Managing the TPM on SNS firewalls

This section explains how to check the status of the TPM, change its administration password, seal it, and disable it.

Checking the status of the TPM

From the web administration interface

This use case is exclusive to SNS 4.8.7 and higher versions.

  1. Go to Monitoring > Dashboard, in the Health indicators widget.

  2. Check the color of the TPM health indicator icon to find out its status.

Icon Description
None

The SNS firewall is not equipped with a TPM.
Grayed out icon

The SNS firewall is equipped with a TPM, but it has not been initialized.
Green icon

The TPM is initialized, running and protects at least one private key.
Orange icon

There are several possible statuses:

  • The TPM is initialized, but it not protecting any private key. By scrolling over the icon, the tooltip "The TPM has been initialized, but is not in use" confirms this status.

  • The TPM sealing policy has been changed. To apply it, reseal the TPM by following the Sealing the TPM procedure. By scrolling over the icon, the tooltip "TPM sealing required in order to apply the new TPM sealing policy" confirms this status.
Red icon

There are several possible statuses:

  • Tests on the TPM do not work (it no longer responds),

  • The TPM can no longer be accessed because the hash values of PCRs have changed. To refresh them, reseal the TPM by following the Sealing the TPM procedure. By scrolling over the icon, the tooltip "TPM sealing required in order to recover access to the TPM" confirms this status.

  • Secure Boot is disabled. A warning in the Messages widget in the Dashboard confirms that the feature is disabled.

    IMPORTANT
    As a reminder, the integrity of the SNS firewall and its TPM will be compromised if Secure Boot is not enabled.

From the CLI console

  1. Show TPM monitoring information with the command:

    MONITOR TPM

  2. Check the result.

Token Values/Description
ondisk_init
  • 1: the TPM is initialized,
  • 0: the TPM has not been initialized.

NOTE
The other tokens below do not exist in SNS 4.3.37 LTSB and higher 4.3 LTSB versions.
secure_boot_enabled
  • 1: Secure Boot is enabled,
  • 0: Secure Boot is disabled.
ondisk_pkeys_present
  • 1: the TPM is protecting at least one private key,
  • 0: the TPM is not protecting any private keys.
pcr_access_status
  • Good: the TPM can be accessed, no action is required.
  • Legacy: the TPM sealing policy has been changed. To apply it, reseal the TPM by following the Sealing the TPM procedure. A message confirms this status.
  • NO: the TPM can no longer be accessed because the hash values of PCRs have changed. To refresh them, reseal the TPM by following the Sealing the TPM procedure. A message confirms this status.
message Specify information on the status of the TPM if necessary.

Changing the TPM administration password

From a CLI console, change the TPM administration password using the command:

SYSTEM TPM CHANGE currentpassword=<password> newpassword=<new_password>

  • Replace <password> with the current TPM password,

  • Replace <new_password> with the new TPM password, by following the recommendations in the section TPM administration password.

If you have forgotten the TPM password, refer to the section Troubleshooting.

Sealing the TPM

The TPM has to be sealed in the following cases:

  • When the TPM can no longer be accessed,
  • When a new TPM sealing policy is available and you wish to apply it.

The status of the TPM is key to identifying whether the TPM needs to be resealed. When the TPM is sealed, PCR hash values are recalculated.

From the web administration interface

This use case is exclusive to SNS 4.8.7 and higher versions.

IMPORTANT
As a reminder, the integrity of the SNS firewall and its TPM will be compromised if Secure Boot is not enabled. As such, you are advised to enable it before resealing the TPM.

  1. Log in to the SNS firewall web administration interface.

    A window automatically appears when the TPM needs to be sealed. In a high availability configuration, a window also appears if the TPM on the passive firewall needs to be sealed. If both members of the cluster are concerned, two windows will appear one after the other.

  2. Enter the TPM password in the relevant field.

  3. Click on OK.

From the CLI console

  1. Seal the TPM on the SNS firewall with the command:

    SYSTEM TPM PCRSEAL tpmpassword=<password>

    Replace <password> with the TPM password.

  2. If the SNS firewall is part of a high availability cluster, seal the TPM on the passive firewall with the command:

    SYSTEM TPM PCRSEAL tpmpassword=<password> serial=passive

From the SSH console

SSH access must be allowed on the firewall. Only the admin account can perform this operation.

Seal the TPM on the SNS firewall with the command:

tpmctl -svp <tpmpassword>

Replace <password> with the TPM password.

Disabling the TPM

From a CLI console, disable the TPM using the command:

SYSTEM TPM RESET tpmpassword=<password> force=<on|off>

  • Replace <password> with the TPM password,
  • Enter force=on if private keys in certificates are protected by the TPM, and you wish to disable it by force anyway. The protected private keys will then be decrypted.