Configure Trusted TPMs of Attested ESXi Hosts on a Cluster Level

You can use interfaces from the com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2 package to manage the remote attestation configuration for TPM trust.
  • Verify that you have access to a working vSphere Trust Authority environment.
  • Verify that you have Trusted Infrastructure administrative privileges.
You can add, list, remove, and retrieve details about TPM CA certificates and TPM endorsement keys. You can also set and retrieve TPM 2.0 attestation settings.
  1. Add a new TPM CA certificate to a Trusted Cluster to specify a trusted platform OEM by calling the create_Task(java.lang.String cluster, CaCertificatesTypes.CreateSpec spec) method of the CaCertificates interface.
  2. Retrieve a list of configured TPM CA certificates on a Trusted Cluster to identify the trusted platform OEMs by calling the list_Task(java.lang.String cluster) method of the CaCertificates interface.
  3. Remove a TPM CA certificate from a Trusted Cluster because a platform OEM is no longer trusted by calling the delete_Task(java.lang.String cluster, java.lang.String name) method of the CaCertificates interface.
  4. Retrieve details about a specific TPM CA certificate on a Trusted Cluster to get more information about the trusted platform OEM by calling the get_Task(java.lang.String cluster, java.lang.String name) method of the CaCertificates interface.
  5. Add a new TPM endorsement key to a Trusted Cluster to specify a trusted ESXi host by calling the create_Task(java.lang.String cluster, EndorsementKeysTypes.CreateSpec spec) method of the EndorsementKeys interface.
  6. Retrieve a list of configured TPM endorsement keys in a Trusted Cluster to identify the trusted ESXi hosts by calling the list_Task(java.lang.String cluster) method of the EndorsementKeys interface.
  7. Remove a TPM endorsement key from a Trusted Cluster because an ESXi host is no longer trusted by calling the delete_Task(java.lang.String cluster, java.lang.String name) method of the EndorsementKeys interface.
  8. Retrieve details about a specific TPM endorsement key on a Trusted Cluster to get more information about the trusted ESXi host by calling the get_Task(java.lang.String cluster, java.lang.String name) method of the EndorsementKeys interface.
  9. Set the TPM 2.0 attestation settings by specifying that TPM endorsement keys on a Trusted Cluster do not need to be signed because the trusted OEM does not sign endorsement keys, by calling the update_Task(java.lang.String cluster, SettingsTypes.UpdateSpec spec) method of the Settings interface.
  10. Determine the TPM 2.0 attestation settings in a Trusted Cluster by calling the get_Task(java.lang.String cluster) method of the Settings interface.
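Steps 1, 5 and 9 combined into one added example (written for this page; not VMware sample code or SDK documentation). It assumes an already authenticated vSphere Automation session supplying the StubFactory and StubConfiguration, that the _Task methods return the task identifier as a java.lang.String, and that the spec classes expose setters named after their REST fields (setCertChain, setPublicKey, setRequireCertificateValidation, setRequireEndorsementKeys); the certificate and key names are constructed sample values.

```java
import java.util.ArrayList;
import java.util.List;
import com.vmware.vapi.bindings.StubConfiguration;
import com.vmware.vapi.bindings.StubFactory;
import com.vmware.vcenter.trusted_infrastructure.X509CertChain;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.CaCertificates;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.CaCertificatesTypes;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.EndorsementKeys;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.EndorsementKeysTypes;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.Settings;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.SettingsTypes;

public class Tpm2TrustSetup {
    // stubFactory/stubConfig are assumed to come from an already authenticated vSphere
    // Automation session. oemCaChainPem is the OEM TPM CA chain as PEM strings, hostEkPem the
    // ESXi host's endorsement public key in PEM. Returned task IDs are polled via cis.Tasks.
    public static List<String> configure(StubFactory stubFactory, StubConfiguration stubConfig,
                                         String cluster, List<String> oemCaChainPem, String hostEkPem) {
        CaCertificates caCerts = stubFactory.createStub(CaCertificates.class, stubConfig);
        EndorsementKeys eks = stubFactory.createStub(EndorsementKeys.class, stubConfig);
        Settings settings = stubFactory.createStub(Settings.class, stubConfig);
        List<String> tasks = new ArrayList<>();

        // Step 1: trust the platform OEM by registering its TPM CA chain (name is a sample value).
        X509CertChain chain = new X509CertChain();
        chain.setCertChain(oemCaChainPem);
        CaCertificatesTypes.CreateSpec caSpec = new CaCertificatesTypes.CreateSpec();
        caSpec.setName("oem-tpm-ca");
        caSpec.setCertChain(chain);
        tasks.add(caCerts.create_Task(cluster, caSpec));

        // Step 5: pin this host's endorsement key so only this TPM can attest as the host.
        EndorsementKeysTypes.CreateSpec ekSpec = new EndorsementKeysTypes.CreateSpec();
        ekSpec.setName("esxi-host-01-ek");
        ekSpec.setPublicKey(hostEkPem);
        tasks.add(eks.create_Task(cluster, ekSpec));

        // Step 9: the OEM ships no EK certificates, so certificate validation cannot succeed.
        // Disable it, but keep the EK allow list mandatory; with both off any TPM would attest.
        SettingsTypes.UpdateSpec update = new SettingsTypes.UpdateSpec();
        update.setRequireCertificateValidation(false);
        update.setRequireEndorsementKeys(true);
        tasks.add(settings.update_Task(cluster, update));
        return tasks;
    }
}
```

Confirm the result with the get_Task method of the Settings interface (step 10) after the tasks complete, and register every host's endorsement key before relying on the allow list, because a host whose key is missing will fail attestation.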