Bug ID 1312225: System Integrity Status: Invalid with some Engineering Hotfixes

Last Modified: Jul 24, 2024

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3

Fixed In:
16.1.5

Opened: Jun 26, 2023

Severity: 3-Major

Symptoms

After installing an Engineering Hotfix, an attempt to verify the TPM system integrity with either the "tpm-status" or "tmsh run sys integrity status-check" command may produce the following error message:

    System Integrity Status: Invalid

Running the "tpm-status" command with a Verbosity of 1 (or greater) reveals the following detail:

    Verifying system integrity...
    ...
    The signature in 17 is valid
    Output wrong commandline parameters cmdline is *ro ima_hash=sha256 mce=ignore_ce *
    The pcr value in 17 is invalid.
    ...
    System Integrity Status: Invalid

Impact

The TPM System Integrity Status is shown as Invalid. This may incorrectly suggest that system integrity has been compromised.

Conditions

This may occur if the Engineering Hotfix contains changes which cause the following packages to be included in the Engineering Hotfix ISO:

-- sirr-tmos
-- tboot

But the Engineering Hotfix ISO does not contain the following package:

-- nash-initrd

The contents of the Engineering Hotfix ISO can be checked using the 'isoinfo' utility:

    isoinfo -Rf -i <path/to/Hotfix-*.iso> | grep -e sirr -e tboot -e nash
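
The check above can be scripted so that a hotfix ISO is classified before it is installed. The following is an added example, not F5 code: it reads an 'isoinfo -Rf' listing and reports whether the ISO matches the package combination described in Conditions. It assumes package file names begin with the package name; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 code). Classifies an Engineering Hotfix ISO listing
# against the condition in this bug: sirr-tmos and tboot are shipped in the
# ISO, but nash-initrd is not.
# Assumption: package files are named <package-name>-<version>... so a
# prefix match on the file name identifies the package.

# classify_listing: reads an `isoinfo -Rf` file listing on stdin, prints
#   affected      sirr-tmos and tboot present, nash-initrd absent
#   not-affected  any other combination
classify_listing() {
    has_sirr=0
    has_tboot=0
    has_nash=0
    while IFS= read -r path; do
        name=${path##*/}          # match on the file name, not the directory
        case $name in
            sirr-tmos*)   has_sirr=1 ;;
            tboot*)       has_tboot=1 ;;
            nash-initrd*) has_nash=1 ;;
        esac
    done
    if [ "$has_sirr" -eq 1 ] && [ "$has_tboot" -eq 1 ] && [ "$has_nash" -eq 0 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# check_iso: runs the isoinfo command from this page against an ISO path,
# e.g. check_iso /path/to/Hotfix.iso
check_iso() {
    isoinfo -Rf -i "$1" | classify_listing
}

# Constructed sample listing (placeholder paths and versions, not from a
# real hotfix): sirr-tmos and tboot are present, nash-initrd is missing.
SAMPLE_AFFECTED='/constructed/dir/sirr-tmos-X.Y.Z.rpm
/constructed/dir/tboot-X.Y.Z.rpm
/constructed/dir/unrelated-package-X.Y.Z.rpm'
```

A result of "affected" means only that the ISO matches the package combination under which this bug may occur, so an Invalid status seen after installing it should be read with that in mind.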

Workaround

None

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips