Last Modified: Jul 11, 2025
Affected Product(s):
F5OS F5OS-A
Known Affected Versions:
F5OS-A 1.5.0, F5OS-A 1.5.1, F5OS-A 1.5.2, F5OS-A 1.5.3, F5OS-A 1.8.0
Opened: Jul 08, 2025
Severity: 3-Major
Symptoms:
On F5OS appliances, if an error occurs while reading from the hardware TPM, the system primary key is recreated, but the ConfD database is not re-encrypted with the new key. When the system next restarts, F5OS cannot decrypt the encrypted parts of the ConfD database and does not start up properly.

When the TPM read error occurs, the following message is logged in the platform.log file:

"tpm has no data, writing new key"

The administrator will not notice a problem until the system is restarted. The restart may happen a significant time after the key was rewritten, by which point the message above may have rotated out of the platform.log file.

After the restart, "Key header check failed" errors are logged by the api-svc-gateway and orchestration-agent components. Note that these messages alone are not a definite indicator that the primary key was rewritten, because other issues can also cause them.
Impact:
After the restart, the system is unusable and must be recreated.
Conditions:
-- rSeries appliance --
The system is restarted after F5OS encounters an error reading from the TPM.

Workaround:
None

Fix Information:
None
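Because the only early warning is a single platform.log line that may rotate away before the restart, an administrator who wants to catch this condition should scan retained log copies for it. The script below is an added example, not F5 code: it greps a log file for the exact message quoted above, separately checks for the post-restart "Key header check failed" messages from the two named components (which the page says are inconclusive on their own), and combines the two into a verdict. The log line layout, the temp-file sample, and the function names are assumptions for illustration; point the functions at whatever copy of platform.log (or the other components' logs) you have.

```shell
#!/bin/sh
# Added example (not F5OS code): scan a log copy for the TPM key-rewrite
# marker described in the bug. Log line format below is constructed.

# Exit 0 and print matches if the platform.log marker is present, 1 otherwise.
# This is the only definite indicator the page describes.
check_tpm_key_rewrite() {
    log="$1"
    grep -i 'tpm has no data, writing new key' "$log"
}

# Exit 0 and print matches if the post-restart symptom is present in the given
# log: "Key header check failed" from api-svc-gateway or orchestration-agent.
# Not definitive on its own; other issues also produce these messages.
check_key_header_errors() {
    log="$1"
    grep -i 'Key header check failed' "$log" | grep -iE 'api-svc-gateway|orchestration-agent'
}

# Combine both checks into one verdict:
#   REWRITTEN    - marker found; the ConfD database will not decrypt after the next restart
#   INCONCLUSIVE - only key-header errors found; investigate, but not proof of this bug
#   CLEAN        - neither pattern found in this file
assess_log() {
    log="$1"
    if check_tpm_key_rewrite "$log" >/dev/null; then
        echo "REWRITTEN"
    elif check_key_header_errors "$log" >/dev/null; then
        echo "INCONCLUSIVE"
    else
        echo "CLEAN"
    fi
}

# Constructed sample log (not real F5OS output) to show the checks running.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
2025-07-08T10:00:01Z appliance platform[1234]: startup complete
2025-07-08T10:05:22Z appliance platform[1234]: tpm has no data, writing new key
2025-07-08T10:05:23Z appliance platform[1234]: config reload ok
EOF

verdict=$(assess_log "$sample_log")
echo "verdict for $sample_log: $verdict"
if [ "$verdict" = "REWRITTEN" ]; then
    echo "Matching lines:"
    check_tpm_key_rewrite "$sample_log"
fi
rm -f "$sample_log"
```

Run it against every retained copy of platform.log, not just the live one, since the marker may already have rotated out of the current file by the time a restart is planned.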