Bug ID 963017: Tpm-status-check service shows System Integrity Status: Invalid when EngHF installed

Last Modified: Nov 23, 2020

Affected Product:
BIG-IP All (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 16.0.0, 16.0.0.1, 16.0.1

Opened: Nov 06, 2020
Severity: 3-Major

Symptoms

Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):

    err tpm-status[####]: System Integrity Status: Invalid
    info tpm-status-check[####]: System Integrity Status: Invalid

In addition, a message similar to the following may appear on the serial console while the system is booting:

    [ ###.######] tpm-status-check[####]: Checking System Integrity Status
    [ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
    [ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid

Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:

    # systemctl -l status tpm-status-check.service
    * tpm-status-check.service - F5 Trusted Platform Module
       Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
       Active: failed (Result: exit-code) since <...>
     Main PID: #### (code=exited, status=1/FAILURE)

    <...> tpm-status-check[####]: Checking System Integrity Status
    <...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
    <...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
    <...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
    <...> tpm-status[####]: BIOS 0614 v3.10.032.0
    <...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
    <...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
    <...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
    <...> systemd[1]: Unit tpm-status-check.service entered failed state.
    <...> systemd[1]: tpm-status-check.service failed.

However, checking the System Integrity Status using the "tpm-status" or "tmsh run sys integrity status-check" command shows "System Integrity Status: Valid".

Impact

The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid. This is incorrect, and conflicts with the accurate System Integrity Status provided by the "tpm-status" utility and "tmsh run sys integrity status-check" command.

Conditions

This may occur:
-- running affected BIG-IP v14.1.0 or later releases with an Engineering Hotfix containing fixes for ID893885 and ID946745
-- on hardware platforms that include a Trusted Platform Module (TPM), including:
   -- BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
   -- VIPRION B4450 blades

Workaround

Use the "tpm-status" utility or "tmsh run sys integrity status-check" command to observe the correct System Integrity Status.
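
The following triage helper is an added example, not F5 code. It compares the tpm-status-check service output with the tpm-status result and only labels a mismatch as this bug when the "/bin/rpm: Permission denied" line from the Symptoms is present. The function names, labels and sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: names and labels are hypothetical; message strings are quoted from this bug record.

# has TEXT NEEDLE: true when NEEDLE occurs literally (case-sensitive) in TEXT.
has() { printf '%s\n' "$1" | grep -qF -- "$2"; }

# classify_integrity SERVICE_TEXT TPM_STATUS_TEXT
# Prints one label; tpm-status is treated as the authoritative result.
classify_integrity() {
    svc=$1
    tpm=$2
    if has "$tpm" "System Integrity Status: Invalid" ||
       ! has "$tpm" "System Integrity Status: Valid"; then
        echo "investigate"            # authoritative check is not Valid
    elif ! has "$svc" "System Integrity Status: Invalid"; then
        echo "consistent-valid"       # service and tpm-status agree
    elif has "$svc" "sh: /bin/rpm: Permission denied"; then
        echo "known-issue-963017"     # signature described in Symptoms
    else
        echo "unexplained-mismatch"   # Invalid without the rpm error
    fi
}

# Constructed sample input (PID and timestamps are made up).
SAMPLE_SVC='Nov 06 10:00:01 tpm-status-check[1234]: Checking System Integrity Status
Nov 06 10:00:01 tpm-status-check[1234]: sh: /bin/rpm: Permission denied
Nov 06 10:00:02 tpm-status-check[1234]: tpm-status-check: System Integrity Status: Invalid'
SAMPLE_TPM='System Integrity Status: Valid'

classify_integrity "$SAMPLE_SVC" "$SAMPLE_TPM"

# On an affected appliance the two inputs would come from the commands named on this page:
#   classify_integrity "$(systemctl -l status tpm-status-check.service 2>&1)" "$(tpm-status 2>&1)"
```

Any label other than "known-issue-963017" or "consistent-valid" means the discrepancy is not explained by this bug and the integrity result should be examined on its own merits.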

Fix Information

None

Behavior Change