Bug ID 963017: The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed

Last Modified: Mar 01, 2021

Affected Product:
BIG-IP All (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1

Opened: Nov 06, 2020
Severity: 3-Major

Symptoms

Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):

    err tpm-status[####]: System Integrity Status: Invalid
    info tpm-status-check[####]: System Integrity Status: Invalid

In addition, a message similar to the following may appear on the serial console while the system is booting:

    [ ###.######] tpm-status-check[####]: Checking System Integrity Status
    [ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
    [ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid

Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:

    # systemctl -l status tpm-status-check.service
    * tpm-status-check.service - F5 Trusted Platform Module
       Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
       Active: failed (Result: exit-code) since <...>
     Main PID: #### (code=exited, status=1/FAILURE)

    <...> tpm-status-check[####]: Checking System Integrity Status
    <...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
    <...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
    <...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
    <...> tpm-status[####]: BIOS 0614 v3.10.032.0
    <...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
    <...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
    <...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
    <...> systemd[1]: Unit tpm-status-check.service entered failed state.
    <...> systemd[1]: tpm-status-check.service failed.

However, checking the System Integrity Status using the 'tpm-status' or 'tmsh run sys integrity status-check' command shows 'System Integrity Status: Valid'.

Impact

The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid. This is incorrect, and conflicts with the accurate System Integrity Status provided by the 'tpm-status' utility and 'tmsh run sys integrity status-check' command.

Conditions

This may occur under the following conditions:

-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
-- Using hardware platforms that include a Trusted Platform Module (TPM), including:
   - BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
   - VIPRION B4450 blades

Workaround

To observe the correct System Integrity Status, do either of the following:

-- Use the 'tpm-status' utility.
-- Run the command: tmsh run sys integrity status-check
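
A triage sketch for the symptom described above, added here as an example and not F5 code: it checks whether captured 'systemctl -l status tpm-status-check.service' or console output carries the '/bin/rpm: Permission denied' line that this page lists alongside the Invalid result. The function names, result labels and sample lines are constructed for the example; a match only identifies the pattern, and 'tpm-status' remains the check that decides.

```shell
#!/bin/sh
# Added example, not F5 code. Reads tpm-status-check output on stdin, e.g. from
#   systemctl -l status tpm-status-check.service
# and prints one label (label names are this example's own):
#   no-invalid           no "System Integrity Status: Invalid" line
#   matches-id963017     Invalid plus the "sh: /bin/rpm: Permission denied"
#                        line shown in the Symptoms section
#   unexplained-invalid  Invalid without that line
# A label never settles integrity: confirm any Invalid with 'tpm-status'.
classify_tpm_log() {
    log=$(cat)
    if ! printf '%s\n' "$log" | grep -q 'System Integrity Status: Invalid'; then
        echo no-invalid
    elif printf '%s\n' "$log" |
        grep -q 'tpm-status-check\[[0-9]*]: sh: /bin/rpm: Permission denied'; then
        echo matches-id963017
    else
        echo unexplained-invalid
    fi
}

# Constructed samples: message text from this page, PIDs and timestamps made up.
sample_hotfix_boot() {
    cat <<'EOF'
[   42.100000] tpm-status-check[1234]: Checking System Integrity Status
[   42.200000] tpm-status-check[1234]: sh: /bin/rpm: Permission denied
[   42.300000] tpm-status-check[1234]: tpm-status-check: System Integrity Status: Invalid
EOF
}
# /var/log/ltm form: the page lists no rpm line there, so it cannot match.
sample_ltm_only() {
    cat <<'EOF'
err tpm-status[2345]: System Integrity Status: Invalid
info tpm-status-check[2346]: System Integrity Status: Invalid
EOF
}
sample_valid() {
    echo 'tpm-status[3456]: System Integrity Status: Valid'
}

for s in sample_hotfix_boot sample_ltm_only sample_valid; do
    printf '%-20s %s\n' "$s" "$("$s" | classify_tpm_log)"
done
```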

Fix Information

None

Behavior Change