Troubleshooting TPM failures

This topic describes how to recover the master encryption key (MEK) after a TPM failure on one or more canisters.

Recovering TPM during Failures

The following table describes each failure scenario and its recovery procedure. In every scenario the NV slot created on the replacement TPM must use the same NV slot ID as the node from which the key is migrated or restored.

Table 1. Recovery procedure

Failure: The TPM or system board on a canister fails.
Recovery procedure:
  1. Replace the TPM, system board, or canister.
  2. Take ownership of the new TPM.
  3. Create the NV slot in the new TPM with the same NV slot ID as on the peer canister node, where the key is still present.
  4. Migrate the master encryption key (MEK) from the peer canister node.

Failure: A canister fails.
Recovery procedure:
  1. Replace the TPM, system board, or canister.
  2. Take ownership of the new TPM.
  3. Create the NV slot in the new TPM with the same NV slot ID as on the peer canister node, where the key is still present.
  4. Migrate the MEK from the peer canister node.

Failure: Both canisters fail (rare scenario).
Recovery procedure:
  1. Replace both canisters.
  2. Take ownership of the TPM on both canisters.
  3. Multi-building-block configuration (the same key is used across building blocks): create the NV slots in the new TPMs with the same NV slot ID as on the peer building-block nodes where the key is present, then migrate the key from the other building block and restore it.
  4. Single-building-block configuration: create the NV slot in the new TPM with the same NV slot ID as on the backup EMS Utility node where the key is present, then use the third copy of the key. Use esstpmkey to restore it to one canister and migrate it to the other canister.
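The scenarios above all reduce to the same TPM-level sequence: take ownership of the replacement TPM, define an NV index with the same ID and size the peer uses, write the migrated key into it, and verify the copy. The script below is an added illustration of that sequence with the generic tpm2-tools commands (tpm2_changeauth, tpm2_nvreadpublic, tpm2_nvdefine, tpm2_nvread, tpm2_nvwrite); it is not the esstpmkey utility and not code from the product. Its assumptions are labelled in the comments: the peer canister is reachable over ssh as $PEER, the owner-hierarchy password is $OWNER_AUTH, the key index passed as $1 (for example 0x1500016) is the NV slot ID in use on the peer, and the tpm2_nvreadpublic output layout is the YAML form that tpm2-tools 4.x/5.x print.

```shell
#!/bin/sh
# Added example, not ESS or esstpmkey code. Recreates the peer's NV slot on a
# replacement canister's TPM and migrates the MEK into it with tpm2-tools.
# Assumptions (hypothetical environment): $PEER is the surviving canister,
# reachable over ssh; $OWNER_AUTH is the TPM owner password; $1 is the NV index.
set -eu

# Parse tpm2_nvreadpublic output (assumed layout, tpm2-tools 4.x/5.x):
#   0x1500016:
#     name: 000b...
#     size: 32
# and print "<index> <size>" for the requested index, or nothing if absent.
nv_index_size() {  # $1 = NV index, stdin = tpm2_nvreadpublic output
    awk -v idx="$1" '
        $1 == (idx ":")          { found = 1; next }   # header of the wanted index
        found && $1 == "size:"   { print idx, $2; exit }
        /^0x[0-9a-fA-F]+:$/      { found = 0 }         # header of another index
    '
}

# Step 2: take ownership of the replacement TPM by setting the owner auth.
take_ownership() {
    tpm2_changeauth -c owner "$OWNER_AUTH"
}

# Step 3: define the NV index with the same ID and size the peer uses, so the
# key lands in the same slot ID on both canisters.
create_nv_slot() {  # $1 = NV index, $2 = size in bytes
    tpm2_nvdefine "$1" -C o -P "$OWNER_AUTH" -s "$2" -a "ownerread|ownerwrite"
}

# Step 4: read the key from the peer's slot (over ssh, so the transport is
# encrypted), write it into the local slot, then verify the copy byte for byte.
migrate_key() {  # $1 = NV index, $2 = size in bytes
    umask 077                                   # key material: owner-only files
    tmp=$(mktemp) && copy=$(mktemp)
    trap 'rm -f "$tmp" "$copy"' EXIT
    ssh "$PEER" "tpm2_nvread $1 -C o -P '$OWNER_AUTH' -s $2" > "$tmp"
    tpm2_nvwrite "$1" -C o -P "$OWNER_AUTH" -i "$tmp"
    tpm2_nvread "$1" -C o -P "$OWNER_AUTH" -s "$2" -o "$copy"
    cmp -s "$tmp" "$copy" || { echo "MEK verification failed on $1" >&2; return 1; }
    echo "MEK migrated into NV index $1 and verified"
}

# Run the full procedure only when an NV index is given, so the file can also
# be sourced for its helpers.
if [ "${1:-}" != "" ]; then
    nv=$1
    entry=$(ssh "$PEER" tpm2_nvreadpublic | nv_index_size "$nv")
    [ -n "$entry" ] || { echo "peer has no NV index $nv" >&2; exit 1; }
    size=${entry##* }
    take_ownership
    create_nv_slot "$nv" "$size"
    migrate_key "$nv" "$size"
fi
```

The size is taken from the peer rather than hard-coded because tpm2_nvwrite fails if the data is larger than the index, and a silently smaller index would truncate the key; the final cmp is the check that the migrated key on the new canister is identical to the peer's. In the two-canister failure case the same helpers apply with $PEER pointing at the other building block or at the backup EMS Utility node holding the third copy.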