HPE OneView

OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

 
pirx
Valued Contributor


I set up a few DL380Gen11 servers a few weeks ago and did not get this warning. Now I have a few new DL320Gen11 servers, and I updated OV to v8.70 last week. I have now updated the firmware of the servers.

I found this post: PCR Measurements Changed, Component Type BIOS PCR ... - Hewlett Packard Enterprise Community (hpe.com)

The warning is triggered after each reboot (maybe power cycle), even without an OS installed. What needs to be done to clear this permanently?

 

 

PCR Measurements Changed, Component Type BIOS PCR Index PCR13

1/11/24  6:52:43 pm
15 minutes ago
Active
unassigned
Resolution 

Configuration change detected in above mentioned component, please verify if firmware version is as expected

Notes

Event details
  1. alertTypeID: Redfish.iLOEvents.6.5.PCRChanged
  2. correctiveAction: Configuration change detected in above mentioned component, please verify if firmware version is as expected
  3. eventTimestamp: 2024-01-11T17:52:38Z
  4. ipv4Address: 10.24.249.11
  5. ipv6Address: fe80:0:0:0:5eed:8cff:fead:5466
  6. lifeCycle: false
  7. Redfish.EventId: 6dd9de92-dbe3-6bae-9c14-350a738d2d86
  8. Resource: /redfish/v1/Managers/1/SecurityService/
  9. resourceID: /redfish/v1/Managers/1/SecurityService/
  10. resourceUri: /rest/server-hardware/37323550-3636-5A43-4A44-303530313250

Kashyap02
HPE Pro

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

Hello, 

Refer to the advisory. Advisory: HPE Integrated Lights-Out 6 (iLO 6) - "PCR Measurements Changed" Critical Error Message Displayed in HPE OneView

This is a known issue and will be resolved in a future version of iLO firmware.

I am a HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


pirx
Valued Contributor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

@Kashyap02 

OK, thanks. One thing that I still don't understand... according to RBSU Common options | UEFI System Utilities User Guide for HPE ProLiant Gen11 Servers, and HPE Synergy, the TpmActivePcrs should be set to "Not Specified". Then why is it set to Sha256Sha384?

 

TpmActivePcrs Server Security/TPM Options

  • Not Specified (default)
Kashyap02
HPE Pro

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

Hello, 

 

Configuring Trusted Platform Module (TPM) options | UEFI System Utilities User Guide for HPE ProLiant Gen11 Servers, and HPE Synergy

 

  • Current TPM 2.0 Active PCRs: When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Options are:
    • SHA1 only
    • SHA256 only
    • SHA384 only
    • SHA1 and SHA256
    • SHA256 and SHA384
I am a HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
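
The PCR extend operation described in the reply above, as an added example that is not part of the original post and is not HPE code: it replays two constructed measurement lists into a simulated PCR in both the SHA-256 and SHA-384 banks and reports the first event at which the two boots diverge. The event contents and helper names are assumptions; a real comparison would use the digests recorded in the platform's TCG event log.

```python
import hashlib

# Digest sizes of the two banks active under "SHA256 and SHA384" (Sha256Sha384).
BANKS = {"sha256": 32, "sha384": 48}

def extend(bank, pcr, event_data):
    """TPM 2.0 extend: PCR_new = H(PCR_old || H(event_data)), H = the bank's hash."""
    digest = hashlib.new(bank, event_data).digest()
    return hashlib.new(bank, pcr + digest).digest()

def replay(bank, events):
    """Replay an ordered event list; return the PCR value after each extend."""
    pcr = bytes(BANKS[bank])  # static PCRs such as PCR 13 start at all zeroes
    history = []
    for data in events:
        pcr = extend(bank, pcr, data)
        history.append(pcr)
    return history

def first_divergence(bank, baseline, current):
    """Index of the first event after which the two boots differ, or None."""
    a, b = replay(bank, baseline), replay(bank, current)
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    # Same prefix: a length mismatch means one boot measured extra events.
    return None if len(a) == len(b) else min(len(a), len(b))

# Constructed sample measurements (hypothetical, not from a real event log).
BOOT_A = [b"component-A v1", b"config-blob-1", b"component-B v1"]
BOOT_B = [b"component-A v1", b"config-blob-2", b"component-B v1"]

def summary():
    """Per bank: (final baseline PCR, final current PCR, first differing event)."""
    out = {}
    for bank in BANKS:
        out[bank] = (replay(bank, BOOT_A)[-1].hex(),
                     replay(bank, BOOT_B)[-1].hex(),
                     first_divergence(bank, BOOT_A, BOOT_B))
    return out

if __name__ == "__main__":
    for bank, (a, b, idx) in summary().items():
        print(f"{bank}: changed={a != b} first differing event={idx}")
        print(f"  baseline {a}\n  current  {b}")
```

Because each bank hashes with its own algorithm, the same measurements produce unrelated values of different lengths in the two banks, so a baseline recorded from one bank cannot be compared against the other.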


pirx
Valued Contributor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

@Kashyap02 Sorry, but I don't get the context of your answer. My question was:

Then why is it set to Sha256Sha384?

When documentation contains:

TpmActivePcrs Server Security/TPM Options

Not Specified (default)

The first time I checked this setting in RBSU, it was Sha256Sha384. So is this the default, or did it change to that from Not Specified for some reason?


Kashyap02
HPE Pro

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

Hello. 

@pirx

I have verified many servers in our lab. The TPM 2.0 Active PCRs are set to SHA256 and SHA384 on DL320 Gen11 servers. 
Looks like this is the default value which is set on these servers. 

We do see "Not Specified" option, but that is not selected as default. 

 

Refer to the below screenshots. 

I am a HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


pirx
Valued Contributor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

@Kashyap02 Yes, I expected that. But then the documentation is wrong.

Kashyap02
HPE Pro

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

Looks like it. I will definitely provide feedback to the concerned team.
Thank you for highlighting this.
I am a HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


NJK-Work1
Occasional Advisor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

So what is the fix for this? I just updated to 1.57 (released end of Feb 2024) on a test machine and I am still getting these errors. Is the fix still in the works for a future iLO firmware update, or should I be changing the settings in the UEFI to prevent that? If so, then what settings?

Thanks

NJK

NJK-Work1
Occasional Advisor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

I did notice that the AlertID changed from "Redfish.iLOEvents.6.5.PCRChanged" (6.5) to "Redfish.iLOEvents.6.6.PCRChanged" (6.6). Not sure if that is circumventing the previous fix... but figured I would mention it.

NJK