Lenovo ThinkSystem SR950 Setup Manual page 343

There are two methods available to set the TPM policy:
• From Lenovo XClarity Provisioning Manager
To set the TPM policy from Lenovo XClarity Provisioning Manager:
1. Start the server and press F1 to display the Lenovo XClarity Provisioning Manager interface.
2. If the power-on Administrator password is required, enter the password.
3. From the System Summary page, click Update VPD.
4. Set the policy to one of the following settings.
– NationZ TPM 2.0 enabled - China only. Customers in the Chinese Mainland should choose this
setting if a NationZ TPM 2.0 adapter is installed.
– TPM enabled - ROW. Customers outside of the Chinese Mainland should choose this setting.
– Permanently disabled. Customers in the Chinese Mainland should use this setting if no TPM
adapter is installed.
Note: Although the setting undefined is available as a policy setting, it should not be used.
• From Lenovo XClarity Essentials OneCLI
Note: Please note that a Local IPMI user and password must be setup in Lenovo XClarity Controller for
remote accessing to the target system.
To set the TPM policy from Lenovo XClarity Essentials OneCLI:
1. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked:
OneCli.exe config show imm.TpmTcmPolicyLock --override --imm <userid>:<password>@<ip_address>
Note: The imm.TpmTcmPolicyLock value must be 'Disabled', which means TPM_TCM_POLICY is
NOT locked and changes to the TPM_TCM_POLICY are permitted. If the return code is 'Enabled'
then no changes to the policy are permitted. The planar may still be used if the desired setting is
correct for the system being replaced.
2. Configure the TPM_TCM_POLICY into XCC:
– For customers in Chinese Mainland with no TPM, or customers that require to disable TPM:
OneCli.exe config set imm.TpmTcmPolicy "NeitherTpmNorTcm" --override --imm <userid>:<password>@<ip_address>
– For customers in Chinese Mainland that require to enable TPM:
OneCli.exe config set imm.TpmTcmPolicy "NationZTPM20Only" --override --imm <userid>:<password>@<ip_address>
– For customers outside Chinese Mainland that require to enable TPM:
OneCli.exe config set imm.TpmTcmPolicy "TpmOnly" --override --imm <userid>:<password>@<ip_address>
3. Issue reset command to reset system:
OneCli.exe misc ospower reboot --imm <userid>:<password>@<ip_address>
4. Read back the value to check whether the change has been accepted:
OneCli.exe config show imm.TpmTcmPolicy --override --imm <userid>:<password>@<ip_address>
Notes:
– If the read back value is matched it means the TPM_TCM_POLICY has been set correctly.
imm.TpmTcmPolicy is defined as below:
– Value 0 use string "Undefined" , which means UNDEFINED policy.
– Value 1 use string "NeitherTpmNorTcm", which means TPM_PERM_DISABLED.
– Value 2 use string "TpmOnly", which means TPM_ALLOWED.
– Value 4 use string "NationZTPM20Only", which means NationZ_TPM20_ALLOWED.
Appendix B. Component reference
339