Lenovo ThinkSystem SR950 Setup Manual page 344

– Below 4 steps must also be used to 'lock' the TPM_TCM_POLICY when using OneCli/ASU
commands:
5. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked , command as
below:
OneCli.exe config show imm.TpmTcmPolicyLock --override --imm <userid>:<password>@<ip_address>
The value must be 'Disabled', it means TPM_TCM_POLICY is NOT locked and must be set.
6. Lock the TPM_TCM_POLICY:
OneCli.exe config set imm.TpmTcmPolicyLock "Enabled"--override --imm <userid>:<password>@<ip_address>
7. Issue reset command to reset system, command as below:
OneCli.exe misc ospower reboot --imm <userid>:<password>@<ip_address>
During the reset, UEFI will read the value from imm.TpmTcmPolicyLock, if the value is 'Enabled' and
the imm.TpmTcmPolicy value is valid, UEFI will lock the TPM_TCM_POLICY setting.
Note: The valid values for imm.TpmTcmPolicy include 'NeitherTpmNorTcm', 'TpmOnly', and
'NationZTPM20Only'.
If the imm.TpmTcmPolicyLock is set as 'Enabled' but imm.TpmTcmPolicy value is invalid, UEFI will
reject the 'lock' request and change imm.TpmTcmPolicyLock back to 'Disabled'.
8. Read back the value to check whether the 'Lock' is accepted or rejected. command as below:
OneCli.exe config show imm.TpmTcmPolicy --override --imm <userid>:<password>@<ip_address>
Note: If the read back value is changed from 'Disabled' to 'Enabled' that means the TPM_TCM_
POLICY has been locked successfully. There is no method to unlock a policy once it has been set
other than replacing system board.
imm.TpmTcmPolicyLock is defined as below:
Value 1 uses string "Enabled" , which means lock the policy. Other values are not accepted.
Assert Physical Presence
Before you can assert Physical Presence, the Physical Presence Policy must be enabled. By default, the
Physical Presence Policy is enabled with a timeout of 30 minutes.
There are two ways to assert the Physical Presence:
1. If the Physical Presence Policy is enabled, you can assert Physical Presence through the Lenovo
XClarity Provisioning Manager or through the Lenovo XClarity Controller.
2. Switch the hardware jumpers on the system board.
Notes: If the Physical Presence Policy has been disabled:
1. Set the hardware Physical Presence jumper on the system board to assert Physical Presence.
2. Enable the Physical Presence Policy using either F1 (UEFI Settings) or Lenovo XClarity Essentials
OneCLI.
Assert Physical Presence through the Lenovo XClarity Controller
Complete the following steps to assert Physical Presence through the Lenovo XClarity Controller:
1. Log in to the Lenovo XClarity Controller interface.
For information about logging in to the Lenovo XClarity Controller, see the "Opening and Using the
XClarity Controller Web Interface" section in the XCC documentation version compatible with your
server at
https://sysmgt.lenovofiles.com/help/topic/lxcc_frontend/lxcc_overview.html
2. Click BMC Configuration ➙ Security and verify that Physical Presence is set to assert.
ThinkSystem SR950 Setup Guide
340
.