How to provision NitroTPM

0

I created an Ubuntu EC2 instance with NitroTPM enabled. When I tried to get the EK key, either with tpm2_getekcertificate or tpm2_nvreadpublic, it failed:

tpm2_getekcertificate

ERROR: Must specify the EK public key path

tpm2_nvreadpublic 0x01c0002 (RSA_EK_CERT_NV_INDEX)

WARNING:esys:src/tss2-esys/api/Esys_NV_ReadPublic.c:309:Esys_NV_ReadPublic_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/esys_tr.c:210:Esys_TR_FromTPMPublic_Finish() Error NV_ReadPublic ErrorCode (0x0000018b)
ERROR:esys:src/tss2-esys/esys_tr.c:321:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x0000018b)
ERROR: Esys_TR_FromTPMPublic(0x18B) - tpm:handle(1):the handle is not correct for the use
ERROR: Failed to read the public part of NV index 0x11C0002
ERROR: Unable to run tpm2_nvreadpublic

It seems that the TPM is not provisioned. How do I provision the NitroTPM? Thanks,

asked a year ago, 253 views
2 Answers
0
Accepted Answer

Thank you very much for your reply. I ran "describe-instances" on my instance and the result showed that both "TpmSupport" and "uefi" boot mode were enabled. Thanks for the info that EK cert/EK pub access is currently not supported. I wonder if there is a list of currently supported tpm2 commands. I would like to see what other tpm2 commands used in our codebase are not supported. Thanks.

answered a year ago
0

Hello, thank you for your post.

I understand that you are trying to retrieve the EK key using tpm2_getekcertificate or tpm2_nvreadpublic, and with both commands you are receiving errors.

To verify whether TPM is enabled, you will need to verify that the “BootMode” and “TpmSupport” parameters are present when using the following commands[1]:

$ aws ec2 describe-instances --instance-ids {instance_id}
$ aws ec2 describe-images --image-ids {ami_id}

You should find the parameters with the following values:

"BootMode": "uefi",
"TpmSupport": "v2.0",

To provision an instance with TPM support, you would need to make sure all of the prerequisites[2] are met.

As for EK cert / EK pub access, unfortunately this is not supported at this time. With that said, I can confirm that this feature is in development but there is no ETA at this time. I suggest you keep an eye on the AWS news blog[3] for any future announcements regarding this feature.

References:
[1] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-nitrotpm-support-on-ami.html
[2] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html
[3] https://aws.amazon.com/blogs/aws/

AWS
SUPPORT ENGINEER
answered a year ago
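One way to automate the check this answer describes, as an added example that is not AWS's code nor part of the original post: it parses the JSON that `aws ec2 describe-instances` and `aws ec2 describe-images` print and reports every field that does not match the expected values (a missing TpmSupport key is treated as "not enabled"). The sample JSON and the instance/AMI IDs in it are constructed.

```python
import json

# Values the answer says to look for in the describe-instances / describe-images output.
EXPECTED_BOOT_MODE = "uefi"
EXPECTED_TPM_SUPPORT = "v2.0"


def nitrotpm_findings(instance_json: str, image_json: str) -> list:
    """Return a list of problems; an empty list means both the instance and
    its AMI report UEFI boot mode and NitroTPM v2.0 support."""
    problems = []
    instances = [inst
                 for res in json.loads(instance_json).get("Reservations", [])
                 for inst in res.get("Instances", [])]
    images = json.loads(image_json).get("Images", [])
    if not instances:
        problems.append("no instance found in describe-instances output")
    if not images:
        problems.append("no image found in describe-images output")
    for label, objs in (("instance", instances), ("image", images)):
        for obj in objs:
            ident = obj.get("InstanceId") or obj.get("ImageId") or "?"
            boot = obj.get("BootMode")
            if boot != EXPECTED_BOOT_MODE:
                problems.append(f"{label} {ident}: BootMode is {boot!r}, expected {EXPECTED_BOOT_MODE!r}")
            # The TpmSupport key is simply absent when NitroTPM is not enabled.
            tpm = obj.get("TpmSupport")
            if tpm != EXPECTED_TPM_SUPPORT:
                problems.append(f"{label} {ident}: TpmSupport is {tpm!r}, expected {EXPECTED_TPM_SUPPORT!r}")
    return problems


# Constructed sample output (not real AWS data): the instance is fine, the AMI is not.
SAMPLE_INSTANCE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0000example", "BootMode": "uefi", "TpmSupport": "v2.0"}]}]})
SAMPLE_IMAGE = json.dumps({"Images": [
    {"ImageId": "ami-0000example", "BootMode": "legacy-bios"}]})

if __name__ == "__main__":
    for line in nitrotpm_findings(SAMPLE_INSTANCE, SAMPLE_IMAGE) or ["NitroTPM enabled on instance and AMI"]:
        print(line)
```

In practice feed it the real CLI output, e.g. the result of `aws ec2 describe-instances --instance-ids {instance_id}` and `aws ec2 describe-images --image-ids {ami_id}`.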
