leongross

Reputation: 417

How to verify the AWS NitroTPM endorsement key (EK Certificate)?

Amazon AWS announced their own TPM in their Nitro Systems, aka the NitroTPM. They seem to be very quiet about the technical details though.

I am interested in using the NitroTPM for remote attestation. I use the tpm2_tools to interact with the TPM. Reading transient, permanent or persistent values seems not to reveal any EK Certificates.

$ sudo tpm2_getcap handles-persistent
$ sudo tpm2_getcap handles-permanent

Some other cloud providers like Azure publish their certificate hierarchy but I couldn't find anything on the side of AWS.

Am I missing something or does AWS really not provide any technical information regarding their Endorsement Certificates?

Upvotes: 2

Views: 676

Answers (3)

Eric

Reputation: 1

See https://aws.amazon.com/about-aws/whats-new/2024/05/amazon-ec2-api-public-endorsement-key-nitrotpm/, where an API is added to fetch the EK from a Nitro TPM.

Upvotes: 0

Adam

Reputation: 11

I recently contacted AWS support about this issue, this is the response I received:

I understand that you are looking to retrieve the public component of the endorsement key from outside the instance or retrieve a signed endorsement key certificate from inside the instance. At this time, no EK cert exists for NitroTPM on EC2. I can, however, confirm that the responsible internal team is working on this and it is a priority feature on their roadmap. An ETA has not been provided as yet. The idea is to provide an EC2 API that allows retrieval of the endorsement key.

Upvotes: 1

MemAllox

Reputation: 841

A TPM typically provides an Endorsement Certificate (chain) in its non-volatile (NV) memory. This is specified in the TCG EK Credential Profile:

  • EK certificate (ECC NIST P256): NV index 0x01c0000a
  • EK Certificate (RSA 2048): NV index 0x01c00002

You also want to have a look at the tpm2_getekcertificate tool.

Upvotes: -1
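An added example, not part of any answer above, that turns the NV-index pointers into a check a verifier can actually run: it first confirms the EK-certificate index is defined at all (on a TPM that provisions no certificate, such as the NitroTPM at the time of the question, it simply is not there), then reads the DER certificate, verifies it against the vendor's EK CA bundle, and confirms the certified public key is the same key the TPM regenerates from its endorsement seed. It assumes tpm2-tools (tpm2_nvreadpublic, tpm2_nvread, tpm2_createek, tpm2_readpublic) and openssl are installed, that tpm2_nvreadpublic prints each handle as `0x1c00002:`, and the CA bundle path is a placeholder the TPM vendor has to supply.

```shell
#!/bin/sh
# Added example (not from the question or the answers). Requires tpm2-tools and openssl
# and access to the TPM; the CA bundle path is a placeholder supplied by the TPM vendor.
set -e

# NV index reserved by the TCG EK Credential Profile for the EK certificate of each key type.
ek_nv_index() {
    case "$1" in
        rsa) echo 0x01c00002 ;;
        ecc) echo 0x01c0000a ;;
        *)   echo "unknown key type: $1" >&2; return 1 ;;
    esac
}

# Return 0 if the NV index appears in a tpm2_nvreadpublic listing (handle printed
# either with leading zeros, 0x01c00002, or without, 0x1c00002).
nv_index_defined() {
    idx=$1; listing=$2
    short=$(printf '0x%x' "$idx")
    printf '%s\n' "$listing" | grep -Eq "^(${idx}|${short}):"
}

# SHA-256 of a PEM public key re-encoded as DER, so two PEM files compare by key, not by text.
pubkey_digest() {
    openssl pkey -pubin -in "$1" -outform der | sha256sum | cut -d' ' -f1
}

# Read the EK certificate from NV, verify its chain, and bind it to the TPM's real EK.
verify_ek_cert() {
    keytype=$1; ca_bundle=$2; outdir=${3:-/tmp/ek}
    idx=$(ek_nv_index "$keytype")
    if ! nv_index_defined "$idx" "$(tpm2_nvreadpublic)"; then
        echo "no EK certificate at NV index $idx: this TPM does not provision one" >&2
        return 2
    fi
    mkdir -p "$outdir"
    tpm2_nvread "$idx" -o "$outdir/ek.der"
    openssl x509 -inform der -in "$outdir/ek.der" -out "$outdir/ek.pem"
    # Chain check: the certificate must be issued under the vendor's EK CA.
    openssl verify -CAfile "$ca_bundle" "$outdir/ek.pem"
    # Key binding: a chain-valid certificate for some other TPM's EK must still be rejected.
    tpm2_createek -G "$keytype" -c "$outdir/ek.ctx" -u "$outdir/ek.pub"
    tpm2_readpublic -c "$outdir/ek.ctx" -f pem -o "$outdir/ek_from_tpm.pem" >/dev/null
    openssl x509 -in "$outdir/ek.pem" -noout -pubkey > "$outdir/ek_from_cert.pem"
    [ "$(pubkey_digest "$outdir/ek_from_tpm.pem")" = "$(pubkey_digest "$outdir/ek_from_cert.pem")" ]
}

# Constructed sample listing (not real TPM output) for exercising nv_index_defined offline.
SAMPLE_LISTING='0x1c00002:
  size: 1422
0x1c0000a:
  size: 800'
# Usage on a real TPM: verify_ek_cert rsa /path/to/vendor-ek-ca-bundle.pem
```

A non-zero exit from `verify_ek_cert` distinguishes the three failure modes a verifier cares about: no certificate provisioned, a certificate that does not chain to the vendor CA, and a valid certificate that certifies a different key than this TPM's EK.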
