In computing, Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. There are three key advantages of using TPM technology. First, you can generate, store, and control access to encryption keys outside of the operating system. Second, you can use a TPM module to perform platform device authentication by using the TPM’s unique RSA key, which is burned into it. And third, it may help to ensure platform integrity by taking and storing security measurements.
During re:Invent 2021, we announced the future availability of NitroTPM, a virtual TPM 2.0-compliant TPM module for your Amazon Elastic Compute Cloud (Amazon EC2) instances, based on AWS Nitro System. We also announced Unified Extensible Firmware Interface (UEFI) Secure Boot availability for EC2.
I am happy to announce you can start to use both NitroTPM and Secure Boot today in all AWS Regions outside of China, including the AWS GovCloud (US) Regions.
You can use NitroTPM to store secrets, such as disk encryption keys or SSH keys, outside of the EC2 instance memory, protecting them from applications running on the instance. NitroTPM leverages the isolation and security properties of the Nitro System to ensure only the instance can access these secrets. It provides the same functions as a physical or discrete TPM. NitroTPM follows the ISO TPM 2.0 specification, allowing you to migrate existing on-premises workloads that leverage TPMs to EC2.
The availability of NitroTPM unlocks a couple of use cases to strengthen the security posture of your EC2 instances, such as secured key storage and access for OS-level volume encryption or platform attestation for measured boot or identity access.
Secured Key Storage and Access
NitroTPM can create and store keys that are wrapped and tied to certain platform measurements (known as Platform Configuration Registers – PCR). NitroTPM unwraps the key only when those platform measurements have the same value as they had at the moment the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. NitroTPM only unseals keys when the instance and the OS are in a known good state. Operating systems compliant with TPM 2.0 specifications use this mechanism to securely unseal volume encryption keys. You can use NitroTPM to store encryption keys for BitLocker on Microsoft Windows. Linux Unified Key Setup (LUKS) or dm-verity on Linux are examples of OS-level applications that can leverage NitroTPM too.
Platform Attestation
Another key feature that NitroTPM provides is “measured boot” a process where the bootloader and operating system extend PCRs with measurements of the software or configuration that they load during the boot process. This improves security in the event that, for example, a malicious program overwrites part of your kernel with malware. With measured boot, you can also obtain signed PCR values from the TPM and use them to prove to remote servers that the boot state is valid, enabling remote attestation support.
How to Use NitroTPM
There are three prerequisites to start using NitroTPM:
How to Create an AMI with TPM Enabled
AWS provides AMIs for multiple versions of Windows with TPM enabled. I can verify if an AMI supports NitroTPM using the DescribeImages
API call. For example:
aws ec2 describe-images --image-ids ami-0123456789
When NitroTPM is enabled for the AMI, “TpmSupport”: “v2.0”
appears in the output, such as in the following example.
{
"Images": [
{
...
"BootMode": "uefi",
"TpmSupport": "v2.0"
}
]
}
I may also query for tpmSupport
using the DescribeImageAttribute
API call.
When creating my own AMI, I may enable TPM support using the RegisterImage
API call, by setting boot-mode
to uefi
and tpm-support
to v2.0
.
aws ec2 register-image
--region us-east-1
--name my-image
--boot-mode uefi
--architecture x86_64
--root-device-name /dev/xvda
--block-device-mappings DeviceName=/dev/xvda,Ebs={SnapshotId=snap-0123456789example} DeviceName=/dev/xvdf,Ebs={VolumeSize=10}
--tpm-support v2.0
Now that you know how to create an AMI with TPM enabled, let’s create a Windows instance and configure BitLocker to encrypt the root volume.
A Walk Through: Using NitroTPM with BitLocker
BitLocker automatically detects and uses NitroTPM when available. There is no extra configuration step beyond what you do today to install and configure BitLocker. Upon installation, BitLocker recognizes the TPM module and starts to use it automatically.
Let’s go through the installation steps. I start the instance as usual, using an AMI that has both uefi
and TPM v2.0
enabled. I make sure I use a supported version of Windows. Here I am using Windows Server 2022 04.13.
Once connected to the instance, I verify that Windows recognizes the TPM module. To do so, I launch the tpm.msc
application, and the Trusted Platform Module (TPM) Management window opens. When everything goes well, it shows Manufacturer Name: AMZN under TPM Manufacturer Information.
I open the servermanager.exe
application and select Manage at the top right of the screen. In the dropdown menu, I select Add Roles and Features.
I select Role-based or feature-based installation from the wizard.
I select Next multiple times until I reach the Features section. I select BitLocker Drive Encryption, and I select Install.
I wait a bit for the installation and then restart the server at the end of the installation.
After reboot, I reconnect to the server and open the control panel. I select BitLocker Drive Encryption under the System and Security section.
I select Turn on BitLocker, and then I select Next and wait for the verification of the system and the time it takes to encrypt my volume’s data.
Just for extra safety, I decide to reboot at the end of the encryption. It is not strictly necessary. But I encrypted the root volume of the machine (C:
) so I am wondering if the machine can still boot.
After the reboot, I reconnect to the instance, and I verify the encryption status.
I also verify BitLocker’s status and key protection method enabled on the volume. To do so, I open PowerShell
and type
manage-bde -protectors -get C:
I can see on the resulting screen that the C:
volume encryption key is coming from the NitroTPM module and the instance used Secure Boot for integrity validation. I can also view the recovery key.
I left the recovery key in plain text in the previous screenshot because the instance and volume I used for this demo will not exist anymore by the time you will read this. Do not share your recovery keys publicly otherwise.
Important Considerations
Now that I have shown how to use NitroTPM to protect BitLocker’s volume encryption key, I’ll go through a couple of additional considerations:
RegisterImage
API via the AWS CLI and not via the Amazon EC2 console.ModifyInstanceAttribute
API is not supported on running or stopped instances.ImportImage
API, will omit NitroTPM data.At the moment, we support all Intel and AMD instance types that supports UEFI boot mode. Graviton1, Graviton2, Xen-based, Mac, and bare-metal instances are not supported. Some additional instance types are not supported at launch (I shared the exact list previously). We will add support for these soon after launch.
There is no additional cost for using NitroTPM. It is available today in all AWS Regions, including the AWS GovCloud (US) Regions, except in China.
And now, go build 😉
Source: AWS News