Physical TPM Attestation Keys and certificates
Intel Trust Authority can be used as a certificate authority to issue attestation keys (AK) and certificates (AK certificate) to physical TPMs. This feature doesn't apply to vTPMs.
You can provision a TPM with an AK certificate endorsed by Intel Trust Authority. Intel Trust Authority AK provisioning does the following:
- Verifies the TPM Endorsement Key (EK) against a known list of EK Certificate Authorities.
- Generates a signed AK certificate.
- Provisions the TPM with an AK certificate.
Endorsement Key (EK)
TPMs have a unique endorsement key (EK) key pair set by the TPM manufacturer. Prior to issuing an AK certificate, Intel Trust Authority checks the TPM for authenticity by verifying the EK Certificate against a publicly available list of known TPM manufacturer CAs.
Attestation Key (AK)
A TPM Attestation Key (AK) is a key pair used during TPM attestation, bound to the TPM by an AK Certificate issued by a trusted signing authority (in this case, Intel Trust Authority). TPM quotes, the evidence used during TPM attestation, are signed by the AK private key. When a verifier (such as Intel Trust Authority) receives a TPM quote for attestation, the verifier uses the AK certificate to verify that the AK has been endorsed by a trusted CA, and then uses the public key in the AK cert to verify the quote signature. This cryptographically proves that the quote was generated by a TPM endorsed by the CA.
A TPM can have more than one AK provisioned. Each AK is referenced by a unique "handle," so quotes can be generated using AKs endorsed by different CAs. For example, if the same TPM will be used for attestation with different verifiers, each of which trusts different CAs, each CA can endorse a different AK bound to the TPM under a different handle. Intel Trust Authority can only verify AK certificates that were issued by Intel Trust Authority. AK certificates issued by other CAs cannot be used to endorse a quote for verification by Intel Trust Authority.
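The verifier-side flow just described, as an added example written for this page (it is not Intel Trust Authority code, nor code from the attestation client CLI). Go is used because the page's client is a Go CLI. Since it must run offline, it mints its own throwaway CA and AK key pairs in place of Intel Trust Authority and the TPM, and signs a constructed byte string standing in for a TPM quote. The verifier's two checks are the ones in the text: the AK certificate must chain to the trusted CA, and the quote signature must verify under the AK public key from that certificate. The scenario also shows the last paragraph's point: an AK endorsed by a different CA yields a valid signature but is rejected at the chain step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key pair and a certificate for it. With parent == nil the
// certificate is self-signed and marked as a CA; otherwise parent and signer endorse it.
// Constructed for this example; it is not Intel Trust Authority's issuance code.
func issue(name string, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signQuote stands in for the TPM: the AK private key signs the quote bytes.
func signQuote(akKey *ecdsa.PrivateKey, quote []byte) ([]byte, error) {
	digest := sha256.Sum256(quote)
	return ecdsa.SignASN1(rand.Reader, akKey, digest[:])
}

// verifyQuote is the verifier's two-step check from the text: (1) the AK certificate
// chains to the trusted CA, (2) the quote signature verifies under its public key.
func verifyQuote(trusted, akCert *x509.Certificate, quote, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := akCert.Verify(opts); err != nil {
		return fmt.Errorf("AK certificate not endorsed by the trusted CA: %w", err)
	}
	pub, ok := akCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("AK certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(quote)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("quote signature does not verify under the AK")
	}
	return nil
}

// must aborts on setup failures, which would be programming errors in this example.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// runScenario returns the verdicts for a genuine quote, for a quote signed by an AK
// that a different CA endorsed, and for a quote altered after signing.
func runScenario() (genuine, otherCA, tampered error) {
	ca, caKey, err := issue("Trusted AK CA (constructed)", 1, nil, nil)
	must(err)
	otherCACert, otherCAKey, err := issue("Some other CA (constructed)", 1, nil, nil)
	must(err)
	akCert, akKey, err := issue("TPM AK (constructed)", 2, ca, caKey)
	must(err)
	otherAKCert, otherAKKey, err := issue("TPM AK, other CA (constructed)", 2, otherCACert, otherCAKey)
	must(err)
	quote := []byte("constructed stand-in for a TPM quote: PCR digest || nonce")
	sig, err := signQuote(akKey, quote)
	must(err)
	otherSig, err := signQuote(otherAKKey, quote)
	must(err)
	genuine = verifyQuote(ca, akCert, quote, sig)
	otherCA = verifyQuote(ca, otherAKCert, quote, otherSig)
	tampered = verifyQuote(ca, akCert, append([]byte("x"), quote...), sig)
	return
}

func main() {
	g, o, t := runScenario()
	fmt.Printf("genuine quote: %v\nAK endorsed by untrusted CA: %v\ntampered quote: %v\n", g, o, t)
}
```

A real verifier also checks the quote's structure (the nonce it issued, the PCR digest, the signing-scheme fields) before trusting the PCR values; this example isolates the endorsement and signature checks the paragraph describes.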
Intel Trust Authority defaults
A TPM can have one or more AK handles referencing different AKs. You can specify which handle to use with Intel Trust Authority by editing the ak_handle field in the Go attestation client CLI configuration file.
If a user-specified AK or EK handle is less than 0x81000000 or greater than 0x817FFFFF, the provision-ak command returns an error and exits.
Intel Trust Authority AK and EK handle defaults are as follows.
- AK handle: 0x81000800
- EK handle: 0x81000801
Running the provision-ak command reports an error and exits when the specified AK handle (or the default handle, if none is specified) already contains an AK. Existing AKs can be deleted using the examples below.
Warning
Deleting existing AK handles is permanent. After an AK handle is deleted, there is no way to restore it.
The following example uses tpm2-tools to evict the objects at the default EK handle (0x81000801) and AK handle (0x81000800).
tpm2_evictcontrol -c 0x81000801
tpm2_evictcontrol -c 0x81000800
To initiate AK provisioning, clear any existing handles and then proceed with the provisioning process.
AK provisioning command
To initiate AK provisioning, use the provision-ak command.
AK certificates are written to stdout. Redirect or copy the AK certificate according to your preference. Make sure the AK certificate path is specified in config.json as "file://<path>".
The following is an example of the ak_certificate field in the configuration file.
"tpm": {
    "ak_certificate": "file:///home/user/akcert.pem"
}
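The handle rules under "Intel Trust Authority defaults" (default handles, and rejection of anything outside 0x81000000 to 0x817FFFFF before the TPM is touched) and the "file://<path>" form of ak_certificate above are the kind of checks a client should apply when it reads config.json. The following Go is an added example written for this page, not code from the attestation client CLI. Only the ak_certificate field and the "tpm" object are taken from the page; it is an assumption that ak_handle and ek_handle sit in the same object and are written as "0x"-prefixed hex strings, and the rule that the AK and EK handles must differ is the example's own sanity check, not something the page states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strconv"
)

// Persistent-handle range that provision-ak accepts, and its defaults, from the page.
const (
	minHandle       uint32 = 0x81000000
	maxHandle       uint32 = 0x817FFFFF
	defaultAKHandle uint32 = 0x81000800
	defaultEKHandle uint32 = 0x81000801
)

// config mirrors the "tpm" object of config.json. ak_certificate is on the page;
// ak_handle and ek_handle are ASSUMED to live in the same object as hex strings.
type config struct {
	TPM struct {
		AKHandle      string `json:"ak_handle"`
		EKHandle      string `json:"ek_handle"`
		AKCertificate string `json:"ak_certificate"`
	} `json:"tpm"`
}

// resolved holds the validated values a client would use for the TPM and the CLI.
type resolved struct {
	AKHandle, EKHandle uint32
	CertPath           string
}

// parseHandle applies the page's rule: an empty value selects the default, and
// anything outside 0x81000000..0x817FFFFF is rejected before the TPM is touched.
func parseHandle(s string, def uint32) (uint32, error) {
	if s == "" {
		return def, nil
	}
	v, err := strconv.ParseUint(s, 0, 32) // base 0 accepts the 0x prefix
	if err != nil {
		return 0, fmt.Errorf("handle %q is not a 32-bit unsigned integer: %w", s, err)
	}
	h := uint32(v)
	if h < minHandle || h > maxHandle {
		return 0, fmt.Errorf("handle 0x%08X is outside the allowed range 0x%08X-0x%08X", h, minHandle, maxHandle)
	}
	return h, nil
}

// certPath resolves the "file://<path>" form the page requires for ak_certificate.
func certPath(uri string) (string, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	if u.Scheme != "file" {
		return "", fmt.Errorf("ak_certificate must use the file:// scheme, got %q", uri)
	}
	// "file://home/user/x" parses "home" as a host: an absolute path needs three slashes.
	if u.Host != "" || u.Path == "" {
		return "", fmt.Errorf("ak_certificate %q is not of the form file:///absolute/path", uri)
	}
	return u.Path, nil
}

// loadConfig parses a config.json document and validates its tpm section.
func loadConfig(raw []byte) (resolved, error) {
	var c config
	if err := json.Unmarshal(raw, &c); err != nil {
		return resolved{}, fmt.Errorf("config.json: %w", err)
	}
	ak, err := parseHandle(c.TPM.AKHandle, defaultAKHandle)
	if err != nil {
		return resolved{}, fmt.Errorf("ak_handle: %w", err)
	}
	ek, err := parseHandle(c.TPM.EKHandle, defaultEKHandle)
	if err != nil {
		return resolved{}, fmt.Errorf("ek_handle: %w", err)
	}
	if ak == ek { // example's own check, not a rule the page states: two objects cannot share a handle
		return resolved{}, fmt.Errorf("ak_handle and ek_handle are both 0x%08X", ak)
	}
	path, err := certPath(c.TPM.AKCertificate)
	if err != nil {
		return resolved{}, err
	}
	return resolved{AKHandle: ak, EKHandle: ek, CertPath: path}, nil
}

// sampleConfig is a constructed config.json; it overrides ak_handle and leaves ek_handle at its default.
var sampleConfig = []byte(`{"tpm": {"ak_handle": "0x81000802", "ak_certificate": "file:///home/user/akcert.pem"}}`)

func main() {
	r, err := loadConfig(sampleConfig)
	fmt.Printf("%+v %v\n", r, err)
	_, err = parseHandle("0x8100000", defaultAKHandle) // seven hex digits: falls below the range
	fmt.Println(err)
}
```

Validating the range locally mirrors what provision-ak does and fails fast with a readable message instead of a TPM return code; the file:// check catches the common mistake of writing two slashes, which silently turns the first path component into a host.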
Use the following command to collect an AK certificate from Intel Trust Authority.
./trustauthority-cli provision-ak -c ~/config.json
Use the following command to collect the AK certificate and copy it to the location specified in config.json (for example, ~/akcert.pem).
./trustauthority-cli provision-ak -c ~/config.json > ~/akcert.pem
Generate a TPM quote and request attestation from Intel Trust Authority
With EK and AK handles specified, an Intel Trust Authority signed AK certificate, and config.json pointing to that certificate, use the following command to collect a token from Intel Trust Authority.
./trustauthority-cli token --tpm --tdx -c ~/config.json
Troubleshooting provision-ak
The provision-ak command reports an error and exits when the TPM cannot be accessed due to permission or authentication problems, or when an AK already exists at the user-configured ak_handle. Specifically, the provision-ak command reports an error and exits in the following cases:
- The EK handle already exists at ek_handle.
- An AK already exists at ak_handle.
- The request for an AK certificate from Intel Trust Authority fails (network issues or server errors).
During attestation, Intel Trust Authority will return an error if the Intel Trust Authority AK certificate is expired or revoked.