Trusted platform modules (TPMs) got a bad rap for headaches they caused some PC enthusiasts. One place they are arguably more palatable is the datacenter, or so AWS, at least, hopes with the actual, real launch of its NitroTPM for Elastic Compute Cloud (EC2).
By headaches, we mean, for instance, Windows 11’s strict requirement for a TPM 2.0. A TPM can be an independent hardware module fitted inside a computer, or firmware can provide the equivalent functionality using the host chipset or processor. Either way, it can generate, securely store, and control the use of encryption keys, credentials, and other secret data. It can also be used to ensure a system is booted as intended and no one’s made unauthorized changes to allow hidden malware to snoop on the box.
At the AWS re:Invent conference last winter, NitroTPM was teased as a coming-soon virtualized TPM running on Amazon’s Nitro smartNICs. Now, we’re told, it’s actually available. It’s said to be compliant with the TPM 2.0 standard, and provides AWS customers with protections against rootkits, malicious firmware, and other threats.
Sealing the key
One of the biggest benefits to EC2 customers is the ability to store secrets — disk encryption or SSH keys, for example — separately from an EC2 instance, Sébastien Stormacq, principal developer advocate at AWS, said in a Wednesday announcement.
This process is referred to as “sealing the key to the TPM,” Stormacq explained, adding that once sealed, the NitroTPM will only unseal those keys if the operating system and the instance are in a known good state. According to AWS, this makes it well suited for things like digital rights management and secure database access. It’s accessible on both Windows and Linux instances via BitLocker, dm-verity, or the Linux Unified Key Setup (LUKS).
The tech can also be used for platform attestation by taking advantage of the NitroTPM’s measured boot functionality. This process compares platform measurements from the bootloader and operating system to determine if the boot state is valid and as expected.
If, for example, malware or a miscreant were to modify the operating system kernel, these checks would render an invalid result, Stormacq explained.
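To make the sealing and measured-boot mechanics concrete, here is an added toy model (not AWS, NitroTPM or TPM-vendor code) of what the two preceding paragraphs describe: each boot stage is folded into a PCR with the TPM 2.0 extend operation, a secret is sealed to the resulting PCR value, and unsealing is refused when the boot chain produces a different measurement. Everything a real TPM keeps inside the chip (PCR bank, root secret, policy check) lives in Python here, and the bootloader, kernel and disk-key byte strings are constructed stand-ins.

```python
"""Toy model of measured boot and PCR-bound sealing (added illustration, not AWS or NitroTPM code).
A real TPM keeps the PCRs and the root secret inside the chip; here everything is in Python so
the control flow can be followed end to end."""
from __future__ import annotations

import hashlib
import hmac

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR bank starts at all zeros


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 2.0 PCR extend: new = H(old || H(component)). One-way and order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measured_boot(boot_chain: list[bytes]) -> bytes:
    """Fold every stage (firmware, bootloader, kernel, ...) into the PCR in boot order."""
    pcr = PCR_INIT
    for stage in boot_chain:
        pcr = extend(pcr, stage)
    return pcr


def policy_digest(pcr: bytes) -> bytes:
    """Stand-in for a TPM PCR policy: satisfied only by this exact PCR value."""
    return hashlib.sha256(b"PolicyPCR" + pcr).digest()


def seal(secret: bytes, expected_pcr: bytes, tpm_root_secret: bytes) -> dict:
    """Seal: encrypt under a key derived from the TPM root secret and the PCR policy, then
    authenticate the blob so whoever holds it cannot swap in a different policy."""
    assert len(secret) <= 32, "toy keystream is a single SHA-256 block"
    policy = policy_digest(expected_pcr)
    keystream = hmac.new(tpm_root_secret, b"enc" + policy, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(tpm_root_secret, policy + ciphertext, hashlib.sha256).digest()
    return {"policy": policy, "ciphertext": ciphertext, "tag": tag}


def unseal(blob: dict, current_pcr: bytes, tpm_root_secret: bytes) -> bytes | None:
    """Unseal only if the blob is intact AND the live PCR satisfies the sealed policy."""
    expected_tag = hmac.new(tpm_root_secret, blob["policy"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None  # blob was tampered with
    if not hmac.compare_digest(policy_digest(current_pcr), blob["policy"]):
        return None  # platform is not in the known-good state the key was sealed to
    keystream = hmac.new(tpm_root_secret, b"enc" + blob["policy"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], keystream))


# Constructed sample inputs: stand-ins for boot components and a disk encryption key.
BOOTLOADER = b"grub2 image bytes (constructed)"
KERNEL_GOOD = b"vmlinuz-5.x signed build (constructed)"
KERNEL_MODIFIED = b"vmlinuz-5.x with patched syscall table (constructed)"
DISK_KEY = b"LUKS-volume-key-32-bytes-sample!"  # exactly 32 bytes
TPM_ROOT_SECRET = b"per-TPM secret never leaves chip"  # constructed; a real one is burned into the TPM


def run_scenario() -> dict:
    """Seal the disk key to the good boot state, then try to unseal from both boot states."""
    good_pcr = measured_boot([BOOTLOADER, KERNEL_GOOD])
    blob = seal(DISK_KEY, good_pcr, TPM_ROOT_SECRET)
    return {
        "good": unseal(blob, measured_boot([BOOTLOADER, KERNEL_GOOD]), TPM_ROOT_SECRET),
        "tampered": unseal(blob, measured_boot([BOOTLOADER, KERNEL_MODIFIED]), TPM_ROOT_SECRET),
    }


if __name__ == "__main__":
    result = run_scenario()
    print("known-good boot unseals:", result["good"] == DISK_KEY)
    print("modified kernel unseals:", result["tampered"] is not None)
```

The point the model makes is that the disk key never has to be compared against a policy by the guest OS: a changed kernel changes the PCR, the PCR no longer satisfies the sealed policy, and the unseal simply fails. On a real Linux instance this is the role that dm-verity or a LUKS unlock bound to PCR values plays against the NitroTPM.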
Support for some
NitroTPM is supported by most Windows and Linux operating systems running on EC2, we’re told. Red Hat Enterprise Linux 8, SUSE Linux Enterprise Server 15, Ubuntu 18.04 and 20.04, and Windows Server 2016, 2019, and 2022 have all been validated.
AWS notes the technology must be used on Nitro-based EC2 instances powered by Intel or AMD processors. Graviton1, Graviton2, Xen-based, Mac, and bare-metal instances are not supported at this time.
Finally, for Linux users, the Amazon machine image (AMI) must be flagged to use a UEFI BIOS and NitroTPM at the time of its creation. Windows AMIs provided by AWS are flagged by default. In the case of Windows BitLocker disk encryption, NitroTPM is automatically detected, and no additional configuration is required.
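Because the AMI flags and the instance family decide whether NitroTPM can be used at all, a quick audit of existing images is useful before relying on it. The following is an added example (not AWS code) that applies the constraints stated above to the JSON shape returned by `aws ec2 describe-images`; the `Architecture`, `BootMode` and `TpmSupport` field names are taken from the EC2 DescribeImages API, and the sample document with its placeholder image IDs is constructed.

```python
"""Audit of which AMIs are ready for NitroTPM (added example, not AWS code).
Input is the JSON shape returned by `aws ec2 describe-images`; the sample below is constructed."""
from __future__ import annotations

import json

# Constructed sample in the DescribeImages response shape; the image IDs are placeholders.
SAMPLE_DESCRIBE_IMAGES = json.dumps({"Images": [
    {"ImageId": "ami-00000000000000001", "Name": "rhel8-uefi-nitrotpm", "Architecture": "x86_64",
     "BootMode": "uefi", "TpmSupport": "v2.0", "PlatformDetails": "Red Hat Enterprise Linux"},
    {"ImageId": "ami-00000000000000002", "Name": "ubuntu-20.04-legacy", "Architecture": "x86_64",
     "BootMode": "legacy-bios", "PlatformDetails": "Linux/UNIX"},
    {"ImageId": "ami-00000000000000003", "Name": "al2-graviton", "Architecture": "arm64",
     "BootMode": "uefi", "TpmSupport": "v2.0", "PlatformDetails": "Linux/UNIX"},
]})


def nitrotpm_readiness(image: dict) -> list[str]:
    """Return the reasons an AMI cannot use NitroTPM (an empty list means it is ready)."""
    problems = []
    if image.get("Architecture") != "x86_64":
        problems.append("Architecture must be x86_64 (Intel/AMD Nitro instances; Graviton unsupported)")
    if image.get("BootMode") != "uefi":
        problems.append("BootMode must be uefi")
    if image.get("TpmSupport") != "v2.0":
        problems.append("TpmSupport must be v2.0 (set when the AMI is registered)")
    return problems


def audit(describe_images_json: str) -> dict[str, list[str]]:
    """Map ImageId -> list of blockers for every image in a DescribeImages response."""
    images = json.loads(describe_images_json)["Images"]
    return {img["ImageId"]: nitrotpm_readiness(img) for img in images}


if __name__ == "__main__":
    for image_id, problems in audit(SAMPLE_DESCRIBE_IMAGES).items():
        print(image_id, "READY" if not problems else "; ".join(problems))
```

To run it against a real account, feed it the output of `aws ec2 describe-images --owners self`. The two flags the check looks for are the ones a Linux AMI has to be registered with (`aws ec2 register-image --boot-mode uefi --tpm-support v2.0 ...`); they cannot be added to an AMI afterwards, which is why the audit is worth doing before the image is in use.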
NitroTPM is available today in all AWS regions outside of China, including in AWS GovCloud, at no additional cost.
The launch comes more than a year after Microsoft Azure rolled out virtual TPM (vTPM) support to select instance types. The vTPM allows administrators to deploy virtual machines with verified and signed bootloaders, kernels, and boot policies.
Meanwhile, Google Cloud Platform introduced TPM support with Shielded VMs in 2018, and enabled it on all VMs by default almost two years ago. ®