Amazon EC2 supports NitroTPM and UEFI Secure Boot
AWS recently announced the general availability of UEFI Secure Boot and NitroTPM, a virtual TPM for EC2 instances based on the AWS Nitro system. The new features are designed for boot process validation, key protection and digital rights management.
First announced at re:Invent, NitroTPM provides measured boot, a process in which the boot loader and operating system compute cryptographic hashes of each boot binary and combine them with the previously recorded values. The resulting measurements can be used to prove the integrity of the instance's boot software to remote parties, enabling remote attestation.
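The "combine with previous values" step is the TPM PCR extend operation: a register is never written directly, only replaced by the hash of its old value concatenated with the new measurement, so the final value depends on every binary and on their order. The following Go program is an added illustration written for this article, not AWS or NitroTPM code; it simulates a SHA-256 PCR bank over constructed sample images, then shows how a verifier replays the event log and compares the result with a known-good value, and how a single-byte change in one stage breaks the match.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// BootStage is one binary measured during boot (constructed sample data, not real firmware).
type BootStage struct {
	Name  string
	Image []byte
}

// PCRSize is the width of a register in a SHA-256 PCR bank.
const PCRSize = sha256.Size

// Extend models the TPM 2.0 PCR extend operation for a SHA-256 bank:
// PCR_new = SHA-256(PCR_old || digest). Because the old value is folded in,
// the register cannot be set to an arbitrary value after the fact.
func Extend(pcr [PCRSize]byte, digest [PCRSize]byte) [PCRSize]byte {
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// MeasureBoot starts from the all-zero reset value and extends the register
// with the hash of each stage in order. It returns the final PCR value and the
// event log (per-stage digests) that a verifier later replays.
func MeasureBoot(stages []BootStage) ([PCRSize]byte, [][PCRSize]byte) {
	var pcr [PCRSize]byte // boot-time PCRs reset to all zeros
	var eventLog [][PCRSize]byte
	for _, s := range stages {
		d := sha256.Sum256(s.Image)
		eventLog = append(eventLog, d)
		pcr = Extend(pcr, d)
	}
	return pcr, eventLog
}

// ReplayLog recomputes the PCR a given event log should produce, as a remote
// attestation verifier does before trusting the quoted value.
func ReplayLog(eventLog [][PCRSize]byte) [PCRSize]byte {
	var pcr [PCRSize]byte
	for _, d := range eventLog {
		pcr = Extend(pcr, d)
	}
	return pcr
}

// Attest reports whether a quoted PCR equals the known-good (golden) value.
func Attest(quoted, golden [PCRSize]byte) bool {
	return quoted == golden
}

func main() {
	// Constructed sample images standing in for firmware, boot loader and kernel.
	stages := []BootStage{
		{"uefi-firmware", []byte("firmware image v1")},
		{"boot-loader", []byte("shim+grub image v1")},
		{"kernel", []byte("kernel image v1")},
	}
	golden, eventLog := MeasureBoot(stages)
	fmt.Println("golden PCR:          ", hex.EncodeToString(golden[:]))
	fmt.Println("replayed log matches:", Attest(ReplayLog(eventLog), golden))

	// Modify the boot loader: the final PCR no longer matches the golden value.
	stages[1].Image = []byte("shim+grub image v1 (modified)")
	tampered, _ := MeasureBoot(stages)
	fmt.Println("tampered matches:    ", Attest(tampered, golden))
}
```

The golden value in practice comes from a trusted reference build of the boot chain; a verifier that only checks the quoted PCR without replaying the log cannot tell which stage changed, which is why the event log is shipped alongside the quote.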
Trusted Platform Modules (TPMs), developed to provide hardware-based security functions, can generate, securely store, and control the use of encryption keys, credentials, and other secret data. Sebastien Stormacq, principal developer advocate at AWS, explains:
You can use NitroTPM to store secrets, such as disk encryption keys or SSH keys, outside of EC2 instance memory, protecting them from applications running on the instance. NitroTPM leverages the isolation and security properties of the Nitro system to ensure that only the instance can access these secrets. It offers the same functions as a physical or discrete TPM. NitroTPM follows the ISO TPM 2.0 specification, allowing you to migrate existing on-premises workloads that leverage TPMs to EC2.
Kuniyasu Suzaki, senior researcher at the AIST Physical Cybersecurity Research Center, asks:
Sounds nice, but I’m wondering if I can “own” the TPM? This means that the TPM belongs to me and is not shared by other people.
UEFI (Unified Extensible Firmware Interface) Secure Boot prevents unauthorized modification of the instance's boot flow by ensuring that the instance boots only software signed with cryptographic keys stored in the UEFI non-volatile variable store database.
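The check Secure Boot performs at each stage is simple to state: the image's signature must verify under a key in the `db` variable, and the image must not be listed in the `dbx` revocation variable, otherwise the firmware refuses to run it and the boot halts. The Go program below is an added model written for this article, not UEFI or AWS code; it uses Ed25519 as a stand-in for the RSA/Authenticode signatures real firmware checks, and constructed keys and images in place of a vendor's certificates, to show how a trusted chain boots, how an image signed by an unknown key stops the chain, and how a revocation entry in `dbx` blocks a correctly signed but withdrawn image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedImage is a boot binary with its detached signature
// (constructed stand-in for an Authenticode-signed PE image).
type SignedImage struct {
	Name      string
	Image     []byte
	Signature []byte
}

// VariableStore models the UEFI authenticated variables Secure Boot consults:
// db holds trusted signer keys, dbx holds SHA-256 hashes of revoked images.
type VariableStore struct {
	DB  []ed25519.PublicKey
	DBX map[[sha256.Size]byte]bool
}

// Allowed reports whether firmware may execute the image: its hash must not be
// revoked in dbx, and its signature must verify under some key in db.
func (vs *VariableStore) Allowed(img SignedImage) bool {
	if vs.DBX[sha256.Sum256(img.Image)] {
		return false
	}
	for _, pk := range vs.DB {
		if ed25519.Verify(pk, img.Image, img.Signature) {
			return true
		}
	}
	return false
}

// Revoke adds an image hash to dbx so that even a validly signed copy is refused.
func (vs *VariableStore) Revoke(image []byte) {
	if vs.DBX == nil {
		vs.DBX = make(map[[sha256.Size]byte]bool)
	}
	vs.DBX[sha256.Sum256(image)] = true
}

// BootChain verifies each stage in order and stops at the first failure,
// returning the stages that were allowed to run and whether boot completed.
func BootChain(vs *VariableStore, stages []SignedImage) ([]string, bool) {
	var ran []string
	for _, s := range stages {
		if !vs.Allowed(s) {
			return ran, false
		}
		ran = append(ran, s.Name)
	}
	return ran, true
}

// Sign is the vendor-side step: produce a signed image with the given private key.
func Sign(name string, image []byte, sk ed25519.PrivateKey) SignedImage {
	return SignedImage{Name: name, Image: image, Signature: ed25519.Sign(sk, image)}
}

func main() {
	// Constructed keys: one enrolled in db, one that firmware has never seen.
	vendorPK, vendorSK, _ := ed25519.GenerateKey(rand.Reader)
	_, unknownSK, _ := ed25519.GenerateKey(rand.Reader)
	vs := &VariableStore{DB: []ed25519.PublicKey{vendorPK}}

	shim := Sign("shim", []byte("shim image v1"), vendorSK)
	kernel := Sign("kernel", []byte("kernel image v1"), vendorSK)
	ran, ok := BootChain(vs, []SignedImage{shim, kernel})
	fmt.Println("trusted chain:", ran, "booted:", ok)

	unsigned := Sign("kernel", []byte("kernel image v1"), unknownSK)
	ran, ok = BootChain(vs, []SignedImage{shim, unsigned})
	fmt.Println("unknown signer:", ran, "booted:", ok)

	vs.Revoke(shim.Image) // the vendor later withdraws this shim build
	ran, ok = BootChain(vs, []SignedImage{shim, kernel})
	fmt.Println("revoked shim:", ran, "booted:", ok)
}
```

Note that `Allowed` checks `dbx` before `db`: a revoked image stays blocked no matter how valid its signature is, which is the property a defender relies on when a signed boot component is found to be vulnerable.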
Besides NitroTPM, the AWS Nitro System includes Nitro Cards, a family of cards that offload and accelerate I/O functions; the Nitro Security Chip; the Nitro Hypervisor, a lightweight hypervisor that manages memory and CPU allocation; and Nitro Enclaves, which create isolated compute environments to further protect and securely process highly sensitive data.
Currently, only Intel and AMD instance types that support UEFI boot mode are supported. Graviton1, Graviton2, Xen-based, Mac, and bare metal instances are not supported, a limitation that has raised some concerns in the community.
Stormacq explains why BitLocker volume encryption keys are prime candidates for the virtual TPM:
BitLocker automatically detects and uses NitroTPM when available. There are no additional setup steps beyond what you do today to install and configure BitLocker. During installation, BitLocker recognizes the TPM and starts using it automatically.
NitroTPM and UEFI Secure Boot are available in all AWS Regions except those in China. There is no additional cost for using the new features.