Amazon EC2 Supports NitroTPM and UEFI Secure Boot
InfoQ News
May 22, 2022
Renato Losio
AWS recently announced the general availability of UEFI Secure Boot and NitroTPM, a virtual TPM for EC2 instances built on the AWS Nitro System. The new features are designed for boot-process validation, key protection and digital rights management.
Presented for the first time at re:Invent, NitroTPM introduces measured boot, a process in which the bootloader and operating system compute a cryptographic hash of every boot binary and fold each hash into the value accumulated from the previous measurements. The resulting values can be used to prove the integrity of the instance's boot software to remote parties, enabling remote attestation.
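To make the measured-boot chain and the attestation step concrete, here is an added Python model that is not part of the InfoQ article or of AWS's own code. It assumes the TPM 2.0 PCR extend rule (new value = SHA-256 of old value concatenated with the measurement), uses a constructed list of boot-stage names as stand-ins for real binaries, and replaces the TPM's asymmetric attestation key with an HMAC secret so the whole flow runs offline. The point it demonstrates is that a PCR can only be extended, never written, so a tampered, missing or reordered component changes the final value, and that a verifier must bind the quote to a fresh nonce before comparing PCRs against a golden value.

```python
import hashlib
import hmac
import os

PCR_SIZE = 32
PCR_INITIAL = bytes(PCR_SIZE)  # a SHA-256 PCR bank starts at all-zero bytes

# Verifier outcomes
ACCEPT = "accept"
REJECT_SIG = "reject: bad signature"
REJECT_NONCE = "reject: stale quote (nonce mismatch)"
REJECT_PCR = "reject: PCR does not match golden value"


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 PCR extend: new = SHA-256(old || measurement). There is no plain write."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(component: bytes) -> bytes:
    """Each boot stage hashes the next binary before handing control to it."""
    return hashlib.sha256(component).digest()


def replay_log(event_log):
    """Replay a boot event log from the initial PCR value; order and completeness matter."""
    pcr = PCR_INITIAL
    for component in event_log:
        pcr = pcr_extend(pcr, measure(component))
    return pcr


# Constructed boot chain: stand-ins for the binaries real firmware would measure
GOOD_CHAIN = [b"uefi-firmware-v1", b"shim-v1", b"grub-v1", b"vmlinuz-5.15", b"initrd-5.15"]

# Stand-in for the TPM attestation key (assumption: an HMAC secret instead of an RSA/ECC key)
AK_SECRET = b"constructed-attestation-key-secret"


def quote(pcr_value: bytes, nonce: bytes):
    """TPM quote: a signed statement binding the current PCR value to the verifier's nonce."""
    body = pcr_value + nonce
    return body, hmac.new(AK_SECRET, body, hashlib.sha256).digest()


def verify_quote(body: bytes, sig: bytes, expected_nonce: bytes, golden_pcr: bytes) -> str:
    """Verifier side: check signature, then freshness, then the PCR against the golden value."""
    expected_sig = hmac.new(AK_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return REJECT_SIG
    pcr, nonce = body[:PCR_SIZE], body[PCR_SIZE:]
    if nonce != expected_nonce:
        return REJECT_NONCE
    if not hmac.compare_digest(pcr, golden_pcr):
        return REJECT_PCR
    return ACCEPT


def attest(boot_chain, golden_pcr: bytes, nonce: bytes = None) -> str:
    """End-to-end: boot (replay measurements), quote with the verifier's nonce, verify."""
    nonce = nonce or os.urandom(16)
    body, sig = quote(replay_log(boot_chain), nonce)
    return verify_quote(body, sig, nonce, golden_pcr)


if __name__ == "__main__":
    golden = replay_log(GOOD_CHAIN)
    print("good chain:", attest(GOOD_CHAIN, golden))
    tampered = GOOD_CHAIN[:3] + [b"vmlinuz-5.15-modified"] + GOOD_CHAIN[4:]
    print("tampered kernel:", attest(tampered, golden))
    print("reordered chain:", attest(list(reversed(GOOD_CHAIN)), golden))
```

The golden value in a real deployment comes from a known-good image of the same AMI and boot configuration; any update to the kernel, bootloader or firmware changes it, so golden values have to be re-baselined as part of the image pipeline rather than pinned once.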
Developed to provide hardware-based security functions, trusted platform modules (TPMs) can generate, securely store, and control the use of encryption keys, credentials, and other secret data. Sébastien Stormacq, principal developer advocate at AWS, explains:
You can use NitroTPM to store secrets, such as disk encryption keys or SSH keys, outside of the EC2 instance memory, protecting them from applications running on the instance. NitroTPM leverages the isolation and security properties of the Nitro System to ensure only the instance can access these secrets. It provides the same functions as a physical or discrete TPM. NitroTPM follows the ISO TPM 2.0 specification, allowing you to migrate existing on-premises workloads that leverage TPMs to EC2.
Kuniyasu Suzaki, senior researcher at the Cyber Physical Security Research Center of AIST, asks:
It sounds nice, but I wonder if I can "take ownership" of the TPM? It means that the TPM is owned by me and not shared by other persons.
Unified Extensible Firmware Interface (UEFI) Secure Boot prevents unauthorized modification of the instance boot flow, ensuring that the instance only boots software signed with cryptographic keys stored in the signature database (db) of the UEFI non-volatile variable store.
Besides NitroTPM, the AWS Nitro System includes Nitro Cards, a family of cards that offloads and accelerates I/O functions; the Nitro Security Chip; the Nitro Hypervisor, a lightweight hypervisor that manages memory and CPU allocation; and Nitro Enclaves, which create isolated compute environments to further protect and securely process highly sensitive data.
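The Secure Boot policy described above can be shown as an added Python model; it is not code from the article, from AWS or from any UEFI implementation. It assumes a deliberately tiny textbook RSA key pair (constructed primes, no padding, not secure, used only so the signature check runs offline) in place of the X.509 certificates a real db holds, models the db as a list of trusted public keys and the dbx as a set of revoked image hashes, and applies the ordering firmware uses: a dbx match denies the image even when its signature is valid.

```python
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Toy RSA key pair from two constructed primes (assumption: demo only, far too small)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


# Constructed keys: one enrolled in db (the "OS vendor"), one that is not
VENDOR_PUB, VENDOR_PRIV = make_keypair(1000000007, 998244353)
OTHER_PUB, OTHER_PRIV = make_keypair(999999937, 999999929)


def image_hash_hex(image: bytes) -> str:
    """SHA-256 of the boot image; dbx entries are stored in this form."""
    return hashlib.sha256(image).hexdigest()


def digest_int(image: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n


def sign_image(image: bytes, priv) -> int:
    """Vendor side: sign the image digest with the private key."""
    n, d = priv
    return pow(digest_int(image, n), d, n)


def signature_ok(image: bytes, sig: int, pub) -> bool:
    """Firmware side: recover the digest from the signature and compare with the image."""
    n, e = pub
    return pow(sig, e, n) == digest_int(image, n)


class SecureBootPolicy:
    ALLOW = "allow: valid signature from a db key"
    DENY_REVOKED = "deny: image hash listed in dbx"
    DENY_UNSIGNED = "deny: no valid signature from a db key"

    def __init__(self, db, dbx):
        self.db = list(db)    # trusted signing keys (stands in for db certificates)
        self.dbx = set(dbx)   # forbidden image hashes

    def decide(self, image: bytes, sig: int) -> str:
        # Revocation is checked first: dbx wins over db
        if image_hash_hex(image) in self.dbx:
            return self.DENY_REVOKED
        if any(signature_ok(image, sig, key) for key in self.db):
            return self.ALLOW
        return self.DENY_UNSIGNED


if __name__ == "__main__":
    image = b"constructed-bootloader-image"
    sig = sign_image(image, VENDOR_PRIV)
    policy = SecureBootPolicy(db=[VENDOR_PUB], dbx=set())
    print("vendor-signed image:", policy.decide(image, sig))
    print("modified image, same signature:", policy.decide(image + b"!", sig))
    print("signed by key not in db:", policy.decide(image, sign_image(image, OTHER_PRIV)))
    revoked = SecureBootPolicy(db=[VENDOR_PUB], dbx={image_hash_hex(image)})
    print("revoked image, valid signature:", revoked.decide(image, sig))
```

The model captures the policy decision only; real firmware verifies Authenticode signatures and certificate chains, and db/dbx updates must themselves be signed with the Key Exchange Key so an attacker with OS-level access cannot enroll their own key.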
Currently, only Intel and AMD instance types that support UEFI boot mode are supported. Graviton1, Graviton2, Xen-based, Mac, and bare-metal instances are not supported, a limitation that raised some concerns in the community.
Stormacq explains how BitLocker volume encryption keys are good first candidates to use the virtual TPM:
BitLocker automatically detects and uses NitroTPM when available. There is no extra configuration step beyond what you do today to install and configure BitLocker. Upon installation, BitLocker recognizes the TPM module and starts to use it automatically.
NitroTPM and UEFI Secure Boot are available in all AWS regions except those in China. There is no additional cost for using the new features.