Skip to content

AWS TPM support#35

Draft
kfox1111 wants to merge 2 commits into
masterfrom
aws
Draft

AWS TPM support#35
kfox1111 wants to merge 2 commits into
masterfrom
aws

Conversation

@kfox1111

@kfox1111 kfox1111 commented Apr 4, 2026

Copy link
Copy Markdown
Collaborator

No description provided.

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
@kfox1111
kfox1111 marked this pull request as draft April 4, 2026 02:12
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Comment thread pkg/agent/agent.go
}

switch method {
case "metadata":

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NitroTPM is only available on Nitro instances, and as far as I am aware board_asset_tag always is available on Nitro instances https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/identify_ec2_instances.html

so i don't know if we need the metadata fallback here at all

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using BoardAssetTag makes the agent-side AWS-agnostic by the way. Which is nice. Maybe we should rename the setting.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @arianvp. thanks for reviewing.

I'm actually becoming more and more convinced as I implement further into this, that we may have no choice but to use the metadata route and send the iid over to the server.

The reason being, the aws api ratelimit can be abused by an agent. We must call the aws function to fetch the ek of the vm for validation. if the iid is used, the server validation can verify the token is from aws before issuing the call to aws to get the ek, validating the region/instanceid is reasonable. If it is unvalidated, a rouge agent can claim any instance id randomly, forcing the server to make the call to aws, working against the rate limit. with enough calls, someone could denial of service the servers access to aws.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we can use https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html instead of the IID instead if we wanna avoid depending on IMDS/IID

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

interesting. Thanks for the info.

It seems like the instanceid is not directly in the doc, but it is encoded in the module id, so that would be good enough.

It doesnt contain the region id, but since rate limits are per region, I think this is ok.

The main issue I see with this approach, is it supports its own attestation mechanism outside of the normal tpm flow itself. So I think it may be better to make a spire-node-attesotor-nitro-tpm plugin directly, or maybe better yet, add nitro-tpm-nodeattestor support into the existing aws-iid attestor, rather then add it to this plugin. I'm not sure what this plugin would buy us other then some extra steps to extra validate the tpm.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another way to solve this is to not put the EK API call in the hot path. Set up a background loop that does ec2:DescribeInstances or even better set up an EventBridge listener that listens for newly spawned instances, call get-instance-tpm-ek-pub once in the background, and then cache the result forever.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah. I had already prototyped a loop to fetch instances, calculated a rate that it should poll to make sure nodes could join in a reasonable time frame, etc. was leaning towards just using the iid though. solves all of this. but, I think the nitro tpm api is probably even better.

arianvp added a commit to arianvp/systemd that referenced this pull request Apr 24, 2026
Exposes /sys/class/dmi/id/board_asset_tag via hostnamed's D-Bus,
Varlink and hostnamectl interfaces, mirroring the ChassisAssetTag
support added in PR systemd#36487.

This is useful for attestation on AWS EC2, where the EC2 instance ID
is exposed as board_asset_tag [1]. The instance ID can then be used
to fetch the instance's Endorsement Key via the EC2 API [2]. 
I am planning to use this in SPIRE's TPM attestation plugin [3].

[1] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/identify_ec2_instances.html
[2] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/retrieve-ekpub.html
[3] spiffe/spire-tpm-plugin#35

Co-developed-by: Claude Opus 4.7 <noreply@anthropic.com>
arianvp added a commit to arianvp/systemd that referenced this pull request Apr 24, 2026
Exposes /sys/class/dmi/id/board_asset_tag via hostnamed's D-Bus,
Varlink and hostnamectl interfaces, mirroring the ChassisAssetTag
support added in PR systemd#36487.

This is useful for attestation on AWS EC2, where the EC2 instance ID
is exposed as board_asset_tag [1]. The instance ID can then be used
to fetch the instance's Endorsement Key via the EC2 API [2]. 
I am planning to use this in SPIRE's TPM attestation plugin [3].

[1] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/identify_ec2_instances.html
[2] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/retrieve-ekpub.html
[3] spiffe/spire-tpm-plugin#35

Co-developed-by: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants