


With vSphere 6.7 I'm happy to announce the support of TPM 2.0! This blog will go into detail on how we are leveraging the TPM 2.0 chip found on most modern servers.

First, we'll start out with "What is a TPM?" and what its capabilities are. I'll also clarify some misconceptions and try to put into context what pieces are doing what during the boot of ESXi 6.7.

Trusted Platform Module or "TPM"

A TPM (Trusted Platform Module) is a computer chip/microcontroller that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include measurements, passwords, certificates, or encryption keys. A TPM can also be used to digitally sign content and store platform measurements that help ensure that the platform remains trustworthy. The Trusted Computing Group has a great detailed overview of what a TPM is and does. I will attempt to provide a journeyman's overview below.

Since ESXi 5.x, ESXi has had support for TPM 1.2. Prior to 6.7 the APIs and functionality of TPM 1.2 were limited to 3rd-party applications created by VMware partners. In 6.7 we have introduced support for TPM 2.0. TPM 2.0 and TPM 1.2 are two entirely different implementations and there is no backwards compatibility. For all intents and purposes, they are considered two different devices by ESXi. If you are running 6.5 on a server with TPM 2.0 you will not see the TPM 2.0 device, because there's no support in 6.5 for TPM 2.0. New features in 6.7 do not use the TPM 1.2 device.

TPM performance

Speed

A TPM is a very slow device. It typically lives on the same bus that serial devices, parallel ports and other low-speed devices live on.

Cryptographic Signing

A TPM is not designed for high-speed cryptographic operations. You're not going to do every cryptographic operation with a TPM; a CPU is leaps and bounds faster for that. A TPM would sign something to prove that it was signed by the TPM.

The amount of space to store measurements and credentials is measured in KB. You are not going to store 100s of VMs' keys on a TPM!

Attestation

The term "attestation" is used by the InfoSec community quite a bit. It's a declaration or evidence of a result. In this case we are using an attestation of a host to provide evidence that the host has booted with Secure Boot enabled, thereby ensuring only signed code is used.

How does ESXi 6.7 use a TPM 2.0 device?

At a high level, TPM 2.0 is used to store measurements of a known good boot of ESXi.
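To make the two ideas above concrete (measurements of a known good boot stored in the TPM, and an attestation that a verifier can check), here is an added software simulation. It is not code from the post or from VMware: the boot components, the known-good values and the attestation key are all constructed, and an HMAC stands in for the asymmetric attestation key a real TPM uses to sign its quotes. What it does show faithfully is the TPM 2.0 PCR extend rule (a PCR can only be extended, never set, so its final value depends on every measurement and their order) and why a verifier supplies a fresh nonce.

```python
"""Added example (not from the original post): a simulated measured boot with
TPM-style PCR extends and a signed "quote" that a verifier compares against a
known-good value. Everything runs in software; the TPM, the boot components and
the attestation key are constructed stand-ins."""
import hashlib
import hmac
import os

PCR_SIZE = 32  # one PCR in a SHA-256 bank

# Constructed boot chain: (component name, bytes that would be measured).
KNOWN_GOOD_BOOT = [
    ("bootloader", b"signed bootloader image v1"),
    ("kernel", b"signed hypervisor kernel image"),
    ("secureboot_policy", b"secure_boot=enabled"),
]

# Constructed attestation key. A real TPM signs quotes with an asymmetric key
# that never leaves the chip; HMAC stands in for that here so the example
# needs only the standard library.
ATTESTATION_KEY = b"example-attestation-key-not-a-real-tpm-key"


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend semantics: PCR = H(PCR || H(measurement)).
    There is no 'set' operation, so the final PCR value depends on every
    measurement and on the order in which they were extended."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components):
    """Extend the PCR with each boot component in turn. Returns the final PCR
    and an event log (name, digest) a verifier could use to replay it."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros after reset
    log = []
    for name, image in components:
        pcr = pcr_extend(pcr, image)
        log.append((name, hashlib.sha256(image).hexdigest()))
    return pcr, log


def tpm_quote(pcr: bytes, nonce: bytes) -> bytes:
    """Quote: a signature over the PCR value and a verifier-supplied nonce.
    The nonce stops an old quote from a previously good boot being replayed."""
    return hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()


def verify_attestation(pcr: bytes, quote: bytes, nonce: bytes,
                       expected_pcr: bytes) -> bool:
    """Remote verifier: check the signature (and therefore the nonce) first,
    then compare the reported PCR against the known-good value."""
    expected_quote = hmac.new(ATTESTATION_KEY, pcr + nonce,
                              hashlib.sha256).digest()
    if not hmac.compare_digest(quote, expected_quote):
        return False
    return hmac.compare_digest(pcr, expected_pcr)


def attest(components, expected_pcr: bytes, nonce=None) -> bool:
    """Boot the given components, obtain a quote for a fresh nonce, verify it."""
    nonce = nonce if nonce is not None else os.urandom(16)
    pcr, _log = measured_boot(components)
    quote = tpm_quote(pcr, nonce)
    return verify_attestation(pcr, quote, nonce, expected_pcr)


def tampered_boot():
    """Same chain, but with the Secure Boot policy measurement changed."""
    return [(n, b"secure_boot=disabled" if n == "secureboot_policy" else img)
            for n, img in KNOWN_GOOD_BOOT]


if __name__ == "__main__":
    golden_pcr, log = measured_boot(KNOWN_GOOD_BOOT)
    print("known-good PCR:", golden_pcr.hex())
    for name, digest in log:
        print(f"  measured {name}: {digest}")
    print("attest good boot:", attest(KNOWN_GOOD_BOOT, golden_pcr))
    print("attest tampered boot:", attest(tampered_boot(), golden_pcr))
```

The "known good" PCR value is captured once from a trusted boot and stored by the verifier; thereafter any change to a measured component, or to the order of measurements, produces a different PCR and the attestation fails. A quote signed for an earlier nonce also fails, which is the property that makes the attestation evidence of the current boot rather than of some past one.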
