NitroTPM Attestation Document contents - Amazon Elastic Compute Cloud

NitroTPM Attestation Document contents

An Attestation Document is generated by the NitroTPM and signed by the Nitro Hypervisor. It includes a series of platform configuration register (PCR) values related to an Amazon EC2 instance.

Important

PCR0 and PCR1 are generally used to measure the initial boot code, which is controlled by Amazon. To allow safe updates of early boot code, these PCRs will always contain constant values.

The following PCRs are included in the Attestation Document:

  • PCR0 — Core System Firmware Executable Code

  • PCR1 — Core System Firmware Data

  • PCR2 — Extended or pluggable executable code

  • PCR3 — Extended or pluggable Firmware Data

  • PCR4 — Boot Manager Code

  • PCR5 — Boot Manager Code Configuration and Data and GPT Partition Table

  • PCR6 — Host Platform Manufacturer Specifics

  • PCR7 — Secure Boot Policy

  • PCR8 to PCR15 — Defined for use by the Static Operating System

  • PCR16 — Debug

  • PCR23 — Application Support

PCR4 and PCR7 are the registers used to validate that an instance was launched using an Attestable AMI: PCR4 for instances that use standard boot, and PCR7 for instances that use Secure Boot.

  • PCR4 (Boot Manager Code) — When an instance starts, the NitroTPM creates cryptographic hashes of all the binaries executed by its UEFI environment. With Attestable AMIs, these boot binaries embed hashes that prevent future loading of binaries that do not have matching hashes. This way, the single boot binary hash can describe exactly what code an instance will execute.

  • PCR7 (Secure Boot Policy) — UEFI boot binaries can be signed with a UEFI Secure Boot signing key. When UEFI Secure Boot is enabled, UEFI will prevent execution of UEFI boot binaries that do not match the configured policy. PCR7 contains a hash of the instance’s UEFI Secure Boot policy.

    If you need to maintain a single KMS policy that persists across instance updates, you can create a policy that validates against PCR7 and so checks the UEFI Secure Boot certificate. During creation of an Attestable AMI, you can then sign the boot binary with your certificate and install it as the only permitted certificate in the AMI’s UEFI-data. Keep in mind that this model still requires you to generate a new certificate, install it in your policy, and update AMIs if you want to prevent instances launched from old (untrusted) AMIs from passing your KMS policy.
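The trade-off between pinning PCR4 and pinning PCR7, as an added example that is not AWS code: a simplified Python model of the TPM extend operation and a fail-closed PCR policy check. It assumes a SHA-384 PCR bank and an Attestation Document whose signature has already been verified and whose PCRs are parsed into an index-to-bytes map; `simulated_pcrs` and `failed_pcrs` are hypothetical names, and real firmware measures more events into these registers than the single item modelled here.

```python
import hashlib
import hmac

# Assumption: a SHA-384 PCR bank; the page does not name the hash algorithm.
H = hashlib.sha384
PCR_RESET = bytes(H().digest_size)  # a PCR starts as all zero bytes

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || H(data)). Order-sensitive, one-way."""
    return H(pcr + H(data).digest()).digest()

def replay(items) -> bytes:
    """Fold every measured item, in order, into a single PCR value."""
    pcr = PCR_RESET
    for item in items:
        pcr = extend(pcr, item)
    return pcr

def simulated_pcrs(boot_binary: bytes, secure_boot_cert: bytes) -> dict:
    """Simplified model of the two PCRs the page uses for Attestable AMIs.
    Real firmware also measures other events into these registers."""
    return {4: replay([boot_binary]), 7: replay([secure_boot_cert])}

def failed_pcrs(attested: dict, policy: dict) -> list:
    """Return pinned PCR indexes that are missing or differ (empty = pass)."""
    return sorted(
        index for index, expected in policy.items()
        if index not in attested
        or not hmac.compare_digest(attested[index], expected)
    )

# Constructed sample inputs (not real AMI contents or certificates).
CERT_A, CERT_B = b"constructed-cert-A", b"constructed-cert-B"
AMI_V1 = simulated_pcrs(b"constructed boot binary v1", CERT_A)
AMI_V2 = simulated_pcrs(b"constructed boot binary v2", CERT_A)  # update, same cert
AMI_V3 = simulated_pcrs(b"constructed boot binary v3", CERT_B)  # rotated cert

PIN_PCR4 = {4: AMI_V1[4]}  # pins exactly one boot binary
PIN_PCR7 = {7: AMI_V1[7]}  # pins the Secure Boot policy (certificate)

if __name__ == "__main__":
    for name, pcrs in (("v1", AMI_V1), ("v2", AMI_V2), ("v3", AMI_V3)):
        print(name, "PCR4 policy fails:", failed_pcrs(pcrs, PIN_PCR4),
              "PCR7 policy fails:", failed_pcrs(pcrs, PIN_PCR7))
```

A policy pinned to PCR4 rejects the updated AMI even though it is legitimate, while a policy pinned to PCR7 keeps accepting every AMI signed with the same certificate until the certificate is rotated.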