Those NitroTPMs Amazon teased now really are coming to AWS EC2

Yes, give those smartNICs something to do


Trusted platform modules (TPMs) got a bad rap for headaches they caused some PC enthusiasts. One place they are arguably more palatable is the datacenter, or so AWS, at least, hopes with the actual, real launch of its NitroTPM for Elastic Compute Cloud (EC2).

By headaches, we mean, for instance, Windows 11's strict requirement for a TPM 2.0. A TPM can be an independent hardware module fitted inside a computer, or firmware can provide the equivalent functionality using the host chipset or processor. Either way, it can generate, securely store, and control the use of encryption keys, credentials, and other secret data. It can also be used to ensure a system is booted as intended and no one's made unauthorized changes to allow hidden malware to snoop on the box.

At the AWS re:Invent conference last winter, NitroTPM was teased as a coming-soon virtualized TPM running on Amazon's Nitro smartNICs. Now, we're told, it's actually available. It's said to be compliant with the TPM 2.0 standard, and provides AWS customers with protections against rootkits, malicious firmware, and other threats.

Sealing the key

One of the biggest benefits to EC2 customers is to store secrets — disk encryption or SSH keys, for example — separately from an EC2 instance, Sébastien Stormacq, principal developer advocate at AWS, said in a Wednesday announcement.

This process is referred to as “sealing the key to the TPM,” Stormacq explained, adding that once sealed, the NitroTPM will only unseal those keys if the operating system and the instance are in a known good state. According to AWS, this makes it well suited for things like digital rights management and secure database access. It's accessible on both Windows and Linux instances via BitLocker, dm-verity, or the Linux unified key setup.

The tech can also be used for platform attestation by taking advantage of the NitroTPM’s measured boot functionality. This process compares platform measurements from the bootloader and operating system to determine if the boot state is valid and as expected.

If, for example, malware or a miscreant were to modify the operating system kernel, these checks would render an invalid result, Stormacq explained.

Support for some

NitroTPM is supported by most Windows and Linux operating systems running on EC2, we're told. Red Hat Enterprise Linux 8, SUSE Linux Enterprise Server 15, Ubuntu 18.04 and 20.04, and Windows Server 2016, 2019, and 2022 have all been validated.

AWS notes the technology must be used on Nitro-based EC2 instances powered by Intel or AMD processors. Graviton1, Graviton2, Xen-based, Mac, and bare-metal instances are not supported at this time.

Finally, for Linux users, the Amazon machine image (AMI) must be flagged to use a UEFI bios and NitroTMP at the time of their creation. Windows AMIs provided by AWS are flagged by default. In the case of Windows BitLocker disk encryption, NitroTPM is automatically detected, and no additional configuration is required.

NitroTPM is available today in all AWS regions outside of China, including in AWS GovCloud, at no additional cost.

The launch comes more than a year after Microsoft Azure rolled out virtual TPM (vTPM) support to select instance types. The vTPM allows administrators to deploy virtual machines with verified and signed bootloaders, kernels, and boot policies.

Meanwhile, Google Cloud Platform introduced TPM support with Shielded VMs in 2018, and enabled it on all VMs by default almost two years ago. ®


Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022