TPM EK Certificate Retrieval

smo4201 · ‎12-20-2021

For remote attestation, I would like to retrieve the TPM EK certificates of my machines.

Therefore, I am creating the CertificateURL with the public key and requesting the EK certificate from:

https://ekop.intel.com/ekcertservice/

This is working from a python script just fine. However, when trying to do the same thing in go (golang), I get the following:

Response Status: 200 OK
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 15434485138692575302</body></html>

I did this with standard parameters (literally just http.Get("<url>")) as well as different parameters for TLS1.2 and TLS1.3. The handshake works, I get the Response Status 200 OK but somehow the reject is rejected.

Of course, for various other websites, the code is just working fine, so its not a general issue.

Can you tell me which parameters are required for the TLS connection to not get blocked or how I can retrieve the certificates?

AdrianM_Intel · ‎12-21-2021

Hello smo4201,

Thank you for posting on the Intel® communities.

To better assist you can you please provide us the following information:

How many systems are deployed?
Are you using Intel EMA or Intel SCS?
Is this a new configuration?

Regards,

Adrian M.

Intel Customer Support Technician

smo4201 · ‎12-21-2021

Hi,

I am using neither EMA nor SCS. I only have a few machines for a development setup.

Right now, I am simply trying to retrieve the EK certificate for one of my machines from my work laptop. I just send the simple HTTP GET request to https://ekop.intel.com/ekcertservice/<pub-key-hash-of-machine>

And as said, I am perfectly able to retrieve the EK certificate via my browser or a python script. I just need to do this in go (golang) and there, the request is also successful (HTTP Status 200 OK) but somehow the Intel server rejects to return the EK certificate but instead just prints the rejection message.

AdrianM_Intel · ‎12-21-2021

Hello smo4201,

Thank you for your response.

I appreciate the details, I will further investigate your question and I will post back soon.

Regards,

Adrian M.

Intel Customer Support Technician

AdrianM_Intel · ‎12-22-2021

Hello smo4201,

Thank you for your patience.

Can you please let us know more details about the Intel hardware you are using?

What is your hardware configuration?
Is this an Intel server? if so what is the model of the server?

Can you please provide us with the following information:

Intel® System Support Utility for Windows* (https://www.intel.com/content/www/us/en/download/18377/intel-system-support-utility-for-windows.html)

Steps:

https://www.intel.com/content/www/us/en/support/articles/000057926/memory-and-storage.html

If it is an Intel server, please share the following log:

Download System Information Retrieval Utility (SysInfo) https://www.intel.com/content/www/us/en/download/17949/29677/system-information-retrieval-utility-sysinfo.html?product=61020

EFI method:

Copy the uncompressed .zip file into a local directory (for example, fs0:\sysinfo).
Go to the UEFI folder.
Run sysinfo.efi.
The utility collects system information and writes it into three different log files in the LogFiles folder within the current directory.

Regards,

Adrian M.

Intel Customer Support Technician

smo4201 · ‎12-22-2021

Hi,

the machine I am currently trying to do the HTTP GET request from is a Lenovo T490s notebook. The machines with the Intel TPMs are Intel NUCs with Intel Pentium Silver J5005 processors. This is just a small development setup and neither machine runs Windows (all run minimal Linux distributions).

However, I am not sure, why the machine is relevant, as I only want to do an HTTP GET request, which should work from any machine, right?

And as said, Indeed this is perfectly working, e.g., if I am doing this request from a python script. So the following simple python code perfectly gets me the EK certificate for the NUC from the Intel EK certificate service:

import requests
res = requests.get("https://ekop.intel.com/ekcertservice/Dw8OvJJ0Pb4z7jBnicWOA1cWhICnD4TSmSJl6kmfSzE=")
print(res.text)

However, the same simple code written in go does not work:

func GetEkCert() {
    resp, _ := http.Get("https://ekop.intel.com/ekcertservice/Dw8OvJJ0Pb4z7jBnicWOA1cWhICnD4TSmSJl6kmfSzE=")
    content, _ := ioutil.Readall(resp.Body)
    fmt.Println(string(content))
}

This gets me HTTP Status 200 OK as well, but in the body, I do not find the certificate, but the rejection message:

<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 15434485138692575302</body></html>

As the TLS handshake and the HTTPS connection succeeds, it's hard for me to tell why the Intel server rejects my request from one programming language, but not from the other. Of course the go code in general works on other sites.

Note: The EK public key hash is the actual hash from one of the NUCs so you can reproduce the issue if you want. It is just a development machine so the EK Public Key is not privacy sensitive at all.

AdrianM_Intel · ‎12-22-2021

Hello smo4201,

Thank you for your response.

This thread will be moved to a different forum, so you can get better assistance with

Intel® NUC machines.

Regards,

Adrian M.

Intel Customer Support Technician

Alberto_R_Intel · ‎12-23-2021

smo4201, Thank you for posting in the Intel® Communities Support.

In reference to your request, "Can you tell me which parameters are required for the TLS connection to not get blocked or how I can retrieve the certificates?", we will do further research on this matter in order to verify if we have the information that you are looking for or if we can point you in the right direction so you can gather those details.

As soon as I get any updates I will post all of them on this thread.

Regards,

Albert R.

Intel Customer Support Technician

Alberto_R_Intel · ‎12-23-2021

Hello smo4201, I just received an update on this matter.

For us to be able to continue with our research on this matter, please attach the SSU report so we can verify further details about the components in your platform, check all the options in the report including the one that says "3rd party software logs":

https://www.intel.com/content/www/us/en/download/18895/26735/intel-system-support-utility-for-the-linux-operating-system.html?

Any questions, please let me know.

Regards,

Albert R.

Intel Customer Support Technician

smo4201 · ‎12-24-2021

I Attached the ssu.sh logs of the NUC the TPM actually resides on as well as a development notebook. On both machines, the request in python does work fine but in go it gets blocked. So I believe this has rather something to do with how go and python handle http requests than with the specific machine.

Alberto_R_Intel · ‎12-24-2021

smo4201, Thank you very much for providing that information and the SSU report.

We will continue with our research on this matter, as soon as I get more details I will post all the updates on this thread.

Regards,

Albert R.

Intel Customer Support Technician

Alberto_R_Intel · ‎12-28-2021

Fuqua15, Thank you for posting in the Intel® Communities Support, we will keep sharing and hopefully, that information will be very useful and helpful for you and other peers looking at this thread.

Hello smo4201, I just received an update on this matter.

After reviewing the case, we would like to let you know that this NUC doesn't support TPM, it supports IPTT instead, please refer to:

https://www.intel.com/content/www/us/en/products/sku/126137/intel-nuc-kit-nuc7pjyh/specifications.html

If this certificate is TPM only, at this point we don't see any reference to IPTT, then we believe this will not be supported on this platform:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation

So, just to confirm, by any chance do you know if the same applies to IPPT?

Regards,

Albert R.

Intel Customer Support Technician

smo4201 · ‎12-30-2021

Yes, some of my machines have a phyiscal TPM and some (like the NUC) have PTT (fTPM). This has nothing to do with the problem!

As I stated above: I am perfectly able to retrieve the (f)TPM/PTT EK Certificate for all of my machines, including the NUCs. But I can only do this with the Python code snippet I posted above.

My problem is, that another piece of code (the golang code snippet), doing the same request, gets rejected by the Intel server hosting the certificate. So this has nothing to do with the machines or with their TPMs/PTT. The only problem is that the Intel server rejects the request, because it thinks it is malicious. However, requests to other sites work with this code work perfectly fine.

I had a quick search what the rejection message I get means:

<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 15434485138692575302</body></html>

And found that it might be produced by a firewall from F5 Networks called Application Security Manager (ASM). Are you using this for the Intel EK certificate server and can you tell me what the exact reason for the rejection is from the support ID?

Alberto_R_Intel · ‎12-30-2021

Hello smo4201, Thank you very much for clarifying that information.

In order to answer your question and to try to provide the details that you are looking for, we will continue with our research on this matter, as soon as I get more updates I will post all of them on this thread.

Regards,

Albert R.

Intel Customer Support Technician

Ronny_G_Intel · ‎01-04-2022

Hi smo4201,

I have escalated this issue up to the Product Team for further review, I cant promise a satisfactory answer since we usually do not troubleshoot any kind of code or programming but let me check and I will get back to you as soon as possible.

Regards,

Ronny G

smo4201 · ‎01-05-2022

Thank you. I totally understand that you do not troubleshoot any code or programming, I just pasted the snippets in case you want to reproduce this easily. As I said, the code works fine for any other HTTP request I tested (to other servers).

I really think this is just some issue with the firewall thinking the request is malicious. However, not knowing the reason, it's hard for me to proceed.

Alberto_R_Intel · ‎01-20-2022

Hello smo4201, I Just received an update on this matter.

I sent you an email, please verify your inbox.

Regards,

Albert R.

Intel Customer Support Technician

smo4201 · ‎01-25-2022

Hi,

You sent me the EK certificate, but I do not understand why. As I stated repeatedly, I am able to get the certificate myself. HOWEVER, I am only able to do so from some of my programs. From certain other programs, the valid HTTP request gets blocked by a firewall or something that is running on the Intel server holding the certificates.

I just want to get information why the Intel Server https://ekop.intel.com/ekcertservice/ does block my requests which are (from my perspective) perfectly valid.

Alberto_R_Intel · ‎01-26-2022

Hismo4201, Thank you very much for your response.

We will continue with our research on this matter, and as soon as I get more updates I will post all the details on this thread.

Regards,

Albert R.

Intel Customer Support Technician

Ronny_G_Intel · ‎01-28-2022

Hi @smo4201,

I have been investigating this issue but unfortunately, I made no progress this far.

We know that the URL https://ekop.intel.com/ekcertservice/ works when tested directly or via the Phyton script and that the server rejects the request when using a Goland snippet.

I have exhausted all my internal support options and can only recommend that you check/ask for help in Go forums, for example: https://forum.golangbridge.org/

Unfortunately, this is all I have for now.

Regards,

Ronny G

Ronny_G_Intel · ‎01-28-2022

I found these 2 URLS that may be related to this issue:

https://stackoverflow.com/questions/40402998/angular-jsonp-get-rejected-although-status-code-200-ok

https://pkg.go.dev/github.com/google/go-attestation/attest#EK