
404 error retrieving endorsement key certificate on Intel N100 fTPM

akowalsk

I am attempting to configure a new Intel N100-based mini-computer for tpm2 remote attestation. However, I am unable to retrieve the endorsement certificate from the Intel ekcertservice (this is built into the tpm2-tools commands). Both the RSA and ECC versions fail with an HTTP 404 error from Intel's endpoint.

Desired behavior is the ekcertservice response with the correct endorsement key certificate.

I have attached screenshots of the system BIOS, the CPU information and the Trusted Computing configuration. I am also attaching the verbose output from the tpm2 getekcertificate command (both ECC and RSA), as well as the output from the Intel® System Support Utility run on the computer.

DeividA_Intel

Hello akowalsk,  


Thank you for posting on the Intel® communities. I understand you are having an issue retrieving the endorsement certificate.


I would like to let you know that the Intel® PTT is an integrated TPM that adheres to the 2.0 specifications and offers the same capabilities as a discrete TPM, only it resides in the system’s firmware, thus removing the need for dedicated processing or memory resources.


However, it’s possible that your TPM may have been turned off in the firmware by the computer manufacturer and may require you to enable it to meet the new requirement. Since this is a mini PC manufactured by PELADN, I recommend that you get in contact with PELADN for further information related to the TPM and the endorsement certificate.


Please keep in mind that this thread will no longer be monitored by Intel.  


Regards,  

Deivid A.  

Intel Customer Support Technician  


akowalsk

The TPM is definitely enabled and definitely works (for example, I can seal information in it, etc.). The issue is that the Intel server is returning a 404 response when I try to retrieve the Endorsement Key Certificate using this command: https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_getekcertificate.1/

The tool makes a GET request to https://ekop.intel.com/ekcertservice/ZAj_57djofAHy6RPePTR7fULr1bPsLSrZ3Vk9hrSrDw%3D which returns a 404. Other systems work just fine (the path param is different; I think that's unique to each TPM). Intel is the company responsible for the endorsement certificate, not PELADN, since it's burned into the chip itself.

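An added diagnostic example (not from the thread or from tpm2-tools) for checking that the path parameter in a request like the one quoted above really identifies the local EK, which separates "the tool asked for the wrong key" from "the service has no certificate for this key". It assumes the path is the percent-encoded, URL-safe base64 of a SHA-256 digest over the EK public key (RSA modulus followed by the default exponent 65537, or ECC x then y); all function names and the sample modulus are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

EKCERT_BASE = "https://ekop.intel.com/ekcertservice/"  # endpoint quoted in the thread
# Path parameter copied from the URL in the post above.
THREAD_PATH = "ZAj_57djofAHy6RPePTR7fULr1bPsLSrZ3Vk9hrSrDw%3D"


def decode_path(path: str) -> bytes:
    """Undo percent-encoding and URL-safe base64; return the raw digest."""
    digest = base64.urlsafe_b64decode(unquote(path))
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError(f"expected a 32-byte digest, got {len(digest)} bytes")
    return digest


def encode_path(digest: bytes) -> str:
    """URL-safe base64, then percent-encode the '=' padding."""
    return quote(base64.urlsafe_b64encode(digest).decode("ascii"), safe="")


def rsa_ek_digest(modulus: bytes) -> bytes:
    # Assumption: digest covers the modulus followed by exponent 65537 (01 00 01).
    return hashlib.sha256(modulus + b"\x01\x00\x01").digest()


def ecc_ek_digest(x: bytes, y: bytes) -> bytes:
    # Assumption: digest covers the x coordinate followed by the y coordinate.
    return hashlib.sha256(x + y).digest()


def url_matches_ek(url: str, ek_digest: bytes) -> bool:
    """True when the URL's path parameter decodes to the given EK digest."""
    if not url.startswith(EKCERT_BASE):
        return False
    return decode_path(url[len(EKCERT_BASE):]) == ek_digest


if __name__ == "__main__":
    # The thread's path decodes to exactly 32 bytes, consistent with SHA-256.
    print(decode_path(THREAD_PATH).hex())
    modulus = bytes(range(256))  # constructed 2048-bit stand-in, not a real EK
    digest = rsa_ek_digest(modulus)
    url = EKCERT_BASE + encode_path(digest)
    print(url, url_matches_ek(url, digest))
```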