
How to verify an Intel PTT endorsement key certificate

dhdj
Novice

My CPU is an i9-14900K. I've exported the EK cert using the PowerShell commands

$a=Get-TpmEndorsementKeyInfo
$a.manufacturerCertificates|Export-Certificate -filepath "D:\Downloads\test.cer"

but it is a self-signed certificate signed with the private EK. I've also tried computing the pub hash and using https://ekop.intel.com/ekcertservice/ but it returned

{"message":"Forbidden"}

I've noticed CN = CSME ADL PTT 01SVN but I have no idea where to find the certificate for this. How should I verify the certificate chain on the Intel PTT EK certificate?

For example, on AMD they have http://ftpm.amd.com/pki/aia/ and their EK cert comes with authority info that points to their certificate chain and is easily verifiable.

liranper
Employee

Hello @dhdj and @Andox

Starting with 11th gen Core, Intel PTT Endorsement Keys are certified using the Intel ODCA (On Die Certificate Authority) and no longer through the EK Online Provisioning server (EKOP).

In order to walk through the certification path, you will need to obtain the embedded intermediate CAs (EICA) as described in TCG's EK Credential Profile section 2.2.1.5.2 "Handle Values for EK Certificate Chains".

The PTT's EKs are signed by the PTT EICA (as you saw, "CSME ADL PTT 01SVN").

The PTT CA is signed by the CSME Kernel EICA, the Kernel EICA is signed by the CSME ROM EICA, which finally contains an AIA URL to its issuer as you are used to.

As seen in the TCG EK Credential Profile, you will find the PTT, Kernel and ROM EICA in the NV range allocated for the EK chain.

On Windows you can use the optional tpmdiagnostics feature to read the embedded intermediate chain:

# Install TPM Diagnostic tool optional Windows feature:
PS C:\> tpmtool oc add

# Check EICAs exist in NV:
PS C:\> tpmdiagnostics ekchainnv

# Read certificates as text (read all indices in the chain range and stop when an NV index is not defined; in your ADL device, 0x01c00101 should not be defined since the chain fits into one TPM NV index):

PS C:\> tpmdiagnostics ReadNVIndex 0x01c00100 > nv_0x01c00100.txt
PS C:\> tpmdiagnostics ReadNVIndex 0x01c00101 > nv_0x01c00101.txt

Note that the above will output the certificate chain (concatenated ROM || Kernel || PTT EICAs) in text and not in DER/PEM, and you will need some hex editor to convert.

Another option is to look in the registry under:
HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement\IntermediateCACertStore\Certificates

 

Please let me know if this information helps and if you have more questions.

Andox
Novice

Thank you, Liranper, for this information!
I'll look into it and reply here if I encounter any issues.

Best regards

Vikont
New User

Thanks @liranper. Your examples cover Windows. But is there a suggested solution for Linux with any of the available TPM tools packages?

Update #1: After I asked, I figured out how to read the chain with tpm2-tools from the index you mentioned:

> tpm2_nvread -C o 0x01c00100 > ODCA_chain.der
WARN: Reading full size of the NV index

Now, that chain contains several concatenated certificates in DER. I can decode the first one in the chain (which happens to be CSME ADL ROM CA) or convert it to PEM using the OpenSSL conversion command. But how do I convert or decode the rest of the chain? DER binary certificates are not normally concatenated by simply being bundled together like PEM certificates. Even when looking with a hex editor I don't know for sure where one certificate ends and another one begins. Is there a delimiter I could use? A specific offset?

Update #2: 30 82 seems to be a decoded delimiter. The problem is there are more of those than certificates. I was able to manually extract the whole chain but need to find a way to do it programmatically. If you can point me to a less painful way of figuring out the certificate offsets within the NV index, that would be very helpful.

Thanks in advance.
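One way to do the splitting programmatically, added here as an example and not code from anyone in the thread: instead of searching for the bytes 30 82 (which also appear inside each certificate), walk the ASN.1 SEQUENCE length of each certificate in the NV blob, which is the ROM || Kernel || PTT EICA concatenation described above. The sample blob is constructed, not real ODCA data; the script assumes the NV read is exactly the concatenated DER chain plus any 0x00/0xFF padding.

```python
"""Split the back-to-back DER certificates read from the EK chain NV index
(e.g. tpm2_nvread -C o 0x01c00100) by walking ASN.1 lengths, not by
searching for the bytes 30 82, which also occur inside each certificate."""
import base64, sys

def der_length(blob: bytes, offset: int) -> tuple:
    """Return (total_length, header_length) of the SEQUENCE at offset."""
    if blob[offset] != 0x30:
        raise ValueError(f"expected SEQUENCE (0x30) at offset {offset:#x}")
    first = blob[offset + 1]
    if first < 0x80:               # short form: the octet is the length
        return 2 + first, 2
    n = first & 0x7F               # long form: n octets of length follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    content_len = int.from_bytes(blob[offset + 2:offset + 2 + n], "big")
    return 2 + n + content_len, 2 + n

def split_der_chain(blob: bytes) -> list:
    """Return each certificate as its own DER bytes. Trailing 0x00/0xFF NV
    padding is tolerated; any other bytes after the last cert are an error."""
    certs, offset = [], 0
    while offset < len(blob) and blob[offset] == 0x30:
        total, _ = der_length(blob, offset)
        if offset + total > len(blob):
            raise ValueError(f"certificate at {offset:#x} is truncated")
        certs.append(blob[offset:offset + total])
        offset += total
    if any(b not in (0x00, 0xFF) for b in blob[offset:]):
        raise ValueError(f"unexpected data at offset {offset:#x}")
    return certs

def to_pem(der: bytes) -> str:
    """Wrap one DER certificate as PEM for openssl and friends."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample, not real EICAs: two SEQUENCEs with long-form lengths,
# the first nesting another "30 82" element, plus NV padding at the end.
INNER = b"\x30\x82\x00\x04\x02\x02\x01\x02"
CERT1 = b"\x30\x82" + len(INNER).to_bytes(2, "big") + INNER
CERT2 = b"\x30\x82\x00\x03\x02\x01\x07"
SAMPLE_BLOB = CERT1 + CERT2 + b"\xff\xff"

if __name__ == "__main__":
    # Usage: python3 split_chain.py ODCA_chain.der -> eica_0.pem, eica_1.pem, ...
    for i, cert in enumerate(split_der_chain(open(sys.argv[1], "rb").read())):
        open(f"eica_{i}.pem", "w").write(to_pem(cert))
```

Each resulting PEM file can then be inspected with `openssl x509 -in eica_0.pem -noout -text` to read its subject, issuer and AIA extension.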

ACarmona_Intel
Moderator

Hello @dhdj and @Andox,

It seems that @liranper's recommendation has already resolved your issue.

In regards to that, I would like to know if you would like us to close the case for you or if you still need further assistance.

Best regards,

Carmona A.

Intel Customer Support Technician

