Open travier opened 2 years ago
What specifically are you thinking for "enable" here? I think it'd make sense to test that tpm2 bound LUKS works for sure.
Are you suggesting we switch to Secure Boot/UEFI mode by default? Looking at the docs there it's quite interesting, seems to be oriented towards enrolling user-managed keys. I like that direction.
Oh I see, we do need to opt-in on our AMIs for tpm2: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-support-on-ami.html
What specifically are you thinking for "enable" here?
I don't really know thus the reason why I created this issue: to track things and try to figure it out 🙂. Testing would be great indeed!
UEFI Measured Boot is just one use case. Another use case: using the AWS VMs for performing data sealing/unsealing (typically what TPM v2.0's offer today are bit too vast) especially in context of an HSM offered security.
I found out that currently, FCOS on Azure and GCP provides TPMs off the shelf, accessible via /dev/tmp0
directly. So we can run trusted execution environment (TEE) based software on a FCOS in these other cloud providers but not on AWS.
If I understand https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-support-on-ami.html correctly, this means either setting UEFI+TPM for all our AMIs (not sure about compatibility) or publishing another AMI with those options set (not great).
@davdunc Do you know if all instance types on AWS support UEFI/TPM?
Describe the enhancement
Some (all?) AWS instance types now support TPM, UEFI & Secure Boot: https://aws.amazon.com/about-aws/whats-new/2022/05/amazon-ec2-nitrotpm-uefi-secure-boot/. Let's enable that for FCOS as possible.
System details