Add configuration to enable NitroTPM support when registering an AMI

[alex-torok]

Description

NitroTPM support allows an AMI to be used with instances that have a virtual TPM module for securely storing secrets and providing secure boot. According to AWS docs, TPM support must be enabled as an option when the AMI is registered.

Use Case(s)

Supporting using TPM on EC2.

Potential configuration

source "amazon-ebs" "my_ami" {
  ...
  tpm_support = "v2.0"
  ...
}

Potential References

• AWS docs about Registering an AMI with TPM support through the aws CLI
• I'm guessing the change will need to happen when the AMI is registered here. I was looking for a way to set this for the ebs builder, but it looks like that one does not perform the RegisterImage step. I'm not familiar with the intricate details of how building/registering an AMI works, so perhaps it isn't possible to set this when building an AMI from another AMI?
• I believe that the option that will need to be set is RegisterImageInput.TpmSupport = "v2.0"

[ccravens]

Great feature suggestion, I think I'm gonna give this a shot at this fork here: https://github.com/ossys/packer-plugin-amazon

[ccravens]

Ok I added some updates on a tpm_support branch. I am by no means a packer plugin developer expert. It builds, I haven't tested yet, but I will sometime in the next few days, if you all wanna clone and take a look feel free thanks!

[ccravens]

PR Submitted: https://github.com/hashicorp/packer-plugin-amazon/pull/339

[glachac-safelishare]

This doesn't work for the ebs builder yet, only chroot, instance and surrogate with PR #379. Should this still be open since the initial request was for ebs builder?

[lbajolet-hashicorp]

Hi @glachac-safelishare,

Good call, the issue was automatically closed when we merged the PR for the other builders, I agree though that it would be good for EBS to support it eventually. Right now we're stuck a bit because of how we create AMIs using this builder, since we're using CreateImage instead of snapshotting + RegisterImage.

For similar problems in the past, we've had Amazon add the capability to other API calls, which we can then leverage for EBS. Alternatively, we could also look into supporting this workflow for the builder as well, but as I mentioned in the PR, I would tread carefully with this approach since it would be easy to break builds when we do.

All in all, I'll reopen this issue so we can keep an eye on it for EBS, and we can decide the approach later.

Thanks for pinging us on this!

[eamonnlambda]

Hi, all.

Has any progress been made towards building AWS images with TPMs (specifically with the EBS builder)? Is this something that would be open to contributions?

Thanks

[lbajolet-hashicorp]

Hi @eamonnlambda,

Unfortunately there's no changes on the AWS API that allow us to add this attribute to the commons without changing how we publish the AMI, since the ebs builder relies on CreateImage instead of RegisterAMI, and only the latter accepts the NitroTPM attribute.

One way to support this would be to change how the ebs builder publishes its images to use a snapshot+register workflow, but this may have some consequences on the permissions required for building images, we'd need to double-check that to ensure we don't inadvertently break how users build their images.

We are open to contributions however if you want to draft something along those lines, we'll happily review!

Thanks

[lorengordon]

One way to support this would be to change how the ebs builder publishes its images to use a snapshot+register workflow, but this may have some consequences on the permissions required for building images, we'd need to double-check that to ensure we don't inadvertently break how users build their images.

Would definitely need to make sure the product codes associated with the source image are preserved using a snapshot+register method. AWS suggests they might, but then clearly states to use CreateImage to preserve the product code.

AWS Marketplace product codes

If any snapshots have AWS Marketplace product codes, they are copied to the new AMI.

Windows and some Linux distributions, such as Red Hat Enterprise Linux (RHEL) and SUSE Linux Enterprise Server (SLES), use the Amazon EC2 billing product code associated with an AMI to verify the subscription status for package updates. To create a new AMI for operating systems that require a billing product code, instead of registering the AMI, do the following to preserve the billing product code association:

• Launch an instance from an existing AMI with that billing product code.
• Customize the instance.
• Create an AMI from the instance using CreateImage.

[lbajolet-hashicorp]

And this right here is why we're cautious about bringing about those changes. Thanks @lorengordon for the heads-up, that would have never crossed my mind for sure.