TPM

From Teknologisk videncenter
Revision as of 12:49, 1 April 2026 by Heth

TPM - Trusted Platform Module

tpm2_tools (Linux)

endorsement key (EK)

A TPM 2.0 Endorsement Key (EK) certificate is an X.509 certificate, normally provisioned by the TPM manufacturer during production and stored in the chip's non-volatile memory, that attests that a specific endorsement key belongs to a genuine TPM. It gives the device a hardware-backed identity that external parties can check before trusting anything the TPM reports.

Key details about the EK Certificate:

Purpose
The EK is an RSA or ECC key pair that identifies the TPM and is used to prove its legitimacy. The private half is generated inside the TPM from the endorsement primary seed and never leaves it, so only a genuine TPM can exercise the key named in a valid EK certificate.
Issuer
It is typically signed by the TPM manufacturer's certificate authority (CA), certifying the TPM's legitimacy.
Use Cases
It is the trust anchor for remote attestation: a verifier checks that the EK certificate chains to a known TPM manufacturer CA before accepting the device's claims about its state or releasing secrets to it. Because the EK is a decryption-only key, it does not sign attestation quotes itself; quotes are signed by an Attestation Key (AK) created on the TPM, and the verifier binds that AK to the EK by encrypting a challenge to the EK (TPM2_MakeCredential on the verifier side, TPM2_ActivateCredential on the device), which only a TPM holding the EK's private half can recover.
Accessing the Certificate
EK certificates are stored in the TPM's Non-Volatile (NV) memory at the indices reserved by the TCG EK Credential Profile (0x01C00002 for the RSA EK certificate, 0x01C0000A for the ECC EK certificate). Some vendors (Intel, for example) do not write the certificate to NV but serve it from a web service keyed on the EK public key; tpm2_getekcertificate can read the NV indices or query such a server.
Difference from other Keys
The Storage Root Key (SRK) is derived from the storage primary seed, which is replaced when the owner hierarchy is cleared (tpm2_clear), so the SRK can change over the life of the device. The EK is derived from the endorsement primary seed, which survives a clear, so it is effectively permanent and stays bound to the EK certificate. The EK is a restricted decryption key: it is used for decryption (credential activation), not for signing.
 heth@tpm2:~$ sudo tpm2_getekcertificate | od -h
0000000 8230 9c04 8230 8403 03a0 0102 0202 7604
0000020 e292 3095 060d 2a09 4886 f786 010d 0b01
0000040 0005 8130 3183 300b 0609 5503 0604 0213
0000060 4544 2131 1f30 0306 0455 0c0a 4918 666e
....
0003640 b7c4 c27d 04da 3c75 c145 a234 e32b c20f
0003660 9cff 006c

Note that od -h prints the data as 16-bit words in the host's little-endian order, so each pair appears byte-swapped: the first word 8230 is really the bytes 30 82, the start of a DER SEQUENCE with a two-byte length field (04 9c, i.e. 1180 bytes of content, 1184 bytes for the whole certificate). The offsets in the left column are octal: the last one, 0003660, is 1968, so the dump is 1972 bytes long, which is more than one certificate; the output therefore holds more than one DER object, most likely the RSA and ECC EK certificates back to back. For a readable view, dump the bytes in order with od -A x -t x1, or decode a certificate with openssl x509 -inform DER -noout -text, which shows the issuer CA, validity and the EK public key.
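The following is an added example written for this page, not code from tpm2-tools or from the original author. It reassembles the od -h dump above (the first four output lines are pasted in as a constructed sample, 64 bytes) by undoing the little-endian word swap, then walks the leading DER fields of the X.509 certificate by hand: the outer SEQUENCE length, the tbsCertificate length, the version, the serial number, the signature algorithm OID and the issuer RDNs that fit in the truncated sample. The DER walker is an ad hoc one written here; it is not an OpenSSL or tpm2-tools API.

```python
"""Reassemble the od -h dump of an EK certificate and decode its leading DER fields.

Constructed sample: the first four lines of the "tpm2_getekcertificate | od -h"
output shown on this page (64 bytes).  Standard library only.
"""

OD_DUMP = """\
0000000 8230 9c04 8230 8403 03a0 0102 0202 7604
0000020 e292 3095 060d 2a09 4886 f786 010d 0b01
0000040 0005 8130 3183 300b 0609 5503 0604 0213
0000060 4544 2131 1f30 0306 0455 0c0a 4918 666e
"""

# X.509 Name attribute types commonly found in an EK certificate issuer.
ATTR_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}
SIG_ALGS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}


def od_h_to_bytes(dump: str) -> bytes:
    """Undo od -h: every 16-bit word is printed little-endian, so swap it back."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        for word in fields[1:]:            # fields[0] is the octal offset column
            w = int(word, 16)
            out += bytes([w & 0xFF, w >> 8])
    return bytes(out)


def read_tlv(buf: bytes, pos: int) -> tuple:
    """Return (tag, content_length, header_length) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                        # short-form length
        return tag, first, 2
    n = first & 0x7F                        # long form: n length bytes follow
    if pos + 2 + n > len(buf):
        raise ValueError("truncated DER length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n


def decode_oid(raw: bytes) -> str:
    """Decode a BER/DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_prefix(der: bytes) -> dict:
    """Walk Certificate -> tbsCertificate -> version, serialNumber, signature, issuer.

    Tolerates a truncated buffer: issuer RDNs are reported as far as the bytes go,
    and a value cut short by the truncation is flagged with True.
    """
    info = {}
    tag, ln, hl = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is this really DER output?")
    info["cert_len"] = hl + ln              # bytes the whole certificate occupies
    pos = hl
    tag, ln, hl = read_tlv(der, pos)        # tbsCertificate
    info["tbs_len"] = hl + ln
    pos += hl
    tag, ln, hl = read_tlv(der, pos)
    if tag == 0xA0:                         # [0] EXPLICIT version; absent means v1
        _, vln, vhl = read_tlv(der, pos + hl)
        start = pos + hl + vhl
        info["version"] = int.from_bytes(der[start:start + vln], "big") + 1
        pos += hl + ln
        tag, ln, hl = read_tlv(der, pos)
    else:
        info["version"] = 1
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    info["serial"] = int.from_bytes(der[pos + hl:pos + hl + ln], "big")
    pos += hl + ln
    tag, ln, hl = read_tlv(der, pos)        # signature AlgorithmIdentifier
    _, oln, ohl = read_tlv(der, pos + hl)   # its OBJECT IDENTIFIER
    oid = decode_oid(der[pos + hl + ohl:pos + hl + ohl + oln])
    info["sig_oid"], info["sig_alg"] = oid, SIG_ALGS.get(oid, oid)
    pos += hl + ln
    tag, ln, hl = read_tlv(der, pos)        # issuer Name = SEQUENCE OF SET
    issuer_end = pos + hl + ln
    pos += hl
    issuer = []
    while pos < issuer_end:
        try:
            _, sln, shl = read_tlv(der, pos)          # SET (one RDN)
            _, _, phl = read_tlv(der, pos + shl)      # SEQUENCE AttributeTypeAndValue
            q = pos + shl + phl
            _, oln, ohl = read_tlv(der, q)            # attribute type OID
            attr_oid = decode_oid(der[q + ohl:q + ohl + oln])
            q += ohl + oln
            _, vln, vhl = read_tlv(der, q)            # PrintableString / UTF8String
        except ValueError:
            break                                     # dump ends inside a header
        value = der[q + vhl:q + vhl + vln]
        issuer.append((ATTR_NAMES.get(attr_oid, attr_oid),
                       value.decode("utf-8", "replace"), len(value) < vln))
        pos += shl + sln
    info["issuer"] = issuer
    return info


if __name__ == "__main__":
    for key, val in decode_prefix(od_h_to_bytes(OD_DUMP)).items():
        print(f"{key}: {val}")
```

Run against the full dump (paste every od line into OD_DUMP) to see the complete issuer name; on the sample above it stops after C=DE and the first three characters of the O= value, flagging that value as truncated. Because the decoder reads the outer length from the DER header, cert_len also tells you where the first certificate ends and the next object in the tpm2_getekcertificate output begins.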

Links