Approving Trusted TPM for Dell PowerEdge 13G Servers in Windows Host Guardian Service

Disclaimer: Dell does not offer support for Windows Server 2016 at this time. Dell is actively testing and working closely with Microsoft on Windows Server 2016, but since it is still in development, the exact hardware components/configurations that Dell will fully support are still being determined. The information divulged in our online documents prior to Dell launching and shipping Windows Server 2016 may not directly reflect Dell supported product offerings with the final release of Windows Server 2016. We are, however, very interested in your results/feedback/suggestions. Please send them to

To provide a secure environment for virtual machines, Windows Server 2016 has introduced the Guarded Fabric which comprises Host Guardian Service (HGS) and Guarded Hosts hosting a set of shielded VMs. HGS uses the Remote Attestation Service to ensure that only known, healthy hosts can run shielded VMs, and the Key Protection Service to securely release the keys for Shielded VMs.

As recommended, TPM-Trusted attestation (vs. Admin-Trusted attestation, which is weaker) uses UEFI Secure Boot, in conjunction with code integrity measurement, to ensure that the Hyper-V host is healthy and running only trusted code. Dell 13th Generation PowerEdge servers are available for order with TPM 2.0, as a configurable option.

To deploy TPM-Trusted attestation, HGS uses the TPM identifier (EKpub) to determine whether a particular host is authorized on the guarded fabric. Dell TPM 2.0 modules are manufactured with a built-in Endorsement Key (EK) certificate (except TPM 2.0 modules sold in the China market; see the China TPM note at the end of this document). Because the TPM is the root of trust for remote attestation, the genuineness of the TPM module is essential to the whole trust chain. Dell TPM 2.0 modules are fully certified (FIPS, Common Criteria, and Trusted Computing Group) for this scenario.

This blog, coauthored with Qiang Wang (Microsoft Corporation), provides HGS administrators with a walkthrough on how to manually retrieve the TPM EK certificate and its certificate authority chain. After its trustworthiness has been verified, the signing certificate authority is registered with the HGS server for enforcement, i.e., only a host whose TPM 2.0 has an EK certificate that chains to the registered signing certificate authority is allowed to be a Guarded Host. A Dell server also enforces a binding between the TPM module and the server, which prevents the same TPM from being used on multiple Dell servers.

To start this process, first verify that the TPM is a version 2.0 module and that it is ready on the host, using the TPM Management Console (tpm.msc) or by running Get-Tpm in an elevated PowerShell window. If the TPM is not ready or reports "Ready with reduced functionality", run Clear TPM in the TPM Management Console or run the following commands in the PowerShell window. (The system will need to reboot.)

# Bind to the TPM WMI instance; the clear request is issued through $tpm
$tpm = gwmi -class win32_tpm -namespace root/cimv2/security/microsofttpm

In order to validate the TPM EK certificate, a chain of trust is established from a trusted certificate to the EK certificate. The TPM 2.0 on Dell PowerEdge 13G servers does not contain any intermediate certificates in the chain, i.e., the root certificate directly signs the EK certificate. A Windows-logo-compliant EK certificate contains an Authority Information Access (AIA) extension that includes a URL for the issuing Certificate Authority. The AIA extension allows the issuing certificate to be discovered so it can be retrieved. Run the following commands in the elevated PowerShell window on any Guarded Host:

# Retrieve the EK cert
$ekCert = (Get-TpmEndorsementKeyInfo).ManufacturerCertificates

# Obtain the X509 AIA extension (standard OID 1.3.6.1.5.5.7.1.1, Authority Information Access)
$aiaExt = $ekCert.Extensions | where { $_.Oid.Value -eq "1.3.6.1.5.5.7.1.1" }

Figure 1: Retrieve the EK cert

# Retrieve the URL from the AIA extension
$aiaExt.Format($false) -match "URL=([^,]*)"

# Retrieve the root certificate per the URL and save it to a file. You may use any name to save the file on disk.
$caFilePath = "C:\certs\Nuvoton TPM Root CA 1110.cer"
Invoke-WebRequest $matches[1] -OutFile $caFilePath
Figure 2: Retrieve the URL

# Review the root certificate file you obtained (change the file name and path if needed). The screen shot below is a signer certificate from a known good Dell 13th Generation PowerEdge server. You may use it as a reference.

New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]](Get-Content -Encoding Byte "C:\certs\Nuvoton TPM Root CA 1110.cer")) | fl

Figure 3: Review the root certificate

On the HGS server node on which you intend to register and validate the Guarded Hosts, securely transfer the root certificate file you retrieved on the Guarded Host to that node, and import it into the trusted TPM root store with the following commands. This step must be performed after the HGS server node has been initialized by Initialize-HgsServer.

$certStore = "Cert:\LocalMachine\TrustedTpm_RootCA"

# Modify path to the file you created
$caFilePath = "E:\Nuvoton TPM Root CA 1110.cer"

Import-Certificate $caFilePath -CertStoreLocation $certStore

Figure 4: On an HGS server node
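Before the root certificate file is carried to the HGS node and imported, it is worth confirming on the Guarded Host that the file fetched from the AIA URL really is the signer of this TPM's EK certificate. The following is an added example (not code from the Dell/Microsoft article); it assumes Windows PowerShell 5.1 on the Guarded Host, the $caFilePath used above, and an optional -ExpectedThumbprint placeholder for the thumbprint you reviewed in Figure 3.

```powershell
# Added example, not from the article: check that the downloaded root signs this TPM's EK cert.
# Assumes Windows PowerShell 5.1 on the Guarded Host; -ExpectedThumbprint is a placeholder.
function Test-EkCertSigner {
    param(
        [Parameter(Mandatory)] [string] $CaFilePath,
        [string] $ExpectedThumbprint = ''
    )
    $ekCert = (Get-TpmEndorsementKeyInfo).ManufacturerCertificates | Select-Object -First 1
    if (-not $ekCert) { throw 'This TPM carries no EK certificate (see the China TPM note).' }

    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaFilePath

    # Dell 13G TPMs have no intermediates, so the root must sign the EK cert directly.
    $checks = [ordered]@{
        'root is self-signed'         = ($root.Subject -eq $root.Issuer)
        'EK cert issuer equals root'  = ($ekCert.Issuer -eq $root.Subject)
        'root thumbprint as reviewed' = ([string]::IsNullOrEmpty($ExpectedThumbprint) -or
                                         $root.Thumbprint -eq $ExpectedThumbprint)
    }

    # Build the chain with the downloaded root as the only candidate issuer. It is not yet
    # trusted on this host, so UntrustedRoot is the one status we tolerate; a bad signature,
    # expiry or any other status fails the check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void] $chain.ChainPolicy.ExtraStore.Add($root)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void] $chain.Build($ekCert)
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $other = @($chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' })
    $checks['chain ends at the downloaded root']        = ($top.Thumbprint -eq $root.Thumbprint)
    $checks['no chain status other than UntrustedRoot'] = ($other.Count -eq 0)

    foreach ($c in $checks.GetEnumerator()) { Write-Host ('{0,-45} {1}' -f $c.Key, $c.Value) }
    return -not ($checks.Values -contains $false)
}

# Import the root on the HGS node only when this returns True
Test-EkCertSigner -CaFilePath "C:\certs\Nuvoton TPM Root CA 1110.cer"
```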

The above procedure is required for each TPM model. All Dell 13th Generation PowerEdge servers share the same TPM model, with the exception of the China market. Therefore, you only need to do it once for your entire Dell Guarded Host fabric.

Your HGS server can now validate the host identity (EKpub) captured from your TPM 2.0-enabled Dell servers and add them to the Attestation service in HGS.
  • To obtain the EKpub, run the following on the Guarded Host:
    (Get-PlatformIdentifier -Name MyGuardedHost).Save("C:\MyGuardedHost.xml")
  • Copy the EKpub file, e.g., C:\MyGuardedHost.xml, to the HGS server or servers. This must be done for every Guarded Host, so give each server's EKpub file a unique name.
  • Run the following command on the HGS server to add the Dell server as a TPM-trusted guarded host to the Attestation service in HGS:
    Add-HgsAttestationTpmHost -Path MyGuardedHost.xml -Name MyGuardedHost
    # Verify the added TPM-trusted guarded host

    Figure 5: TPM-trusted guarded host
  • Repeat these steps for each Guarded Host system.
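The per-host steps above can be run in one pass on the HGS server once all EKpub files have been copied over. The following is an added example (not code from the article); it assumes the EKpub XML files were copied to C:\EKpub (a placeholder folder) and that each file is named after its host.

```powershell
# Added example, not from the article: register every EKpub file in a folder on the HGS server,
# using each file's base name as the host name so registrations stay unique, then list the result.
# Assumes the EKpub XML files were copied to C:\EKpub (placeholder folder).
function Register-DellGuardedHosts {
    param([Parameter(Mandatory)] [string] $EkPubFolder)

    $known = @(Get-HgsAttestationTpmHost | ForEach-Object { $_.Name })
    foreach ($file in Get-ChildItem -Path $EkPubFolder -Filter *.xml) {
        $hostName = $file.BaseName
        if ($known -contains $hostName) {
            Write-Host "Skipping $hostName (already registered)"
            continue
        }
        # Registration fails unless this host's EK certificate chains to a root in
        # Cert:\LocalMachine\TrustedTpm_RootCA; leave -Force out so that check stays on.
        Add-HgsAttestationTpmHost -Path $file.FullName -Name $hostName
        Write-Host "Registered $hostName from $($file.Name)"
    }

    # Verify the TPM-trusted guarded hosts now known to the Attestation service
    Get-HgsAttestationTpmHost | ForEach-Object { $_.Name }
}

Register-DellGuardedHosts -EkPubFolder 'C:\EKpub'
```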
Note on China TPM:

On the PowerEdge servers shipped in China, the TPM 2.0 modules do not contain a built-in EK certificate due to Chinese government regulations. In this case, you may use a third-party service to certify the EKpub, or simply skip the EK certificate validation with "-Force" if the setup is deemed to be secure.

Add-HgsAttestationTpmHost -Path MyGuardedHost.xml -Name MyGuardedHost -Force

Follow the instructions in Step-by-Step Guide: Deploy Guarded Hosts and Shielded Virtual Machines to complete the deployment of the Guarded Fabric. Together, Windows Server 2016 and Dell PowerEdge servers with TPM 2.0 can enable you to build a secured datacenter solution that protects your tenants' workloads from host administrators and from a possibly tampered-with datacenter environment.

Article ID: SLN311421

Last Date Modified: 08/17/2018 04:28 AM
