Format of TPM public EK for DPS

bcb44 86 Reputation points
2021-04-16T17:55:30.087+00:00

I'm trying to use TPM-based enrollment to my IoT Hub. We have a couple of devices already in the field (running Windows IoT Ent), so I've written a basic PS script to get their TPM public EK and enroll them manually in our DPS. The script produces a base64 string of the ASN.1-encoded public key. When I use that value in the Endorsement Key field, I get a Bad Request error with the message: "Endorsement key is invalid, or does not match the Enrollment."

Am I using the wrong format to encode the public key? Is there another easy way to access the TPM public EK formatted as a base64 string?

Here is my script if that's helpful
# Query the TPM's endorsement key information (sha256 variant)
$tpm = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
# PublicKey is ASN.1-encoded; Format() renders it as space-separated hex, so strip the spaces
$hexPub = $tpm.PublicKey.Format($true).Replace(' ', '')
# Turn the hex string back into raw bytes, two characters per byte
$pubBytes = New-Object byte[] -ArgumentList ($hexPub.Length / 2)
for ($i = 0; $i -lt $hexPub.Length; $i += 2) { $pubBytes[$i/2] = [System.Convert]::ToByte($hexPub.Substring($i, 2), 16) }
# Base64 of those DER bytes, pasted into the enrollment's Endorsement Key field
$pubString = [System.Convert]::ToBase64String($pubBytes)

Thanks so much

Azure IoT Hub

Accepted answer
QuantumCache 20,031 Reputation points
2021-04-17T06:40:11.543+00:00

Hello @bcb44, I hope you have already visited the section below.

    IoT Hub Device Provisioning Services\SDK\azure-iot-provisioning-service\TpmAttestation:endorsementKey

    The endorsement key is an encryption key that is permanently embedded in the Trusted Platform Module (TPM) security hardware, generally at the time of manufacture. This private portion of the endorsement key is never released outside of the TPM. The public portion of the endorsement key helps to recognize a genuine TPM. The endorsement key is a base64 encoded value.


