Manage Host Hardware TPM Endorsement Keys
You can use HTTP requests to retrieve a list of configured TPM endorsement keys on a host and information about each endorsement key. You can also retrieve the TPM event log and unseal a secret that is bound to an endorsement key.

You can retrieve the TPM event log for different purposes, such as configuring firmware trust with an attestation service or validating the boot-time TPM measurements. You can unseal a secret that is bound to an endorsement key to verify reported measurements. For example, you can verify measurements from the TPM event log.

For details about the unsealing operation, see the REST API Reference documentation.

- List configured TPM endorsement keys on a host.
  GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/hosts/<host>/hardware/tpm/<tpm>/endorsement-keys
  You receive the results in the response body. You can use the retrieved information to review the basic information of the available TPM endorsement keys.
- Retrieve detailed information about a specific TPM endorsement key.
  GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/hosts/<host>/hardware/tpm/<tpm>/endorsement-keys/<key>
  You receive the results in the response body. You can use the retrieved information to review the detailed information of the TPM endorsement key.
- Retrieve the event log associated with a TPM device.
  GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/hosts/<host>/hardware/tpm/<tpm>/event-log
  You receive the information in the response body.
- Unseal a secret that is bound to an endorsement key.
  POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/hosts/<host>/hardware/tpm/<tpm>/endorsement-keys/<key>?action=unseal
  You receive a string that contains the unsealed secret.
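As an added example (not VMware's own code), a small Python client that issues the four requests above through an injectable transport, so the URL construction and response handling can be exercised offline against constructed responses. It assumes the caller already holds a vCenter API session ID sent in the vmware-api-session-id header and that the unseal request body (spec) is built as described in the REST API Reference.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, Optional

# transport(method, url, headers, body) -> raw response bytes; swappable in tests
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], bytes]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> bytes:
    """Real HTTPS transport. Assumption: vCenter's certificate validates against
    the system trust store; do not disable verification to make calls succeed."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


class TpmEndorsementKeys:
    """Client for the trusted-infrastructure TPM endorsement-key endpoints."""

    def __init__(self, vcenter: str, session_id: str,
                 transport: Transport = urllib_transport) -> None:
        self.base = f"https://{vcenter}/api/vcenter/trusted-infrastructure/hosts"
        # Session header name is an assumption about the vCenter REST API.
        self.headers = {"vmware-api-session-id": session_id,
                        "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method: str, path: str, body: Any = None) -> Any:
        data = None if body is None else json.dumps(body).encode()
        raw = self.transport(method, self.base + path, self.headers, data)
        return json.loads(raw) if raw else None

    def list_keys(self, host: str, tpm: str) -> Any:
        return self._call("GET", f"/{host}/hardware/tpm/{tpm}/endorsement-keys")

    def get_key(self, host: str, tpm: str, key: str) -> Any:
        return self._call("GET", f"/{host}/hardware/tpm/{tpm}/endorsement-keys/{key}")

    def event_log(self, host: str, tpm: str) -> Any:
        return self._call("GET", f"/{host}/hardware/tpm/{tpm}/event-log")

    def unseal(self, host: str, tpm: str, key: str, spec: Dict[str, Any]) -> str:
        # POST ...?action=unseal; the response body is the unsealed secret string.
        path = f"/{host}/hardware/tpm/{tpm}/endorsement-keys/{key}?action=unseal"
        return self._call("POST", path, spec)
```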