You can use HTTP requests to retrieve a list of configured TPM endorsement keys on a host and information about each endorsement key. You can also retrieve the TPM event log and unseal a secret that is bound to an endorsement key.

You can retrieve the TPM event log for different purposes, such as configuring firmware trust with an attestation service or validating the boot-time TPM measurements. You can unseal a secret that is bound to an endorsement key to verify reported measurements, for example, the measurements recorded in the TPM event log. For details about the unsealing operation, see the REST API Reference documentation.

Procedure

  1. List configured TPM endorsement keys on a host.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/hosts/<host>/hardware/tpm/<tpm>/endorsement-keys

    You receive the results in the response body. You can use the retrieved information to review basic information about the available TPM endorsement keys.

  2. Retrieve detailed information about a specific TPM endorsement key.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/hosts/<host>/hardware/tpm/<tpm>/endorsement-keys/<key>

    You receive the results in the response body. You can use the retrieved information to review detailed information about the TPM endorsement key.

  3. Retrieve the event log associated with a TPM device.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/hosts/<host>/hardware/tpm/<tpm>/event-log

    You receive the information in the response body.

  4. Unseal a secret that is bound to an endorsement key.
    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/hosts/<host>/hardware/tpm/<tpm>/endorsement-keys/<key>?action=unseal

    You receive a string that contains the unsealed secret.
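The following is an added example, not VMware's code: it builds the four endpoint URLs from the procedure, sends them with a vCenter session, and replays the returned event log into PCR values so the reported boot-time measurements can be compared with what the TPM itself reports. It assumes the vCenter session login (POST /api/session with basic auth, then the vmware-api-session-id header) and a simplified event-log entry shape (pcr_index, sha256, event_type) that you must map from the fields documented in the REST API Reference.

```python
import base64, hashlib, json
from urllib import request

def login(vcenter, user, password, opener=request.urlopen):
    """POST /api/session with basic auth; vCenter returns the session id as a JSON string."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = request.Request(f"https://{vcenter}/api/session", method="POST",
                          headers={"Authorization": f"Basic {cred}"})
    with opener(req) as resp:  # urlopen verifies the vCenter certificate by default; keep it so
        return json.load(resp)

def tpm_urls(vcenter, host, tpm, key=None):
    """Build the endpoint URLs from steps 1-4 for one host/TPM (and, if given, one key)."""
    root = f"https://{vcenter}/api/vcenter/trusted-infrastructure/hosts/{host}/hardware/tpm/{tpm}"
    urls = {"keys": f"{root}/endorsement-keys", "event_log": f"{root}/event-log"}
    if key is not None:
        urls["key"] = f"{root}/endorsement-keys/{key}"
        urls["unseal"] = f"{root}/endorsement-keys/{key}?action=unseal"
    return urls

def call(url, session_id, body=None, opener=request.urlopen):
    """GET, or POST when a body is given (the unseal spec from the REST API Reference)."""
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(url, data=data, method="POST" if body is not None else "GET",
                          headers={"vmware-api-session-id": session_id,
                                   "Content-Type": "application/json"})
    with opener(req) as resp:
        return json.load(resp)

ZERO_PCR = "00" * 32  # sha256 bank: every PCR starts as 32 zero bytes at reset

def extend(pcr_hex, digest_hex):
    """TPM2_PCR_Extend for the sha256 bank: PCR' = SHA256(PCR || digest)."""
    return hashlib.sha256(bytes.fromhex(pcr_hex) + bytes.fromhex(digest_hex)).hexdigest()

def replay_pcrs(entries):
    """Replay event-log entries into PCR values. The entry shape used here
    (pcr_index, sha256, event_type) is an assumption, not the vCenter schema."""
    pcrs = {}
    for e in entries:
        if e.get("event_type") == "EV_NO_ACTION":  # TCG: informational, never extended
            continue
        pcrs[e["pcr_index"]] = extend(pcrs.get(e["pcr_index"], ZERO_PCR), e["sha256"])
    return pcrs

def compare_pcrs(replayed, reported):
    """PCRs whose replayed value differs from the value the TPM reports; empty means consistent."""
    return {i: (replayed.get(i), v) for i, v in reported.items() if replayed.get(i) != v}
```

A non-empty result from compare_pcrs means the log does not explain the PCR values the TPM reports, so the measurements should not be trusted until the discrepancy is understood.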