You can use interfaces from the com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm package to retrieve a list of configured TPM endorsement keys on a host and information about each endorsement key. You can also retrieve the TPM event log and unseal a secret that is bound to an endorsement key.
You can retrieve the TPM event log for different purposes, such as configuring firmware trust with an attestation service or validating the boot time TPM measurements. You can unseal a secret that is bound to an endorsement key to verify reported measurements. For example, you can verify measurements from the TPM event log.
Procedure
- List configured TPM endorsement keys on a host by calling the list(java.lang.String host, java.lang.String tpm, EndorsementKeysTypes.FilterSpec filter) method of the EndorsementKeys interface.
- Retrieve detailed information about a specific TPM endorsement key by calling the get(java.lang.String host, java.lang.String tpm, java.lang.String key) method of the EndorsementKeys interface.
- Retrieve the event log associated with a TPM device by calling the get(java.lang.String host, java.lang.String tpm) method of the EventLog interface.
- Unseal a secret that is bound to an endorsement key by calling the unseal(java.lang.String host, java.lang.String tpm, java.lang.String key, EndorsementKeysTypes.UnsealSpec spec) method of the EndorsementKeys interface.