The Pursuit of HAPPY…. Uhhh TPM AMD Happyness (Part 3)


This blog will hopefully give you some inside information on the issues you can run into when using AMD TPM attestation with Windows Autopilot for pre-provisioned deployments!

I will divide this blog into multiple parts:

  1. The famous AMD AIK does not exist error
  2. Taking a better look at the AMD EKCert
  3. Taking a better look at the Key-Id’s
  4. Taking a better look at the Certificate Flow
  5. Let me correct something!
  6. Sources used
  7. Conclusion

1. The famous AIK does not exist error

AKA:

  - 0x800705b4, or
  - Something Went Wrong, or
  - 0x81039024, or
  - The authority amd-keyid-578c545f796951421221a4a578acdb5f682f89c8.microsoftaik.azure.net does not exist

Let's start by taking a good look at the CertReq_enrollaik_output.txt file, because troubleshooting TPM attestation errors begins with running the MdmDiagnosticsTool!

When you have exported the log, open it. I guess everyone who is trying to perform a white glove... ahh damn... Windows Autopilot for pre-provisioned deployments (WAPD from now on) will see the same AIK URL failing.


So what's up with that? It is somewhat strange that this AIK service URL is failing for everyone, isn't it?

2. Taking a better look at the AMD EKCert

In part 2 of the TPM happyness blog series I showed you how to export the EKCert.

When you want to export the EKCert on an AMD device, the command line to export it is slightly different:

(Get-TpmEndorsementKeyInfo).AdditionalCertificates | ForEach-Object -Process { Set-Content -Value $_.RawData -Encoding Byte -Path "$($_.Thumbprint).crt" -Force }

You can see it for yourself by running Get-TpmEndorsementKeyInfo -Hash "sha256". Instead of ManufacturerCertificates you will notice the certificates are listed under AdditionalCertificates.


Now let's take a look at the EK certificate itself.


That's a completely different CA from the one we saw earlier, of course!

3. Taking a better look at the Key-IDs

So we have two CA issuer key IDs.

The first one: 578c545f796951421221a4a578acdb5f682f89c8

The second one: 52fb59e29aa83a962fb9eef0fe5b4811de6b751e

The first one: 578c545f796951421221a4a578acdb5f682f89c8

Now take a good guess at what the first CA issuer ID stands for.

As shown above, this certificate is the AMD TPM Root CA.

The second one: 52fb59e29aa83a962fb9eef0fe5b4811de6b751e

And now for the second one!

As shown above, this is the PRG-RN intermediate certificate (AMD-fTPM-RSA-ICA-RNFamily).

4. Taking a better look at the certificate flow

Like I also did for the Intel TPM and discrete TPMs, here is the flow with an AMD (f)TPM.

Now that we have seen the flow, I am going to ask you a simple question.... Which cert do we need?


Yes!!! The intermediate one! So why the hell are we building an AIK URL that points at the AMD Root AIK service? That's totally not right.

Just open your browser and try both of them to see what happens!

AMD Root CA

Intermediate Root CA
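To see the two key IDs from section 3 and the AIK hostnames built from them side by side, without clicking through certificate dialogs, here is an added diagnostic script (my own example, not code from the original post). It assumes Windows PowerShell 5.1 on the AMD device with the TrustedPlatformModule and DnsClient modules available, and that the amd-keyid-<id>.microsoftaik.azure.net hostname pattern from the log is the only one in play.

```powershell
# Added example, not from the original post. Windows PowerShell 5.1, elevated, on the AMD device.
# Reads the EK certificates returned by Get-TpmEndorsementKeyInfo, pulls the Subject Key Identifier
# (SKI) and Authority Key Identifier (AKI) out of each, builds the candidate AIK service hostname
# for every key id found, and checks which of those hostnames actually resolves in DNS.
$AikSuffix = 'microsoftaik.azure.net'   # taken from the failing URL in CertReq_enrollaik_output.txt
$Vendor    = 'amd'                       # hostname prefix seen in that URL; assumed constant for AMD

function Get-KeyIdHex {
    # Returns the key id carried by the SKI (2.5.29.14) or AKI (2.5.29.35) extension as lowercase
    # hex, parsed from the raw DER. Assumes the key id itself uses a short-form length (it is 20 bytes).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return $null }
    $raw = $ext.RawData
    if ($Oid -eq '2.5.29.14') {             # SKI ::= OCTET STRING              -> 04 <len> <keyid>
        if ($raw[0] -ne 0x04) { return $null }
        $len = $raw[1]; $start = 2
    } else {                                # AKI ::= SEQUENCE { [0] keyid ... } -> 30 <len> 80 <len> <keyid>
        if ($raw[0] -ne 0x30) { return $null }
        $i = 1; if ($raw[$i] -ge 0x80) { $i += ($raw[$i] -band 0x7f) }; $i++   # skip SEQUENCE length
        if ($raw[$i] -ne 0x80) { return $null }                                 # keyIdentifier is [0]
        $len = $raw[$i + 1]; $start = $i + 2
    }
    return (($raw[$start..($start + $len - 1)] | ForEach-Object { $_.ToString('x2') }) -join '')
}

$ekInfo = Get-TpmEndorsementKeyInfo -Hash 'sha256'
# Intel/discrete TPMs populate ManufacturerCertificates, AMD fTPMs populate AdditionalCertificates.
$certs  = (@($ekInfo.ManufacturerCertificates) + @($ekInfo.AdditionalCertificates)) | Where-Object { $_ }

$keyIds = @{}
foreach ($c in $certs) {
    $ski = Get-KeyIdHex -Cert $c -Oid '2.5.29.14'
    $aki = Get-KeyIdHex -Cert $c -Oid '2.5.29.35'
    [pscustomobject]@{ Subject = $c.Subject; Issuer = $c.Issuer; SKI = $ski; AKI = $aki } | Format-List
    if ($ski) { $keyIds[$ski] = "SKI of $($c.Subject)" }
    if ($aki) { $keyIds[$aki] = "AKI (issuer key id) of $($c.Subject)" }
}

# Try every key id as an AIK service hostname. The key id of the EKCert's issuer (the intermediate)
# is the one to compare against the root's key id, which the log shows Windows using and which "does not exist".
foreach ($id in $keyIds.Keys) {
    $hostName = "$Vendor-keyid-$id.$AikSuffix"
    $resolves = [bool](Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue)
    "{0,-72} {1,-9} {2}" -f $hostName, $(if ($resolves) { 'EXISTS' } else { 'NOTFOUND' }), $keyIds[$id]
}
```

The output lists every certificate the TPM hands out with its own key id and its issuer's key id, and then shows which amd-keyid hostname resolves, so you can tell from one run whether the device is building its AIK URL from the root or from the intermediate.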

5. Let me correct something

Sometimes it’s late and you are tired and your brains just stop working…


In the tweet I posted, I was asking myself what happens with AIK services that are older than one year. Normally certificates are only valid for 1 year, so I had the stupid idea that this could be the reason why AMD wasn't working!... stupid me...

That's totally not the case, because the AIK certificates or signers are only replaced when they are revoked somehow. When they are revoked, the new, up-to-date, non-revoked certificate is normally updated automatically.

6. Sources used

I can be quick about this... my own TPM blogs. Learning about what happens with the TPM during attestation and how the AIK is built showed me what to look for. Hopefully this blog series showed you what to look out for!

7. Conclusion

So Microsoft/Windows is looking at the wrong cert to get the issuer ID: for Intel it needs to look at the ODCA intermediate certificate, but for AMD it has to look at the EKCert to get the right issuer ID.


Again, Microsoft is aware of this issue and is working on a fix, so have patience. Just like with the Intel Tiger TPM that got fixed with the KB5007253 update!

If you are interested in the whole Attestation series, go and check them out!

Attestation and Compliance Series – Call4Cloud

2 thoughts on "The Pursuit of HAPPY…. Uhhh TPM AMD Happyness (Part 3)"

  1. How long until they fix it I guess is the next question. I know we just got the first patches for Ryzen on Win 11. I was hoping they would have bundled it in there but no luck.
