| Crates.io | nitro-tpm-pcr-compute |
| lib.rs | nitro-tpm-pcr-compute |
| version | 1.1.0 |
| created_at | 2025-10-22 16:07:22.749461+00 |
| updated_at | 2025-12-01 13:13:00.469868+00 |
| description | Precompute NitroTPM Platform Configuration Register (PCR) values based on a Unified Kernel Image (UKI) |
| homepage | |
| repository | https://github.com/aws/NitroTPM-Tools |
| max_upload_size | |
| id | 1895909 |
| size | 53,232 |
This utility enables you to precompute NitroTPM Platform Configuration Register (PCR) 4, 7, and 12 values based on a Unified Kernel Image (UKI). These are the same PCR values that are included in the attestation document returned by the NitroTPM. You can use the precomputed PCR values to create AWS KMS key policies that grant or deny key access based on these values. The utility supports PE/COFF images in both standard boot and UEFI Secure Boot environments. In Secure Boot mode, these images can be signed with X.509 certificates. Measurements are precomputed according to the TCG PC Client Platform Firmware Profile Specification.
To precompute measurements for standard boot:
```
cargo run --package nitro-tpm-pcr-compute -- --image <UKI.efi>
```
To precompute measurements with UEFI Secure Boot enabled:
```
cargo run --package nitro-tpm-pcr-compute -- \
    --image <UKI.efi> \
    --PK <PK.esl> \
    --KEK <KEK.esl> \
    --db <db.esl>
```
The utility returns measurements in the following JSON format:
```json
{
  "Measurements": {
    "HashAlgorithm": "SHA384",
    "PCR4": "<hex string>",
    "PCR7": "<hex string>",
    "PCR12": "<hex string>"
  }
}
```
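The following is an added example, not code from the NitroTPM-Tools project: it shows the TPM extend operation that makes a PCR a running SHA384 hash over measured events, then validates output in the JSON format above and compares it with reported PCR values. The function names, the event payloads and the `reported` dictionary (standing in for PCR values taken from an attestation document) are constructed for illustration, and each event digest is simplified to SHA384 of its payload.

```python
import hashlib
import hmac
import json

PCR_LEN = hashlib.sha384().digest_size  # 48 bytes in the SHA384 bank

def pcr_extend(pcr: bytes, event_digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA384(old PCR || event digest)."""
    if len(pcr) != PCR_LEN or len(event_digest) != PCR_LEN:
        raise ValueError("SHA384 bank values must be 48 bytes")
    return hashlib.sha384(pcr + event_digest).digest()

def replay(event_data: list) -> str:
    """Fold constructed event payloads into a PCR that starts at all zeros."""
    pcr = bytes(PCR_LEN)
    for data in event_data:
        pcr = pcr_extend(pcr, hashlib.sha384(data).digest())
    return pcr.hex()

def load_measurements(text: str) -> dict:
    """Parse the utility's JSON output and reject malformed PCR values."""
    m = json.loads(text)["Measurements"]
    if m.get("HashAlgorithm") != "SHA384":
        raise ValueError("unexpected hash algorithm")
    pcrs = {}
    for name in ("PCR4", "PCR7", "PCR12"):
        value = bytes.fromhex(m[name])  # raises ValueError on non-hex input
        if len(value) != PCR_LEN:
            raise ValueError(f"{name} is not a SHA384 digest")
        pcrs[name] = value.hex()  # normalised to lowercase hex
    return pcrs

def mismatched(expected: dict, reported: dict) -> list:
    """Names of PCRs whose reported value differs from the precomputed one."""
    return [n for n, v in expected.items()
            if not hmac.compare_digest(v, reported.get(n, "").lower())]

# Constructed sample data: placeholder events, not the utility's real event list.
EVENTS = {"PCR4": [b"boot-app"], "PCR7": [b"sb-state", b"db"], "PCR12": [b"cmdline"]}
SAMPLE_OUTPUT = json.dumps({"Measurements": {
    "HashAlgorithm": "SHA384", **{n: replay(e) for n, e in EVENTS.items()}}})

if __name__ == "__main__":
    expected = load_measurements(SAMPLE_OUTPUT)
    # Same PCR7 events in a different order yield a different final value.
    reported = dict(expected, PCR7=replay([b"db", b"sb-state"]))
    print(mismatched(expected, reported))
```

Because each extend hashes the previous PCR value together with the new digest, a changed, missing or reordered measurement changes the final value, which is why an exact match against the precomputed values is a meaningful check.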