Skip to content

doc: add TPM deployment walkthrough and reference architecture#6775

Open
Pittu-Sharma wants to merge 5 commits into
spiffe:mainfrom
Pittu-Sharma:doc-tpm-deployment-walkthrough
Open

doc: add TPM deployment walkthrough and reference architecture#6775
Pittu-Sharma wants to merge 5 commits into
spiffe:mainfrom
Pittu-Sharma:doc-tpm-deployment-walkthrough

Conversation

@Pittu-Sharma

Copy link
Copy Markdown

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality
Documentation for TPM-based node attestation (non-Kubernetes).

Description of change
Created doc/tpm_deployment_walkthrough.md to provide a comprehensive reference architecture and redundant setup guide for SPIRE on TPM 2.0. Updated doc/using_spire.md with a link to the new guide for easy discoverability.

Which issue this PR fixes
fixes #5291

Signed-off-by: pittu sharma <pittusharma47@gmail.com>
@Pittu-Sharma

Copy link
Copy Markdown
Author

Hi maintainers, I have added the TPM deployment walkthrough and reference architecture. Please review when convenient. Thanks!

@sorindumitru

Copy link
Copy Markdown
Member

Thanks @Pittu-Sharma for opening this PR. Some initial thoughts:

  • Some of this could leave in the plugin configuration for tpm_devid (agent and server)
  • Could you also expand a bit on section 1 on how the certificates can be provisioned for the nodes? That is an important step in configuring the plugin.
  • Could you also mention why you need a registration entry created (or state that it is optional)?

Signed-off-by: pittu sharma <pittusharma47@gmail.com>
Comment thread doc/tpm_deployment_walkthrough.md Outdated

Before configuring SPIRE, each node's TPM must be provisioned with a Local Device Identifier (LDevID) out-of-band. This process typically involves:

1. **Key Generation**: Using a tool like `tpm2-tools`, generate an asymmetric key pair securely within the TPM. The private portion of the key never leaves the hardware.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should have more detailed information here, exactly what commands should you run to generate the right key.

@sorindumitru sorindumitru Apr 18, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Pittu-Sharma, checking in to see if you are still planning on addressing this.

@MarcosDY MarcosDY added this to the 1.15.1 milestone May 12, 2026
@sorindumitru
sorindumitru enabled auto-merge May 21, 2026 07:05
@sorindumitru
sorindumitru disabled auto-merge May 21, 2026 07:05
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Copilot AI review requested due to automatic review settings June 6, 2026 18:08

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new non-Kubernetes TPM 2.0 deployment guide and links it from existing SPIRE docs to improve discoverability and provide an end-to-end reference for TPM-based node attestation.

Changes:

  • Added doc/tpm_deployment_walkthrough.md describing a TPM-based redundant SPIRE deployment and provisioning flow.
  • Linked the walkthrough from doc/using_spire.md.
  • Added “Prerequisites” sections in the agent/server tpm_devid plugin docs linking to the walkthrough.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

File Description
doc/using_spire.md Adds a “TPM” section linking to the new walkthrough for discoverability.
doc/tpm_deployment_walkthrough.md New TPM deployment/provisioning walkthrough and reference architecture notes.
doc/plugin_server_nodeattestor_tpm_devid.md Adds prerequisites and cross-link to the walkthrough from the server plugin doc.
doc/plugin_agent_nodeattestor_tpm_devid.md Adds prerequisites and cross-link to the walkthrough from the agent plugin doc.

Comment thread doc/tpm_deployment_walkthrough.md Outdated
Comment on lines +13 to +14
- **Agent Nodes**: Physical or virtual infrastructure with `/dev/tpm0`
available.
Comment thread doc/tpm_deployment_walkthrough.md Outdated

## Requirements

- **TPM 2.0 hardware**: Accessible via `/dev/tpm0`.
Comment thread doc/tpm_deployment_walkthrough.md Outdated
Comment on lines +20 to +21
- **Pre-provisioned DevID**: Key blobs and certificates must be on-node before
starting the agent.
Comment thread doc/tpm_deployment_walkthrough.md Outdated
Comment on lines +133 to +136
(in dev shell) # ./bin/spire-server entry create \
-spiffeID spiffe://example.org/node/primary \
-node \
-selector tpm_devid:subject:cn:node-01.example.org
Comment thread doc/tpm_deployment_walkthrough.md Outdated
Comment on lines +139 to +146
## Scaling and Recovery

**Horizontal Scaling**: Add server instances to the cluster by pointing them
to the same datastore. Scale agents by provisioning new TPM-backed nodes.

**Trust Recovery**: If an agent's certificate expires or the node is wiped,
re-provision the TPM and refresh the agent's identity. The agent will
re-attest using the new hardware-bound DevID on its next cycle.
Comment on lines +11 to +13
The server must be configured with the CA certificate(s) that signed the agents'
LDevID certificates (`devid_ca_path`). These are the same CA certificates used
during the out-of-band node provisioning process. See the
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>

@sorindumitru sorindumitru left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I follow the guide I get:

unable to start a new TPM session: cannot load DevID key on TPM: tpm2.DecodePublic failed: decoding TPMT_PUBLIC: unexpected EOF

-r /opt/spire/conf/agent/devid.priv.blob \
-c /tmp/devid.ctx

tpm2_evictcontrol -C o -c /tmp/devid.ctx 0x81000001

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there some way to figure out the right 0x81000001 value to use? I had to use a different once since this one was already in use:

WARNING:esys:src/tss2-esys/api/Esys_EvictControl.c:330:Esys_EvictControl_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_EvictControl.c:114:Esys_EvictControl() Esys Finish ErrorCode (0x000001c4)
ERROR: Esys_EvictControl(0x1C4) - tpm:parameter(1):value is out of range or is not correct for the context
ERROR: Unable to run tpm2_evictcontrol

@MarcosDY MarcosDY modified the milestones: 1.15.2, 1.15.3 Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Documentation / deployment walk through for SPIRE on TPM.

4 participants