The New Host TPM Endorsement Key Doesn't Match the One Stored in the DB

Before updating the database, the administrator must verify physical reality.

In a secure provisioning workflow, a management server or database (db) records the public portion of the EK ($EK_{pub}$) when a host is first registered. When the host attempts to re-attest or provision new certificates, the server compares the presented EK against the stored record. If the server returns an error stating that the keys do not match, this indicates a fundamental discrepancy between the expected identity and the physical hardware presenting itself.
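The comparison described above, sketched as an added example (not code from any particular attestation product). It assumes the db stores a SHA-256 fingerprint of $EK_{pub}$ per host; `EkRegistry`, its methods and the sample key bytes are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed stand-in bytes for two DER-encoded EK public keys (not real keys).
EK_A_DER = bytes(range(48))
EK_B_DER = bytes(range(1, 49))
EK_A_PEM = (b"-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(EK_A_DER)
            + b"-----END PUBLIC KEY-----\n")

def ek_fingerprint(ek_pub: bytes) -> str:
    """SHA-256 of EK_pub's DER bytes; PEM input is decoded to DER first."""
    if ek_pub.lstrip().startswith(b"-----BEGIN"):
        lines = [ln.strip() for ln in ek_pub.strip().splitlines()]
        body = b"".join(ln for ln in lines if not ln.startswith(b"-----"))
        ek_pub = base64.b64decode(body, validate=True)
    return hashlib.sha256(ek_pub).hexdigest()

class EkRegistry:
    """Hypothetical enrollment db: host_id -> EK_pub fingerprint."""
    def __init__(self):
        self.records = {}   # written at first registration
        self.pending = []   # mismatches awaiting administrator verification

    def register(self, host_id: str, ek_pub: bytes) -> None:
        if host_id in self.records:
            raise ValueError("already registered; use admin_replace")
        self.records[host_id] = ek_fingerprint(ek_pub)

    def check(self, host_id: str, presented: bytes) -> str:
        stored = self.records.get(host_id)
        if stored is None:
            return "unknown-host"
        seen = ek_fingerprint(presented)
        if hmac.compare_digest(stored, seen):
            return "match"
        # Never overwrite on mismatch: keep both values for the investigation.
        self.pending.append({"host": host_id, "stored": stored, "presented": seen})
        return "mismatch"

    def admin_replace(self, host_id: str, ek_pub: bytes, verified_by: str) -> None:
        """Update the record only after someone has checked the hardware."""
        if not verified_by:
            raise PermissionError("record change needs a named verifier")
        self.records[host_id] = ek_fingerprint(ek_pub)
        self.pending = [p for p in self.pending if p["host"] != host_id]
```

Fingerprinting the decoded DER bytes means the same key presented as PEM or DER still matches, so an encoding difference is not reported as a hardware change.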

To minimize the likelihood of TPM Endorsement Key mismatches: Before updating the database

To resolve a TPM Endorsement Key mismatch, consider the following strategies: