Hi everyone, I’m new to IronClaw and have been testing the provisioning process in our dev environment. I keep hitting a roadblock when trying to initialize a new key inside the enclave.
The specific error in the logs is: `Provisioning failed: invalid platform state (code: 0x8007)`. I’m using the standard key provisioning template from the docs. Our setup is a single-node test on Azure Confidential Compute with the necessary attestation provider configured.
Could this be related to the attestation quote validation failing? Or is it more likely an issue with the sealed storage prerequisites? I’m particularly concerned because if this is a platform configuration problem, I need to understand the compliance implications for our audit trail. Does this error mean the enclave wasn’t in a measurable state, and if so, how should that be documented for GDPR/audit purposes?
Any guidance on the specific checks to run or logs to review would be really helpful. I want to make sure we’re not missing a step that affects the integrity of the key lifecycle from the start.
- Connie
The `0x8007` code is almost certainly the TPM error `TPM_RC_INITIALIZE`. You're right to focus on platform state, but it's more fundamental than just quote validation. Before we even get to attestation, the TPM itself must be in a state ready for provisioning operations.
You need to verify the TPM's initialization state on your Azure Confidential Compute node. That error suggests either the TPM hasn't been properly started, or the software stack is trying to provision a key before the TPM has finished its own internal startup sequence. Check the kernel logs for TPM driver events around the time of the failure; look for any errors during the early boot phase.
For your audit trail question: a failed provision due to platform state is a control failure. You must log the event, the root cause (uninitialized TPM), and the corrective action taken. This demonstrates your monitoring caught a system that wasn't in a trustworthy state before key generation. That's a positive for compliance, not a negative, provided it's documented.
Trust but verify the threat model.
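The kernel-log check described in the reply above, written out as an added example; this is not code from the thread, from IronClaw, or from Azure. It assumes dmesg-style `[ seconds ]` timestamps and the Linux TPM driver's `A TPM error (N) occurred` message format, treats anything before `EARLY_BOOT_SECS` as early boot, and runs over a constructed log excerpt so it can be tried offline. The `tpm_node_check` function is the only part that touches a live host.

```shell
#!/bin/sh
# Added example: pull TPM driver events out of kernel-log text and flag the
# ones that fired during early boot, which is where an uninitialised TPM
# (TPM2_Startup not yet run, self test failed) shows up first.
# Assumptions (not from the thread): dmesg "[ seconds ]" prefixes and the
# Linux driver's "A TPM error (N) occurred <what>" message format.

EARLY_BOOT_SECS=${EARLY_BOOT_SECS:-30}   # assumed cut-off for "early boot"

# Constructed sample dmesg excerpt for offline use; not captured from a real node.
SAMPLE_DMESG='[    1.204512] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 22)
[    1.251017] tpm tpm0: A TPM error (256) occurred attempting the self test
[    1.251030] tpm tpm0: TPM self test failed
[   42.118204] tpm tpm0: A TPM error (2314) occurred continue selftest
[   43.000100] usb 1-1: new high-speed USB device number 2 using xhci_hcd'

# Every TPM-related kernel log line on stdin (driver probe, errors, self test).
tpm_lines() {
    grep -i 'tpm'
}

# One "<seconds> <decimal_code>" pair per "A TPM error (N) occurred" line on stdin.
tpm_error_events() {
    sed -nE 's/^\[ *([0-9]+)\.[0-9]+\] .*A TPM error \(([0-9]+)\) occurred.*/\1 \2/p'
}

# Number of TPM errors whose timestamp is below EARLY_BOOT_SECS.
tpm_early_boot_error_count() {
    tpm_error_events | awk -v limit="$EARLY_BOOT_SECS" '$1 < limit { n++ } END { print n + 0 }'
}

# Render a decimal TPM response code the way the TPM 2.0 spec lists it (hex).
tpm_rc_hex() {
    printf '0x%04X\n' "$1"
}

# Live check for the node itself; needs a Linux host with a TPM and, optionally,
# tpm2-tools. TPM2_PT_STARTUP_CLEAR from tpm2_getcap reports the startup state.
tpm_node_check() {
    if [ -d /sys/class/tpm/tpm0 ]; then
        echo "tpm0 present, version major: $(cat /sys/class/tpm/tpm0/tpm_version_major 2>/dev/null || echo unknown)"
    else
        echo "no tpm0 under /sys/class/tpm"
    fi
    if command -v tpm2_getcap >/dev/null 2>&1; then
        tpm2_getcap properties-variable | grep -A5 -i 'STARTUP_CLEAR' || true
    fi
    echo "TPM error events in the live kernel log (seconds code):"
    dmesg 2>/dev/null | tpm_error_events
}

# Demo over the constructed excerpt; pass --live to inspect the current host too.
echo "TPM-related lines:"
printf '%s\n' "$SAMPLE_DMESG" | tpm_lines
echo "TPM errors (seconds code hex):"
printf '%s\n' "$SAMPLE_DMESG" | tpm_error_events | while read -r secs code; do
    echo "$secs $code $(tpm_rc_hex "$code")"
done
echo "early-boot TPM errors: $(printf '%s\n' "$SAMPLE_DMESG" | tpm_early_boot_error_count)"
[ "${1:-}" = "--live" ] && tpm_node_check
```

On a real node, run it with `--live` and keep the output alongside the failed provisioning event: the timestamps and codes are what the audit record needs to tie the `0x8007` failure back to a TPM that had not finished its own startup.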