Remote Attestation
A reliable system must remain secure and provide verifiable evidence of its security. Remote attestation is a security mechanism based on the hardware RoT. It employs cryptographic techniques to remotely verify the integrity of system hardware and software. Verified integrity values are reported, to provide assurance that the computing environment can be trusted to execute securely.
The measured objects vary depending on the trusted hardware, and may include the underlying firmware, OS kernel, hypervisor, core configurations, and even upper-layer applications. For example, the TPM provides 24 PCRs, where PCR 0 to PCR 7 are generally used in the boot process, while PCRs starting from 8 are used by the OS. PCR 0 records the SRTM and BIOS status, PCR 2 records UEFI driver/application status, and PCR 7 records the secure boot status. PCRs starting from 8 record the kernel status. The trusted hardware collects the actual status of the measured objects and generates measurement evidence (quote) through the hardware RoT signature for remote attestation. To ensure quote timeliness and prevent replay attacks, a user-provided nonce is typically embedded in the quote.
Remote attestation uses the hardware public key certificate to perform cryptographic verification on the quote. By parsing the quote and comparing its hash value with the baseline value, it can determine the authenticity, security, and timeliness of the current environment.
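The following is an added example (not code from the original document) that simulates the flow described above: TPM-style PCR extension during boot, a quote binding the PCR values to a verifier nonce, and a verifier that checks authenticity, timeliness, and integrity against a baseline. All values are constructed, and HMAC under a constructed key stands in for the hardware RoT's asymmetric quote signature so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac

# Constructed key standing in for the hardware RoT's attestation key. HMAC replaces
# the asymmetric quote signature so the example runs on the standard library alone;
# a real verifier checks an RSA/ECDSA signature against the attestation key certificate.
ROT_KEY = b"constructed-root-of-trust-key"

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(chains: dict) -> dict:
    """Replay a boot: each PCR starts at zero and is extended by its events in order.
    chains maps a PCR index to the ordered list of measured components."""
    pcrs = {}
    for index, events in chains.items():
        value = bytes(32)
        for event in events:
            value = pcr_extend(value, event)
        pcrs[index] = value
    return pcrs

def quote_body(pcrs: dict, nonce: bytes) -> bytes:
    """Canonical bytes covered by the signature: selected PCRs plus the verifier nonce."""
    return b"".join(bytes([i]) + pcrs[i] for i in sorted(pcrs)) + nonce

def make_quote(pcrs: dict, nonce: bytes) -> dict:
    """Attester side: sign the PCR values together with the nonce the verifier sent."""
    sig = hmac.new(ROT_KEY, quote_body(pcrs, nonce), "sha256").digest()
    return {"pcrs": pcrs, "nonce": nonce, "sig": sig}

def verify_quote(quote: dict, expected_nonce: bytes, baseline: dict) -> str:
    """Verifier side: authenticity (signature), timeliness (nonce), integrity (baseline)."""
    expected_sig = hmac.new(ROT_KEY, quote_body(quote["pcrs"], quote["nonce"]), "sha256").digest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        return "invalid signature"          # not produced by the RoT, or modified in transit
    if not hmac.compare_digest(quote["nonce"], expected_nonce):
        return "stale nonce"                # replay of an older, genuine quote
    for index, good in baseline.items():
        if not hmac.compare_digest(quote["pcrs"].get(index, b""), good):
            return f"PCR {index} mismatch"  # measured state differs from the known-good value
    return "trusted"
```

Because extend is a hash chain, the same components measured in a different order yield a different PCR value, which is why the baseline must be recorded from a known-good boot of the same sequence.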
Remote attestation can be implemented in various ways, such as Remote Attestation over TLS (RA-TLS), which embeds the quote directly into the TLS certificate to enable one-way or two-way TLS based on attestation. There are also universal remote attestation services, typically consisting of a server and a client, as shown in Figure 1. The client detects the type of trusted hardware and collects the actual runtime state of the current environment. It then generates a quote and sends it to the server, either directly or via a third-party forwarder. The server provides interfaces for external systems to perform cryptographic verification on the quote, applies flexible attestation policies and comparison against baseline values, and generates verification reports.
Remote attestation is a prerequisite for trusted computing. Based on the hardware RoT, it endorses the authenticity and integrity of the trusted environment and serves as its authoritative verifier.
