Remote Attestation
2 hours ago
- #remote-attestation
- #TPM-security
- #measured-boot
- Remote attestation uses a TPM to cryptographically verify a host's hardware, firmware, kernel, init image, and root filesystem.
- It enables measured boot, which records hashes in PCRs to ensure boot integrity, unlike secure boot that blocks boot.
- Applications include encrypting root filesystems with TPM sealing, issuing mTLS certificates only to attested hosts, and backing TLS certs with TPMs.
- The process involves Endorsement Keys (EK), Attestation Keys (AK), and LDevIDs to prove host legitimacy and tie keys to specific TPMs.
- While not perfect against physical attacks, remote attestation provides a trust foundation for EDR, immutable filesystems, and workload security.