Attestation Methods

The different Confidential Computing architectures of the different manufactures are all supporting attestation/remote attestation. The attestation however is realized differently from each manufacturer. In addition the current attestation methods are also getting extended with virtualized Trusted Platform Modules (TPM) in order to enable a wider range of measurements.

The measurements that are being taken through the means of the manufacturer or the TPM are cryptographically sound and capture a snapshot of the systems configuration for the given moment. Through the hardware embedded keys in the TPM or the processor of the CPU manufactures a user can prove that the measurements have been taken through a trusted entity. Interpreting and trusting the results is up to the verifying user.

In order to cover a wide variety of different use cases different attestation methods will be discussed in the chapter. First of all the raw attestation provides the simplest way of measuring the system configuration for a given CPU vendor however due to being a low-level CPU bound implementation not many measurements are being taken. Extending the initial measurements with Secure Boot allows to verify the boot chain with predefined measurements. Adding a vTPM for taking measurements allows the verifier to also verify everything after the Kernel has been launched and attested through earlier measurements from Secure Boot/Vendor Attestation. Last but not least instead of using a vTPM, which has been implemented through vendor specific means, a paravirtualized TPM can be supplied through standard device drivers while providing the same functionality as a vendor specific vTPM.