Attestation

Learn the basic concept of remote attestation.

Introduction

Have you ever asked yourself how to verify over the Internet that a workload really is running in an enclave? You can't go to the data center, knock on the door, and scrutinise the servers running the workload. With confidential computing, security processors can act as attestors/auditors and measure the workload.

Each processor has a certified identity from the CPU manufacturer, which makes it possible to verify that the security processor is trusted. The CPU audits the workload by measuring its integrity and issues an attestation report. Technically, the vHSM CLI System shim retrieves the attestation report and sends it to Nitride for validation.

What is Attestation?

In the context of computer security, attestation refers to the process of verifying the trustworthiness of a platform or system. It's essentially a way for one entity to gain confidence that another entity is genuine and operates as expected.

Here's a breakdown of the attestation process:

  1. Establishing a Root of Trust: There needs to be a starting point, a trusted entity that everyone can rely on. This could be a cryptographic key held by a trusted manufacturer or a pre-installed security module on the device.

  2. Building a Chain of Trust: Using cryptography, the root of trust signs other keys or pieces of information. These signed elements become trusted because of their connection to the verified root. This creates a chain of trust where each link verifies the one below it.

  3. Verification by the Requesting Entity: The entity seeking to verify the platform obtains the public keys or certificates associated with the chain of trust. It then cryptographically verifies the signatures, working its way back to the trusted root.

By successfully completing this verification, the requesting entity gains assurance about the platform's trustworthiness.
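
The three steps above as an added Go example (not code from vHSM or Nitride): a pinned root key signs a device key, the device key signs a report, and the verifier walks the signatures back to the root. Raw Ed25519 keys stand in for the manufacturer's certificates, and the `Link` type, the function names and the report contents are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Link is one element of the chain: a payload signed by the key above it.
type Link struct {
	Payload []byte // next public key, or the report in the last link
	Sig     []byte
}

// VerifyChain checks each signature starting from the pinned root key and
// returns the last payload (the report) only if every link verifies.
func VerifyChain(root ed25519.PublicKey, chain []Link) ([]byte, error) {
	if len(chain) == 0 || len(root) != ed25519.PublicKeySize {
		return nil, errors.New("empty chain or malformed root key")
	}
	key := root
	for i, l := range chain {
		if !ed25519.Verify(key, l.Payload, l.Sig) {
			return nil, fmt.Errorf("link %d: bad signature", i)
		}
		if i < len(chain)-1 { // intermediate link: payload is the next key
			if len(l.Payload) != ed25519.PublicKeySize {
				return nil, fmt.Errorf("link %d: not a public key", i)
			}
			key = ed25519.PublicKey(l.Payload)
		}
	}
	return chain[len(chain)-1].Payload, nil
}

// BuildDemo constructs a sample chain: root key -> device key -> report.
func BuildDemo(report []byte) (ed25519.PublicKey, []Link) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // nil = crypto/rand
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	return rootPub, []Link{
		{Payload: devPub, Sig: ed25519.Sign(rootPriv, devPub)},
		{Payload: report, Sig: ed25519.Sign(devPriv, report)},
	}
}

func main() {
	root, chain := BuildDemo([]byte("measurement=constructed-sample"))
	report, err := VerifyChain(root, chain)
	fmt.Println(string(report), err)
}
```

The verifier trusts only the root key it already holds; a report signed by a key that does not chain to that root, or a report altered after signing, is rejected.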
