Raw Attestation with Secure Boot
Attestation with Secure Boot follows the principles of UEFI Secure Boot, where the integrity of the UEFI firmware itself is attested.
Secure Boot is a standard feature of the UEFI firmware interface designed to secure the pre-boot process. It works by maintaining a database of approved cryptographic signatures for bootloaders and operating system kernels. Before executing any pre-boot binary, the UEFI firmware verifies its signature against this database. If the signature is not recognized or has been tampered with, the boot process is halted.
Role in Remote Attestation
While Raw Attestation verifies the integrity of the firmware and initial platform configuration, it does not cover the operating system's bootloader or kernel. Secure Boot bridges this gap, extending the chain of trust from the hardware into the OS layer.
The attestation process integrates Secure Boot as follows:
Firmware Verification: The process begins with Raw Attestation. The platform's security processor measures the UEFI firmware. Since the Secure Boot component and its configuration are part of this firmware, their integrity is verified at this stage.
Boot Chain Verification: Once the firmware is trusted, it begins the boot process. The Secure Boot mechanism then takes over, verifying the signature of each subsequent component—such as the OS bootloader and the kernel—before it is loaded.
Outcome
By combining these two methods, a relying party can achieve a more comprehensive security guarantee. If the measurements from Raw Attestation confirm that a genuine, untampered firmware with Secure Boot was loaded, the relying party can be confident that the entire boot chain, up to and including the operating system kernel, has also been verified. This makes it possible to detect any malicious modification to the boot process.
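The relying-party decision described above (firmware measurement checked first, then the measured Secure Boot state used to extend trust to the bootloader and kernel), as an added example that is not part of this page or of any vendor's verifier. The event-log layout, the PCR-style extend digest and the reference firmware value are all constructed for the illustration.

```python
import hashlib

# Constructed reference value for the expected (genuine) firmware image.
EXPECTED_FIRMWARE = hashlib.sha256(b"genuine-uefi-firmware-image").hexdigest()

# Constructed measured-boot event logs: (event name, measured data).
GOOD_LOG = [("firmware", b"genuine-uefi-firmware-image"),
            ("SecureBoot", b"\x01"), ("bootloader", b"signed-shim")]
TAMPERED_LOG = [("firmware", b"patched-uefi-firmware-image"),
                ("SecureBoot", b"\x01"), ("bootloader", b"signed-shim")]
SB_OFF_LOG = [("firmware", b"genuine-uefi-firmware-image"),
              ("SecureBoot", b"\x00"), ("bootloader", b"unsigned-loader")]


def extend(prev_hex: str, data: bytes) -> str:
    """PCR-style extend: new = SHA-256(previous || SHA-256(data))."""
    return hashlib.sha256(bytes.fromhex(prev_hex)
                          + hashlib.sha256(data).digest()).hexdigest()


def replay(events) -> str:
    """Replay an event log into one composite digest, as a quote would carry."""
    acc = "00" * 32
    for _, data in events:
        acc = extend(acc, data)
    return acc


def assess(events, quoted_digest: str):
    """Relying-party verdict as (trusted, reason).
    The whole boot chain is trusted only if the quote matches the log,
    the firmware measurement is the expected one (Raw Attestation), and the
    measured configuration shows Secure Boot enforced for later stages."""
    if replay(events) != quoted_digest:
        return False, "quote does not match event log"
    measured = dict(events)
    firmware = measured.get("firmware")
    if firmware is None or hashlib.sha256(firmware).hexdigest() != EXPECTED_FIRMWARE:
        return False, "firmware measurement not recognised"
    if measured.get("SecureBoot") != b"\x01":
        return False, "Secure Boot disabled in measured configuration"
    return True, "genuine firmware with Secure Boot: bootloader and kernel verified"


if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("tampered", TAMPERED_LOG), ("sb-off", SB_OFF_LOG)):
        print(name, assess(log, replay(log)))
```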