Remote Attestation

liamcvw.com

93 points by lcvw 9 hours ago


imglorp - 8 hours ago

We use SPIFFE/SPIRE at work. It works well for our use case, remote embedded workflows that need to phone home. It's very exacting: everything must be exactly right for the attestation to succeed. So it takes extra effort when you commit to that path.

madduci - 3 hours ago

The German Healthcare System is moving to the TelematikInfrastruktur 2.0, which has foundations in Zero Trust security, which includes also remote attestation and proof with TPM.

I had made a dummy client as example and I must say that on development perspectives, it is wild.

There are some Go libraries, which support only RSA instead of EC for TPM Keys, on the C++ side you get most of results in Windows through the CryptoProvider, on Linux and Mac exists own OS solutions/access.

Implementing it isn't trivial at all, otherwise you would already seen (not vibe-coded) open source implementions spawning on GitHub.

whiatp - 3 hours ago

Something worth calling out is that, as far as I've seen, most server TPM implementations are not great against physical access attacks. If servers might be physically compromised (eg. you are leaving a server unsupervised in a colo) shenanigans are still possible.

The TPMs are on separate chips from the main processor. If something were to man-in-the-middle the communications with the TPM, the hash digests can be "corrected" so the TPM thinks the boot artifacts were in the intended state. At least the ones I've worked with were SPI, but I've seen I2C ones as well. Either way, these are low speed, easy to mess with buses.

Also you want to pay real close attention to how you onboard new devices. The article states

> The EK comes with a x509 cert signed by the manufacture’s PKI. So the EK proves the TPM is legit.

This lets you know the TPM you are performing remote attestation of is made by a particular manufacturer, but an attacker can go buy a TPM chip from the right manufacturer off digikey, and feed it the intended hashes in pcr extend commands. For the attacks the TPM is supposed to prevent, you have to assume they could re-direct the tpm requests your remote validation service is trying to run to their own device by compromising the boot artifacts. You still have to figure out how to make sure your workflows are onboarding the TPM from _your_ hardware, not just a TPM from the same manufacturer.

Cider9986 - 2 hours ago

GrapheneOS has an implementation of this with their Auditor app. You can use their service or you can use another Android. No freedom lost, just security gained.

https://attestation.app/about

There's also Android's hardware attestation API which apps can use to verify integrity in a more secure and privacy-respecting way than Google Play Integrity. An increasing number of apps are officially supporting GrapheneOS through this, and that number will only grow as GrapheneOS gains users.

https://grapheneos.org/articles/attestation-compatibility-gu...

nondescript2887 - 8 hours ago

>But what about attacks after boot? That’s your EDR’s problem. Trusted boot provides the bedrock to build a bunch of other primitives on top of. Including cryptographic proof your EDR is installed and running (at boot), immutable filesystems (verified at boot), signed upgrades, confidential computing, etc. Without it you can’t trust your hosts themselves and can’t make further security guarantees. Houses built on sand and all that.

Good take - remote attestation doesn't solve all problems on its own but it is a very powerful tool in the platform security toolbox (and very cool "to boot" :P)

davidfiala - 5 hours ago

Attestation of any type: A double edged sword, where you are guaranteed to lose freedom. Attestation entrenches, empowers, and enriches other entities that aren't you.

Ironic how this post got upvoted in parallel to polar opposite in the #1 slot: "John Deere owners will get the right to repair equipment under FTC settlement" https://news.ycombinator.com/item?id=48838876

Engineers may debate about what-about-isms of vulnerabilities and counterexamples of TPM failures, but that misses the point: We should be debating about where society will be when devices you paid for serve other masters.

Probably we should just write/vibe/demand better software. Otherwise we're going to end up with a law demanding TPMs that watch more than just your firmware...

zb3 - 9 hours ago

It would be a nice addition if big tech didn't abuse this to shove user-hostile software into devices which the user has paid for (like smartphones).. thanks to this attitude, whenever I see "remote attestation" I associate this with "hostile"..

> Using a TPM, we can remotely, cryptographically prove a couple of things:

Unless there are exploits..

Uptrenda - 6 hours ago

It's a nice idea, but I wouldn't design any system on the assumption that a TPM needs to stay secure for the system to be safe. There's been so many exploits. We can consider the iphone as an R & D platform for doing blackbox computations. In that nothing is allowed to run that Apple doesn't want. Protecting that is apples bread and butter and they care about it enough to value critical exploits in the millions. Yet people still find them all the time. I feel like if a company that invests millions in the concept can't make it secure then the concept probably isn't that great.

userbinator - 5 hours ago

This is the dream of corporate authoritarians everywhere. The dystopian nightmare we all warned about because we saw it coming. "Security" is the "think of the children" fearmongering of the current environment.

As one of our Founding Fathers put it: "Those who give up freedom for security deserve neither."

Remote Attestation: Just Say No.

michaelmrose - 6 hours ago

Waiting for when one can't boot Windows without running snitch software which analyzes everything you do first to ensure you aren't a pedophile then that you aren't a terrorist then that aren't disloyal or un-American.

You won't be able to send email or bank if you aren't running the snitch or any configuration where you could defeat it.

Hell in a boring dystopia run by adults this could theoretically be a good thing! Never miss the next obvious school shooter!

Then look at who actually runs our country.