Remote Platform Integrity Attestation

By Muthu Ramalingam, Engineering Manager, R&D – Software & Security Engineering, AMI (USA)

The process of safely starting up a computer depends on the hardware and software being able to trust that each other will act in a predictable way. This is known as ‘platform integrity’ and continues from switch on until the operating system has fully booted and applications are running. Alongside establishing identity and protecting sensitive keys and data, platform integrity is one of the foundational standards of trusted computing.

The process of ensuring that the operating system of a computer in boot up mode is working in a predictable way is called platform attestation. This consists of two primary activities – measurement and attestation. Measurement is an act of obtaining cryptographic representations for the system state, whist attestation is the act of comparing those cryptographic measurements against expected values to determine whether the system is booted into an acceptable state or not.

The attestation maintains a database of expected measurements and compares actual boot time measurements from hosts. This process ensures that the measured components are in an acceptable or trusted state at the time of the last system boot. Remote attestation is easier and centrally manged, whilst at the same time does not halt the boot prosses which occurs during a local attestation. It also provides easier remediation for the administrator, so that administrator can take immediate actions to mitigate the issue.

AMI TruE™ Platform Attestation Solution

AMI TruE is a holistic data centre and edge security solution that delivers foundational security, leveraging security technologies from Intel® including Intel® Security Libraries and Intel® Software Guard Extensions. It is scalable, extensible, and built for cloud-to-edge applications, tracking the trusted compute status of servers and providing remediation measures for untrusted platforms.

AMI TruE leverages the TCG specification for a trusted boot process, extends measurements of platform components to registers in a TPM ans securely generates quotes of measurements from the TPM for remote comparison to expected values.

By incorporating these security technologies and TCG trusted boot process standards, AMI TruE can enable confidential computing, ease deployment of workload attestation, provide reliable workload launch time protection and secure encrypted application keys.

A key use case supported by AMI TruE is Platform Integrity Attestation. Because there is difficulty to differentiate hardware platforms by specific categories in cloud infrastructure. There is a need to organise and categories hardware to guarantee that these assigned categorisations or labels are secure.

Continuous monitoring is needed to make sure the platform is always secure. AMI TruE attestation service periodically attest the servers based on the good known platform measurements called flavors. Any tampering in the platform firmware, OS, Asset tags, and specific software will be identified and notified by attestation service.

To see Muthu outline the technology concepts underlying platform integrity please see his recent webinar presentation here – https://www.brighttalk.com/webcast/7423/540791?utm_source=TrustedComputingGroup&utm_medium=brighttalk&utm_campaign=540791.