2023-10-22

One of my current engineering efforts is in support of the concept of hardware attestation. What is that? Here’s my attempt at a summary:

Attestation is a way of showing that something is true. In this case, it is proving that the software you are talking to is from a trusted vendor. In my case, that software is the Firmware for the System-on-a-Chip. While there are many levels of Attestation, they all resolve down to the lowest level of software: it doesn’t matter whether the Operating System is good if the Firmware is bad, because then there is the potential for a violation. Passing attestation is no guarantee that there is not a violation, either. Attestation is necessary-but-not-sufficient.

How do we attest? Well, we have to talk to a server. There are two different types of servers I have been exposed to in my current effort: the BMC and the Operating System. They do roughly the same thing. Some external program makes a connection to either the BMC or the OS and makes an attestation request: “Show me the firmware you are running and a cryptographic signature for it.” Basically, I am back in the world of X509 certificates. Although attestation does not need to be done with X509, it needs all the same pieces that X509 provides, so it is easiest to explain in terms of X509.
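The request above, sketched in Go as an added example (not code from the original post or from any BMC or OS agent): the external program sends a fresh nonce, the attester measures its firmware and signs nonce plus measurement, and the verifier checks the signature against the trusted key and the measurement against a known-good list. Ed25519 stands in for the X509 machinery; the attestation key being vendor-endorsed, the `fw-attest-v1:` domain string and the sample firmware bytes are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// Quote is what the attester (BMC or OS agent) hands back: the measurement of
// the firmware it claims to run, the verifier's nonce, and a signature over both.
type Quote struct {
	Nonce       []byte
	Measurement []byte // SHA-256 of the firmware image
	Signature   []byte
}

// signedPayload binds the nonce to the measurement so a quote answers exactly
// one request and cannot be replayed from an earlier, honest boot.
func signedPayload(nonce, measurement []byte) []byte {
	return append(append([]byte("fw-attest-v1:"), nonce...), measurement...)
}

// Attest is the device side: measure the firmware and sign nonce||measurement
// with the attestation key (assumed here to be endorsed by the vendor, e.g. via X509).
func Attest(attestKey ed25519.PrivateKey, firmware, nonce []byte) Quote {
	m := sha256.Sum256(firmware)
	sig := ed25519.Sign(attestKey, signedPayload(nonce, m[:]))
	return Quote{Nonce: nonce, Measurement: m[:], Signature: sig}
}

// Verify is the external program's side. A valid signature only proves the quote
// came from a holder of the trusted key; comparing the measurement against a
// known-good list is what turns "signed" into "trusted firmware".
func Verify(vendorPub ed25519.PublicKey, knownGood [][]byte, nonce []byte, q Quote) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("nonce mismatch: stale or replayed quote")
	}
	if !ed25519.Verify(vendorPub, signedPayload(q.Nonce, q.Measurement), q.Signature) {
		return errors.New("bad signature: quote not from a trusted attestation key")
	}
	for _, g := range knownGood {
		if bytes.Equal(g, q.Measurement) {
			return nil // signed AND known-good: attestation passes
		}
	}
	return errors.New("signature valid but measurement is not a known-good firmware")
}
```

A quote that verifies says only that a trusted key signed this measurement for this nonce; whether the firmware behind that measurement is actually free of defects is the "not sufficient" half.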