FOSDEM CC devroom abstract

Thomas Fossati edited this page Nov 22, 2022 · 8 revisions

Project Veraison (VERificAtIon of atteStatiON)

Remote attestation is the means by which a computational workload can provide trust metrics about itself as well as the processing environment on which it executes.

Evidence produced by an "attester" is typically used by a relying party to ascertain the attester's security posture, and therefore serves as a building block for establishing trust between the parties involved in distributed computations -- especially those that require a high level of security and privacy, such as in Confidential Computing.

However, an attestation is pointless if its trustworthiness can't be verified.

Verification is, in fact, the central function the entire remote attestation architecture relies upon.

An attestation verifier sits amid a complex network of trust relationships and processes -- including device manufacturing, software life-cycle, and product certification -- and has to make sense of a vast and messy amount of information in order to give the relying party the simple answer it needs to instruct its authorisation policy.

Veraison [1] is an OSS project that aims to significantly reduce the complexity associated with the verification of attestation evidence.

It provides pre-canned software packages addressing different attestation technologies that can be composed into a verification service.

To reduce complexity and fragmentation, Veraison embraces standard interfaces as much as possible while at the same time providing enough flexibility to adapt to technology- and deployment-specific needs.

Veraison is a project adopted by the Confidential Computing Consortium in the Linux Foundation.

[1] https://github.com/veraison


Veraison BoM:

  • Packages for manipulating attestation-related formats:
    • Evidence
    • Attestation results
    • Reference and endorsed values
    • Trust anchors
  • REST APIs that model the most common interaction patterns
  • A verification and provisioning pipeline that can be easily extended and customised
  • Pre-built verification and provisioning plug-ins
  • A reference implementation of a complete service
  • Emulators of attesters, relying parties and supply chain actors