Collaborate Disseminate
The TPM (Trusted Platform Module) has a feature called dynamic root-of-trust. If i understand correctly a measurement of the current system is taken (to enable attestation) by the CPU and transmitted to the TPM. To make sure that the measu… Continue reading Do microcontroller processors like Arm Cortex-M support the TPM’s Dynamic root of trust (similar to e.g. Intel TXT)?
Modern laptops and mobile phone platforms are built around a main, beefy SoC, which generally supports Secure Boot for its firmware and also has a unique hardware identity that is used to attest to a remote management system that it is gen… Continue reading How is the authenticity and integrity of the various chips inside laptops and mobile phones ensured by their vendors?
During remote attestation, a device sends the server the EK certificate, AK public, AK name. By using tpm2_makecredential/tpm2_activatecredential, the attestation sever can confirm that:
the EK is resident in the device TPM, and
the AK th… Continue reading How to bind TPM2.0 AK to the "AK name" used in tpm2_makecredential, and how is trust established in AIK?
For my attestation scenario, I need a unique, non-transferable signing (or decryption, it could also work) key from the remote machine in the form of a signing key. There are no privacy concerns at all so I could use the EK but EK can’t si… Continue reading How can we know the attestation key in "make credential" key is not duplicable?
For my attestation scenario, I need a TPM-generated, non-transferable RSA key (for signing and/or decryption) from a remote machine that would uniquely identify the remote machine.
There are no privacy concerns at all so I could use the E… Continue reading How can we (remotely) prove that a non-restricted RSA key in TPM is not duplicable (has fixedTPM flag)?
I want to know the use cases of DAA (Direct Anonymous Attestation) in the real world.
Continue reading Is there any use case of DAA (Direct Anonymous Attestation) in TPM?
I try to attest my vm running on a kvm+qemu host using qmp and this command:
echo ‘{ "execute": "qmp_capabilities" }\n{"execute":"query-sev-attestation-report","arguments":{"mnonce&quo… Continue reading Qemu: SEV: Failed to query the attestation report length ret=-22 fw_err=0 ()
I’ve been pondering some potential cybersecurity applications for enclaves. One of them being the problem of password hashing.
Some clients have enclave support, meaning part of their CPU can securely execute code in an encrypted and authe… Continue reading Practicality of outsourcing password hashing using enclaves
Among the things listed that a TPM chip can do I found something not like the others:
Remote Attestation: … This allows a third party to verify that the software has not been changed.
But in a certain way we know that’s not a feasible … Continue reading What’s the feasibility of making a hostile TPM chip?
It seems that the term “local attestation” is usually used to refer an attestation conducted within an Intel environment. While the term “remote attestation” is widely used with a big range of platforms.
Does the term local attestation … Continue reading Why local attestation?