Comment by digiown

21 hours ago

You can't implement remote attestation without a full chain of exploits (from the perspective of the user). Remote attestation works on Android because there is dedicated hardware to directly establish communication with Google's servers that runs independent (as a backchannel). There is no such hardware in PCs. Software based attestation is easily fooled on previous Android/Linux.

9 comments

digiown

tapoxi 21 hours ago

The call asks the TPM to display the signed boot chain, you can't fake that because it wouldnt be cryptographically valid. The TPM is that independent hardware.

digiown 21 hours ago
How would that be implemented? I'd be curious to know.
I'm not aware that a TPM is capable of hiding a key without the OS being able to access/unseal it at some point. It can display a signed boot chain but what would it be signed with?
If it's not signed with a key out of the reach of the system, you can always implement a fake driver pretty easily to spoof it.
- vbezhenar 20 hours ago
  
  I guess something like that: https://tpm2-software.github.io/tpm2-tss/getting-started/201...
  Basically TPM includes key that's also signed with manufacturer key. You can't just extract it and signature ensures that this key is "trusted". When asked, TPM will return boot chain (including bootloader or UKI hash), signed by its own key which you can present to remote party. The whole protocol is more complicated and includes challenge.
  
  1 reply →
- tapoxi 21 hours ago
  
  This is called the Endorsement Key, and you're correct, it never leaves the TPM. The TPM is a "black box" to the OS.
  
  4 replies →