« All posts

Remote Attestation: Proving Server Integrity with TPMs

Remote attestation uses TPMs to cryptographically prove a host's boot integrity, helping infrastructure detect and reject compromised machines automatically.

When a host joins a fleet and starts serving traffic, it's surprisingly hard to verify it's actually running trusted hardware and a trusted boot chain rather than a compromised stack. The source explains how TPM-based remote attestation closes this gap: hashes of hardware, firmware, kernel and root filesystem are measured into PCRs during boot, letting operators cryptographically prove the exact state a host is in after every reboot. Unlike secure boot, measured boot doesn't block booting outright — it produces signed measurements, and the real power comes from tying those measurements to key release (TPM sealing) and signed attestations (TPM quotes) that gate certificate issuance.

The piece walks through the chain of trust built from three TPM keys: the Endorsement Key (EK) proves the TPM's authenticity via a manufacturer-signed certificate, the Attestation Key (AK) is derived from it and restricted to signing quotes, and the LDevID is a general-purpose signing key representing node identity, typically sealed to known-good PCR values. Combined with mTLS and TPM-backed certificates, a host that fails attestation — or reboots into a bad state — simply can't obtain certificates or authenticate into production, making persistence across reboots effectively impossible for attackers.

For engineers, the takeaway is that most environments extend blind trust to hosts once they're provisioned, regardless of what happens afterward. Remote attestation provides a solid foundation that catches kernel- and driver-level supply chain attacks bypassing userland defenses, and underpins higher-level guarantees like EDR verification at boot, immutable filesystems, signed upgrades, and confidential computing. The tradeoff is real engineering effort: rolling this out means rethinking how firmware, init images, and kernels are built and distributed across an entire fleet.