Attestation Certificate
Overview
An Attestation Certificate is a digital document issued by a Verifier (like the HIRS ACA) that serves as a "seal of approval" for a computer’s security state.

While a standard identity certificate is used to prove the identity of a computer, an Attestation Certificate is used to validate the integrity of what the computer is running. In combination with the RIM Bundle, it is used to confirm that the hardware and firmware have not been tampered with and match a known, trusted baseline.
TPM 2.0 Keys for Device Identity and Attestation Specification
The TCG's TPM 2.0 Keys for Device Identity and Attestation specification defines how a device can prove what it is (identity) and what state it is in (integrity) using hardware-bound keys that cannot be spoofed or exported. It defines a standardized process for trusted entities (like a Verifier) to confirm a device's identity and state over the internet.
This specification formalizes two specific types of keys:
- Initial Device Identity (IDevID): A permanent, tamper-proof "birth certificate" burned into the TPM by the TPM manufacturer. It proves the device is genuine and came from a trusted factory.
- Initial Attestation Key (IAK): A unique signing key used to "attest" to (vouch for) the device. It allows a remote server to securely verify that the firmware and system state are authorized, without risk of interception or tampering.
The IDevID and IAK are provided by the OEM and are verified using an OEM-provided certificate chain. LDevID and LAK certificates are generated locally. The HIRS ACA can produce an LDevID certificate, an LAK certificate, or both upon a successful provision.
In HIRS, the Attestation Certificate is used in a post-delivery process after an initial provision has been successfully completed.
How It Works
The process generally follows these steps:
- Measurement: During the boot process, the computer stores "measurements" (hashes) of the UEFI, system configuration, and pre-boot applications in the TPM's Platform Configuration Registers (PCRs). The measurements are also recorded in the TCG Event Log.
- Challenge: A remote Verifier asks the computer to prove it holds the Attestation Key by sending a random nonce as part of the exchange. The TPM signs a hash of the PCRs, in an object referred to as the quote, using the existing Attestation Key.
- Verification: The computer sends the quote, the Attestation Public Key (or existing Attestation Certificate), its hardware info, and the TCG Event Log to the Verifier. The Verifier compares these against the "reference values" provided by certificates such as Platform Certificates, Reference Integrity Manifests, etc.
- Issuance: If all measurements match expected values, the Verification passes. A Local Attestation Certificate and/or Local IDevID certificate is generated by the ACA if the ACA policy for producing the certificates is enabled.
Note
For more detailed information on the process, see Operational Flow.
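The measurement, challenge and verification steps above, worked through as an added example that is not part of the HIRS documentation or code base. It simulates the four pieces a Verifier actually checks: the nonce is fresh, the quote's signature verifies under the Attestation Key, replaying the event log reproduces the quoted PCR digest, and the replayed PCRs match the reference values. The event-log entries, the reference values and the nonce are constructed inline, the ECDSA key stands in for a TPM-resident AK, and the quote structure is a simplified stand-in for the TPM2_Quote output (all of these are assumptions, not HIRS data structures).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// EventLogEntry is one constructed TCG event-log record: the PCR it
// extends and the SHA-256 digest of what was measured.
type EventLogEntry struct {
	PCR    int
	Digest [32]byte
}

// Measure builds a constructed log entry for a named component.
func Measure(pcr int, component string) EventLogEntry {
	return EventLogEntry{PCR: pcr, Digest: sha256.Sum256([]byte(component))}
}

// ReplayEventLog recomputes the PCR bank from the log, as a verifier does:
// PCR[i] = SHA256(PCR[i] || digest), starting from all-zero registers.
func ReplayEventLog(log []EventLogEntry) map[int][32]byte {
	pcrs := map[int][32]byte{}
	for _, e := range log {
		cur := pcrs[e.PCR]
		pcrs[e.PCR] = sha256.Sum256(append(cur[:], e.Digest[:]...))
	}
	return pcrs
}

// PCRDigest hashes the selected PCRs in order; this is the value a quote commits to.
func PCRDigest(pcrs map[int][32]byte, selection []int) [32]byte {
	var buf bytes.Buffer
	for _, i := range selection {
		v := pcrs[i]
		buf.Write(v[:])
	}
	return sha256.Sum256(buf.Bytes())
}

// Quote is a simplified stand-in (assumption) for TPM2_Quote output.
type Quote struct {
	Nonce     []byte
	Selection []int
	PCRDigest [32]byte
	Sig       []byte // ECDSA signature by the AK over quotedBytes(...)
}

// quotedBytes serialises what the AK signs: nonce || selection || PCR digest.
func quotedBytes(nonce []byte, sel []int, d [32]byte) []byte {
	var buf bytes.Buffer
	buf.Write(nonce)
	for _, i := range sel {
		var b [4]byte
		binary.BigEndian.PutUint32(b[:], uint32(i))
		buf.Write(b[:])
	}
	buf.Write(d[:])
	return buf.Bytes()
}

// MakeQuote plays the device/TPM side: sign the quoted data with the AK.
func MakeQuote(ak *ecdsa.PrivateKey, pcrs map[int][32]byte, sel []int, nonce []byte) (Quote, error) {
	d := PCRDigest(pcrs, sel)
	h := sha256.Sum256(quotedBytes(nonce, sel, d))
	sig, err := ecdsa.SignASN1(rand.Reader, ak, h[:])
	if err != nil {
		return Quote{}, err
	}
	return Quote{Nonce: nonce, Selection: sel, PCRDigest: d, Sig: sig}, nil
}

// VerifyQuote plays the Verifier: freshness, AK signature, event-log replay,
// and comparison against the reference PCR values. Any failure is reported.
func VerifyQuote(akPub *ecdsa.PublicKey, q Quote, expectedNonce []byte, log []EventLogEntry, reference map[int][32]byte) error {
	if !bytes.Equal(q.Nonce, expectedNonce) {
		return errors.New("nonce mismatch: quote is not fresh")
	}
	h := sha256.Sum256(quotedBytes(q.Nonce, q.Selection, q.PCRDigest))
	if !ecdsa.VerifyASN1(akPub, h[:], q.Sig) {
		return errors.New("AK signature invalid")
	}
	replayed := ReplayEventLog(log)
	if PCRDigest(replayed, q.Selection) != q.PCRDigest {
		return errors.New("event log does not reproduce the quoted PCR digest")
	}
	for _, i := range q.Selection {
		if replayed[i] != reference[i] {
			return fmt.Errorf("PCR %d differs from its reference value", i)
		}
	}
	return nil
}

func main() {
	ak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for a TPM-resident AK
	golden := []EventLogEntry{Measure(0, "uefi-fw-1.0"), Measure(1, "platform-config"), Measure(4, "bootloader")}
	reference := ReplayEventLog(golden) // reference values, e.g. from a RIM
	nonce := []byte("constructed-nonce-0001")
	q, _ := MakeQuote(ak, ReplayEventLog(golden), []int{0, 1, 4}, nonce)
	fmt.Println("golden boot:", VerifyQuote(&ak.PublicKey, q, nonce, golden, reference))
	tampered := []EventLogEntry{Measure(0, "uefi-fw-modified"), golden[1], golden[2]}
	q2, _ := MakeQuote(ak, ReplayEventLog(tampered), []int{0, 1, 4}, nonce)
	fmt.Println("modified firmware:", VerifyQuote(&ak.PublicKey, q2, nonce, tampered, reference))
}
```

The order of checks matters for a real Verifier: a stale nonce or a bad AK signature means the quote cannot be trusted at all, so the event log is only replayed once both have passed; a replay that does not reproduce the quoted digest means the log and the TPM disagree, which is treated as a failure even before the reference comparison.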
What the Certificate Proves
An Attestation Certificate typically validates the following:
- Hardware Identity: The request came from a genuine TPM bound to that specific device.
- Firmware Integrity: BIOS/UEFI has not been altered.
- Component Integrity: (Upcoming) Will validate individual components' hardware and firmware.