Community
Search Options
Search Options
Log in
Skip to main content (Press Enter).
Sign in
Skip auxiliary navigation (Press Enter).
Community
Power
Topic groups
Automation with Power
Business Continuity
Enterprise Infrastructure as a Service
IBM i
ISV Solutions
Modernization with IBM Power
Open Source
Operating Systems
Power Developer eXchange
Power Global
Power Security
Programming Languages
Virtualization
Groups
AI
Automation
Data
Security
Sustainability
Cloud
IBM Z & LinuxONE
Power
Storage
IBM Champions
IBM Japan
All Groups
Champions
User groups
Power user groups
All user groups
Events
IBM TechXchange Conference
Upcoming Power events
IBM TechXchange Webinars
All IBM TechXchange Community Events
Participate
Welcome Corner
Blogging in the Community
Directory
Community Leaders
Resources
Gamification
Marketplace
Marketplace
IBM Power
Connect, learn, share, and engage with IBM Power.
Ask a question
Missed IBM TechXchange Dev Day: Virtual Agents? On-demand viewing is available
here
Skip main navigation (Press Enter).
Toggle navigation
Search Options
PowerVM
Virtualization
View Only
Group Home
Threads
460
Library
18
Blogs
110
Events
0
Members
1.1K
Share
POWER9 Trusted Remote Attestation on PowerVM
By
Chris Engel
posted
Wed June 17, 2020 08:50 AM
0
Like
POWER systems are known to provide a highly secured server platform. POWER9 hardware and firmware are making substantial improvements to make it even more secure for Cloud deployment with the addition of Secure Boot built on a host processor based chain of trust. Our previous blogs addressed the concepts and flow of Secure Boot. Here we will take a look at the associated trusted attestation framework and a reference implementation of a trusted remote attestation server.
Remote Attestation
Remote Attestation helps answer the question: Which software is running on a remote computer? Attestation is the process of vouching for the accuracy of information. It allows changes to the user's computer to be detected by authorized parties by attesting to the current status of both the Trusted Platform Module (TPM) and the platform on which it resides.
PowerVM Attestation Framework
The evolution of cloud infrastructures towards hybrid cloud models reveals the greatest barrier to cloud migration is the twin challenges of security and compliance. As an increasingly large amount of private data is utilizing cloud services it is critical that IBM offer a solution to security admins that is best in trust, security and performance.
Physical attestation interfaces are provided to allow a trusted 3rd party client to retrieve information about the trusted boot state of the target PowerVM system. This makes use of the systems physical TPM(s), which are TCG 2.0 compliant devices. These TPM(s) are used by system firmware to extend measurements during the boot process.
PowerVM provides two paths to access the physical attestation data. The trusted client can access the data using a socket interface to the FSP or using RTAS calls from a partition running on the system.
Provisioning
The provisioning process allows a trusted 3rd party client to install a public key that it trusts enabling creation of attestation quote signatures with a target PowerVM system. The client will validate the TPM vendor endorsement key (EK) certificate from the target system against known vendor root certificates.
The provisioning process only needs to be done once per client per system. The client can store the attestation key pair and reuse the pair to perform multiple attestation quotes. If the system has experienced a TPM failure it may select a new primary TPM for attestation. At this point the client will need to restart with the provisioning process as further attempts to retrieve attestation quotes will fail.
Quotes
The quote process allows the trusted client to retrieve Platform Configuration Register (PCR) values, quote data and TPM event logs from the registered target system. This allows the trusted client to do an attestation of the trusted boot state of the target PowerVM system.
Contacting the PowerVM Team
Have questions for the PowerVM team or want to learn more? Follow our discussion group on LinkedIn
IBM PowerVM
or IBM Community
Discussions
#PowerVM
#powervmblog
#powervmsecurity
0 comments
19 views
Permalink
Community
Power
Topic groups
Automation with Power
Business Continuity
Enterprise Infrastructure as a Service
IBM i
ISV Solutions
Modernization with IBM Power
Open Source
Operating Systems
Power Developer eXchange
Power Global
Power Security
Programming Languages
Virtualization
Groups
AI
Automation
Data
Security
Sustainability
Cloud
IBM Z & LinuxONE
Power
Storage
IBM Champions
IBM Japan
All Groups
Champions
User groups
Power user groups
All user groups
Events
IBM TechXchange Conference
Upcoming Power events
IBM TechXchange Webinars
All IBM TechXchange Community Events
Participate
Welcome Corner
Blogging in the Community
Directory
Community Leaders
Resources
Gamification
Marketplace
Marketplace
Powered by Higher Logic