POWER9 Trusted Remote Attestation on PowerVM

By Chris Engel posted Wed June 17, 2020 08:50 AM

POWER systems are known to provide a highly secured server platform. POWER9 hardware and firmware make the platform even more secure for cloud deployment by adding Secure Boot built on a host-processor-based chain of trust. Our previous blogs addressed the concepts and flow of Secure Boot. Here we look at the associated trusted attestation framework and a reference implementation of a trusted remote attestation server.

Remote Attestation
Remote Attestation helps answer the question: Which software is running on a remote computer? Attestation is the process of vouching for the accuracy of information. It lets authorized parties detect changes to the user's computer by attesting to the current status of both the Trusted Platform Module (TPM) and the platform on which it resides.

PowerVM Attestation Framework
The evolution of cloud infrastructures towards hybrid cloud models reveals that the greatest barrier to cloud migration is the twin challenges of security and compliance. As an increasingly large amount of private data is processed by cloud services, it is critical that IBM offer security admins a solution that is best in trust, security and performance.

Physical attestation interfaces are provided to allow a trusted third-party client to retrieve information about the trusted boot state of the target PowerVM system. This makes use of the system's physical TPM(s), which are TCG 2.0 compliant devices. These TPM(s) are used by system firmware to extend measurements during the boot process.

PowerVM provides two paths to access the physical attestation data. The trusted client can access the data using a socket interface to the FSP or using RTAS calls from a partition running on the system.

[Figure: PowerVM Attestation Overview]

The provisioning process allows a trusted third-party client to install a public key that it trusts, enabling creation of attestation quote signatures with a target PowerVM system. The client will validate the TPM vendor endorsement key (EK) certificate from the target system against known vendor root certificates.

The provisioning process only needs to be done once per client per system. The client can store the attestation key pair and reuse it to perform multiple attestation quotes. If the system has experienced a TPM failure, it may select a new primary TPM for attestation. At this point the client will need to restart with the provisioning process, as further attempts to retrieve attestation quotes will fail.

[Figure: PowerVM Attestation Flow]

The quote process allows the trusted client to retrieve Platform Configuration Register (PCR) values, quote data and TPM event logs from the registered target system. This allows the trusted client to do an attestation of the trusted boot state of the target PowerVM system.

[Figure: PowerVM Attestation Quote]

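
As an added example (not code from IBM or the PowerVM firmware), this is the consistency check a trusted client can run on the three items the quote process returns: replay the TPM event log, confirm it reproduces the reported PCR values, then confirm the quote's PCR digest covers those values. It assumes an already-parsed SHA-256 PCR bank and constructed sample data; the function names are hypothetical, and verifying the quote signature with the provisioned attestation key and checking the nonce are separate steps not shown.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 bank; PCRs are assumed to start as all zeros


def replay_event_log(events):
    """Recompute PCRs from (pcr_index, digest) events: new = SHA256(old || digest)."""
    pcrs = {}
    for index, digest in events:
        if len(digest) != PCR_SIZE:
            raise ValueError(f"PCR {index}: digest is {len(digest)} bytes, expected {PCR_SIZE}")
        pcrs[index] = hashlib.sha256(pcrs.get(index, bytes(PCR_SIZE)) + digest).digest()
    return pcrs


def pcr_composite(pcrs):
    """SHA-256 over the PCR values concatenated in ascending index order."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs))).digest()


def check_quote(events, reported_pcrs, quoted_digest):
    """Return findings; an empty list means log, PCR values and quote digest agree."""
    findings = []
    replayed = replay_event_log(events)
    for index in sorted(reported_pcrs):
        expected = replayed.get(index, bytes(PCR_SIZE))
        if not hmac.compare_digest(expected, reported_pcrs[index]):
            findings.append(f"PCR {index}: event log does not replay to the reported value")
    if not hmac.compare_digest(pcr_composite(reported_pcrs), quoted_digest):
        findings.append("quote digest does not cover the reported PCR values")
    return findings


# Constructed sample data (not real PowerVM measurements).
SAMPLE_EVENTS = [
    (0, hashlib.sha256(b"constructed boot stage 1").digest()),
    (0, hashlib.sha256(b"constructed boot stage 2").digest()),
    (1, hashlib.sha256(b"constructed configuration").digest()),
]
SAMPLE_PCRS = replay_event_log(SAMPLE_EVENTS)
SAMPLE_DIGEST = pcr_composite(SAMPLE_PCRS)

if __name__ == "__main__":
    print(check_quote(SAMPLE_EVENTS, SAMPLE_PCRS, SAMPLE_DIGEST))  # consistent inputs
    tampered = [SAMPLE_EVENTS[0], (0, hashlib.sha256(b"swapped").digest()), SAMPLE_EVENTS[2]]
    print(check_quote(tampered, SAMPLE_PCRS, SAMPLE_DIGEST))  # altered log entry for PCR 0
```

A log that replays cleanly only shows that the log and the PCR values agree; the client still has to compare each logged measurement against the values it expects for known-good firmware.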
Contacting the PowerVM Team
Have questions for the PowerVM team or want to learn more? Follow our discussion group on LinkedIn (IBM PowerVM) or IBM Community Discussions.