Attester Identity type | Process-based | VM-based | HSM-based |
---|---|---|---|
chip-vendor | Mandatory | Mandatory | Mandatory |
chip-hardware | Mandatory | Mandatory | Mandatory |
target-environment | Mandatory | Mandatory | Optional |
target-developer | Mandatory | Optional | Optional |
ae-instance | Optional | Optional | Optional |

Trustworthiness Claim | Definition | +/- |
---|---|---|
ae-instance-recognized | A Verifier has verified an Attesting Environment's unique identity based on some hardware based private key signing | affirming |
ae-instance-unknown | A Verifier has attempted and failed to verify an Attesting Environment's unique hardware protected identity | detracting |
config-insecure | A Verifier has appraised an Attester's configuration, and has found security issues which should be addressed | detracting |
config-secure | A Verifier has appraised an Attester's configuration, and has found no security issues | affirming |
executables-fail | A Verifier has appraised that an Attester has installed into runtime memory executables, scripts, or files other than approved ones | detracting |
executables-verified | A Verifier has appraised that an Attester has installed into runtime memory only a genuine set of approved executables, scripts, and files during and after boot | affirming |
file-system-anomaly | A Verifier has found a passively stored file on an Attester which should not be present | detracting |
hw-authentic | A Verifier has appraised an Attester as having authentic hardware and firmware | affirming |
hw-verification-fail | A Verifier has appraised that an Attester has failed its hardware or firmware verification | detracting |
runtime-confidential | A Verifier has appraised that an Attester's executing target environment is opaque to the operating system, any virtual machine manager, and any applications outside the target environment. This is a more secure superset of 'target-isolation'. See O.RUNTIME_CONFIDENTIALITY from | affirming |
secure-storage | A Verifier has appraised that an Attester has a Trusted Execution Environment which encrypts persistent storage using keys unavailable outside protected hardware. Protections must meet the capabilities of | affirming |
source-data-integrity | A Verifier has appraised that the Attester is operating upon data inputs from an external Attester having a Trustworthiness Vector with no less than the current Vector. | affirming |
target-isolation | A Verifier has appraised that an Attester has both execution and storage space which is inaccessible from any other parallel application or Guest VM running on the Attester's physical device. Note that a host operator may still have target environment visibility, however. See O.TA_ISOLATION from | affirming |

Trustworthiness Claim | TPM |
---|---|
ae-instance-recognized | Optional |
ae-instance-unknown | Optional |
config-insecure | Optional |
config-secure | Verifier evaluation of Attester reveals no configuration lines which expose the Attester to known security vulnerabilities. |
executables-refuted | If PCR checks fail for the static operating system, and for any tracked files subsequently loaded |
executables-verified | If PCRs check for the static operating system, and for any tracked files subsequently loaded |
file-system-anomaly | Verifier evaluation of Attester reveals an unexpected file. |
hw-authentic | If PCR check ok from BIOS checks, through Master Boot Record configuration |
hw-verification-fail | If PCR don't check ok |
runtime-confidential | TPMs do not provide a sufficient technology base for this claim. |
secure-storage | Minimal secure storage space exists and is writeable by external applications. This space would typically just be used to store keys. |
source-data-integrity | Optional |
target-isolation | This can be set only if no other applications are running on the Attester |

Trustworthiness Claim | Process-based |
---|---|
ae-instance-recognized | Optional |
ae-instance-unknown | Optional |
config-insecure | Optional |
config-secure | Optional |
executables-refuted | Optional |
executables-verified | Optional |
file-system-anomaly | n/a |
hw-authentic | Implicit in signature |
hw-verification-fail | Implicit if signature not ok |
runtime-confidential | Implicit in signature |
target-isolation | Implicit in signature |
secure-storage | Implicit in signature |
source-data-integrity | Optional |

Trustworthiness Claim | Process-based |
---|---|
ae-instance-recognized | Optional |
ae-instance-unknown | Optional |
config-insecure | Optional |
config-secure | Optional |
executables-refuted | Optional |
executables-verified | Optional |
file-system-anomaly | Optional |
hw-authentic | Chip dependent |
hw-verification-fail | Chip dependent |
runtime-confidential | Implicit |
target-isolation | Implicit in signature |
secure-storage | Chip dependent |
source-data-integrity | Optional |
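The tables above list which identity elements an Attestation Result must carry per Attester type, the polarity (affirming or detracting) of each Trustworthiness Claim, and how a Verifier derives claims from TPM evidence. The following Python is an added example, not code from the draft or from any attestation project: it encodes those tables as data and shows a Verifier building a Trustworthiness Vector from a constructed summary of TPM evidence, a Relying Party checking the mandatory identity elements and the claims it requires, and one way to compare two vectors for the "no less than" test that source-data-integrity calls for. The function names, the `TpmEvidence` fields, and the subset-based ordering in `no_less_than` are assumptions made for this illustration; the claim names and their polarity come from the tables.

```python
"""Trustworthiness Vector helpers built from the claim tables above.

Added example, not code from the draft or any attestation project.
The function names, the TpmEvidence inputs, and the ordering used in
no_less_than are assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Polarity of each claim, taken from the +/- column of the definition table.
AFFIRMING = frozenset({
    "ae-instance-recognized", "config-secure", "executables-verified",
    "hw-authentic", "runtime-confidential", "secure-storage",
    "source-data-integrity", "target-isolation",
})
DETRACTING = frozenset({
    "ae-instance-unknown", "config-insecure", "executables-fail",
    "file-system-anomaly", "hw-verification-fail",
})

# Identity elements marked Mandatory for each Attester type in the identity table.
MANDATORY_IDENTITY = {
    "process-based": frozenset({"chip-vendor", "chip-hardware",
                                "target-environment", "target-developer"}),
    "vm-based": frozenset({"chip-vendor", "chip-hardware", "target-environment"}),
    "hsm-based": frozenset({"chip-vendor", "chip-hardware"}),
}


def missing_identity(attester_type: str, present: set[str]) -> frozenset[str]:
    """Mandatory identity elements absent from an Attestation Result."""
    return MANDATORY_IDENTITY[attester_type] - frozenset(present)


@dataclass(frozen=True)
class TpmEvidence:
    """Constructed summary of what a Verifier learned from TPM evidence (assumed shape)."""
    boot_pcrs_ok: bool          # BIOS through Master Boot Record PCRs match reference values
    os_pcrs_ok: bool            # static OS and tracked-file PCRs match reference values
    config_issues: int          # configuration lines exposing known vulnerabilities
    unexpected_file: bool       # a passively stored file that should not be present
    other_apps_running: bool    # target-isolation may only be set when this is False


def tpm_vector(ev: TpmEvidence) -> frozenset[str]:
    """Derive a Trustworthiness Vector from TPM evidence following the TPM table rows.

    runtime-confidential is never set: the table states that TPMs are not a
    sufficient technology base for that claim.
    """
    claims = set()
    claims.add("hw-authentic" if ev.boot_pcrs_ok else "hw-verification-fail")
    claims.add("executables-verified" if ev.os_pcrs_ok else "executables-fail")
    claims.add("config-secure" if ev.config_issues == 0 else "config-insecure")
    if ev.unexpected_file:
        claims.add("file-system-anomaly")
    if not ev.other_apps_running:
        claims.add("target-isolation")
    return frozenset(claims)


def no_less_than(candidate: frozenset[str], baseline: frozenset[str]) -> bool:
    """Assumed ordering for the source-data-integrity test: the candidate keeps
    every affirming claim of the baseline and adds no detracting claim the
    baseline lacks."""
    return ((candidate & AFFIRMING) >= (baseline & AFFIRMING)
            and (candidate & DETRACTING) <= (baseline & DETRACTING))


def relying_party_decision(vector: frozenset[str], required: frozenset[str],
                           forbidden: frozenset[str] = DETRACTING):
    """Accept only when every required affirming claim is present and no
    forbidden detracting claim appears; returns (accepted, reasons)."""
    reasons = [f"missing {c}" for c in sorted(required - vector)]
    reasons += [f"present {c}" for c in sorted(vector & forbidden)]
    return (not reasons, reasons)


if __name__ == "__main__":
    healthy = tpm_vector(TpmEvidence(True, True, 0, False, False))
    degraded = tpm_vector(TpmEvidence(True, False, 2, True, True))
    policy = frozenset({"hw-authentic", "executables-verified"})
    print(sorted(healthy), relying_party_decision(healthy, policy))
    print(sorted(degraded), relying_party_decision(degraded, policy))
    print("degraded source acceptable for healthy consumer:", no_less_than(degraded, healthy))
```

The Relying Party policy rejects on any detracting claim by default, which matches the tables' framing of detracting claims as findings that "should be addressed"; a deployment that tolerates, say, file-system-anomaly on a non-critical workload would narrow the `forbidden` set rather than ignore the claim.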