Hardware Attestation
What is Hardware Attestation?
A cryptographic protocol by which a device proves its identity and software measurements to a remote verifier using a key rooted in tamper-resistant hardware.
Hardware attestation lets a remote verifier cryptographically check that a device is genuine and runs an expected software stack. The device signs a quote of its boot-time and runtime measurements (PCRs, TCB version, code hashes) with an attestation key derived from a hardware root of trust - typically a TPM Endorsement Key, an Intel SGX/TDX or AMD SEV-SNP attestation key (VCEK/VLEK), or a DICE-derived Compound Device Identifier (CDI). Standards include TCG Remote Attestation Procedures (RATS, RFC 9334), DICE (Device Identifier Composition Engine), Android Key Attestation, and Apple App Attest. Use cases span confidential computing, FIDO2 device attestation, secure boot policy enforcement, software supply-chain integrity, and zero-trust device posture checks.
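The quote-and-verify flow described above, as an added example that is not part of the original page: a Go model in which a TPM-style PCR is built by hash-extending the boot measurements, the device signs that PCR together with the verifier's nonce using its attestation key, and the relying party checks freshness, the signature, and the measurement against the expected value. Ed25519 stands in for the hardware signing scheme, the pre-enrolled public key stands in for the endorsement certificate chain, and the component names are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Quote is what the device returns: its PCR value bound to the verifier's nonce and signed.
type Quote struct{ Nonce, PCR, Sig []byte }

// BootPCR models a TPM PCR: all-zero at power-on, then pcr = SHA256(pcr || measurement) per boot component, in order.
func BootPCR(components [][]byte) []byte {
	pcr := make([]byte, sha256.Size)
	for _, c := range components {
		h := sha256.Sum256(append(append([]byte{}, pcr...), c...))
		pcr = h[:]
	}
	return pcr
}

// SignQuote is the device side. ak stands in for the hardware-rooted attestation key that never leaves a real TPM/TEE.
func SignQuote(ak ed25519.PrivateKey, pcr, nonce []byte) Quote {
	msg := append(append([]byte{}, nonce...), pcr...) // nonce||PCR: ties the quote to this challenge and these values
	return Quote{Nonce: nonce, PCR: pcr, Sig: ed25519.Sign(ak, msg)}
}

// Verify is the relying party's check: freshness (nonce), genuineness (signature under the enrolled AK), policy (golden PCR).
func Verify(pub ed25519.PublicKey, nonce, golden []byte, q Quote) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("stale or replayed quote")
	}
	if !ed25519.Verify(pub, append(append([]byte{}, q.Nonce...), q.PCR...), q.Sig) {
		return errors.New("bad signature: not signed by the enrolled device key")
	}
	if !bytes.Equal(q.PCR, golden) {
		return errors.New("measurements differ from the expected software stack")
	}
	return nil
}

func main() {
	golden := BootPCR([][]byte{[]byte("firmware-1.2"), []byte("shim"), []byte("kernel-6.1")}) // constructed reference values
	pub, ak, _ := ed25519.GenerateKey(rand.Reader) // enrolment: the verifier learns pub, the device keeps ak
	nonce := []byte("nonce-0001")                   // a real verifier draws fresh random bytes for every request
	fmt.Println("genuine device:", Verify(pub, nonce, golden, SignQuote(ak, golden, nonce)))
}
```

A real deployment also validates the attestation key's certificate chain back to the vendor root and sources the golden values from a reference-value provider; both are assumed pre-established here.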
● Examples
- 01: Confidential VMs send an SEV-SNP attestation report to a relying party before key release.
- 02: Android Key Attestation proves a private key was generated inside StrongBox/TEE.
● Frequently asked questions
What is Hardware Attestation?
A cryptographic protocol by which a device proves its identity and software measurements to a remote verifier using a key rooted in tamper-resistant hardware. It belongs to the Cryptography category of cybersecurity.
What does Hardware Attestation mean?
A cryptographic protocol by which a device proves its identity and software measurements to a remote verifier using a key rooted in tamper-resistant hardware.
How does Hardware Attestation work?
Hardware attestation lets a remote verifier cryptographically check that a device is genuine and runs an expected software stack. The device signs a quote of its boot-time and runtime measurements (PCRs, TCB version, code hashes) with an attestation key derived from a hardware root of trust - typically a TPM Endorsement Key, an Intel SGX/TDX or AMD SEV-SNP attestation key (VCEK/VLEK), or a DICE-derived Compound Device Identifier (CDI). Standards include TCG Remote Attestation Procedures (RATS, RFC 9334), DICE (Device Identifier Composition Engine), Android Key Attestation, and Apple App Attest. Use cases span confidential computing, FIDO2 device attestation, secure boot policy enforcement, software supply-chain integrity, and zero-trust device posture checks.
What are other names for Hardware Attestation?
Common alternative names include: Remote attestation, Device attestation.
● Related terms
- Intel SGX (cryptography): Intel Software Guard Extensions, a CPU instruction set that creates encrypted memory enclaves to protect code and data from a compromised OS or hypervisor.
- AMD SEV / SEV-SNP (cryptography): AMD EPYC technology that encrypts and integrity-protects each virtual machine's memory, isolating guests from a malicious or compromised hypervisor.
- Secure Boot (cryptography): UEFI feature that verifies the cryptographic signature of every boot component, refusing to launch a bootloader, kernel, or driver not signed by a trusted authority.
- Confidential Computing (cloud-security): Protecting data while it is being processed by running workloads inside hardware-based Trusted Execution Environments that isolate them from the host and the cloud operator.
● See also
- ARM TrustZone
- Microsoft Pluton