Sunday

[Bug 2146713] [NEW] Request for Security Support – Platform Attestation in Ubuntu 26.04

Private bug reported:

Platform Attestation is a security capability that enables verification
of a system's integrity and trustworthiness by providing cryptographic
proof of its hardware, firmware, and software state. It allows remote or
local entities (e.g., cloud orchestrators, security services) to
validate that a platform is running trusted and unmodified components.

Attestation is typically rooted in a hardware-based Root of Trust such
as a Trusted Platform Module (TPM) or CPU-based technologies (e.g., AMD
SEV-SNP, Intel TDX). During boot, measurements of firmware, bootloaders,
and OS components are recorded (e.g., in PCRs – Platform Configuration
Registers). These measurements are then signed and reported as
attestation evidence.

Platform Attestation is a key enabler for confidential computing, zero-
trust security models, and secure workload placement in cloud
environments. It ensures that workloads are only deployed on trusted
platforms that meet defined security policies.

In the Linux kernel, attestation support exists through TPM drivers,
Integrity Measurement Architecture (IMA), and user-space tools (e.g.,
tpm2-tools). However, comprehensive integration across firmware, kernel,
virtualization stacks, and cloud orchestration layers requires further
enhancements.

Feature Request:
Requested details to be enabled on OS:
  Enable full platform attestation support using TPM and CPU-based attestation mechanisms.
  Integrate boot-time measurement collection (BIOS/UEFI, bootloader, kernel, modules).
  Support attestation evidence generation and signing (quotes).
  Expose attestation data via kernel interfaces and user-space APIs.
  Integrate with IMA/EVM for runtime integrity measurement and appraisal.
  Support remote attestation workflows (verifier interaction, certificate handling).
  Enable attestation for confidential computing environments (e.g., SEV-SNP, TDX).
  Provide libraries/tools for attestation verification and reporting.
  Integrate with orchestration frameworks (e.g., Kubernetes) for trusted workload placement.
  Ensure secure key provisioning and lifecycle management.
  Enable logging and auditing of attestation events.
  Document attestation architecture, workflows, and deployment models.

Business Justification:
 Establishes trust in platform integrity for enterprise and cloud environments.
 Enables secure workload placement and policy enforcement.
 Supports confidential computing and zero-trust architectures.
 Enhances compliance with security standards and regulatory requirements.
 Protects against firmware and software tampering.
 Improves visibility into system security posture.

References:
  Trusted Computing Group (TCG) TPM 2.0 Specifications
  Linux Kernel TPM, IMA, and EVM Documentation
  Confidential Computing Attestation (SEV-SNP, Intel TDX)
  NIST Guidelines for Platform Integrity and Attestation

** Affects: linux (Ubuntu)
Importance: Undecided
Status: New

** Information type changed from Public to Private

** Summary changed:

- Request for Security Support – Platform Attestation
+ Request for Security Support – Platform Attestation in Ubuntu 26.04

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2146713

Title:
Request for Security Support – Platform Attestation in Ubuntu 26.04

Status in linux package in Ubuntu:
New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2146713/+subscriptions
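The report describes the mechanism in one paragraph (boot components are measured into PCRs, the PCR state is signed, and a verifier checks the signed evidence), and separately asks for remote attestation workflows with verifier interaction. The following is an added illustration of that verifier logic, not code from the bug report, from Ubuntu, or from tpm2-tools. It is constructed: the event log and PCR assignments are sample data, the "attestation key" is an HMAC stand-in for the TPM's asymmetric AK signature (a real verifier checks an ECDSA/RSA signature against the AK certificate), and only the PCR extend rule and the check ordering (authenticate, then freshness, then policy) are meant to be faithful.

```python
"""Toy remote-attestation verifier (constructed example, not project code).

Models the TPM 2.0 PCR extend rule PCR_new = H(PCR_old || measurement),
replays a constructed measured-boot event log to derive the expected
("golden") PCR values, and checks a quote sent by the platform against a
fresh nonce and those golden values.
"""
import hashlib
import hmac

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32          # SHA-256 PCR bank starts all-zero at reset


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend rule: the PCR can only be advanced, never set."""
    return HASH(current + measurement).digest()


def replay_event_log(events):
    """Derive expected PCR values by replaying boot events in order.
    events: list of (pcr_index, description, measured_bytes)."""
    pcrs = {}
    for idx, _desc, data in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), HASH(data).digest())
    return pcrs


def pcr_digest(pcrs, selection):
    """Single digest over the selected PCRs; this is what a quote commits to."""
    return HASH(b"".join(pcrs[i] for i in selection)).digest()


def _quote_body(selection, nonce, digest):
    return b"|".join([bytes(selection), nonce, digest])


def make_quote(pcrs, selection, nonce, ak_key):
    """Platform side: sign (PCR selection, verifier nonce, PCR digest).
    HMAC stands in for the asymmetric AK signature (assumption)."""
    digest = pcr_digest(pcrs, selection)
    sig = hmac.new(ak_key, _quote_body(selection, nonce, digest), HASH).digest()
    return {"selection": list(selection), "nonce": nonce,
            "pcr_digest": digest, "sig": sig}


def verify_quote(quote, expected_pcrs, nonce, ak_key):
    """Verifier side. Returns (ok, reason). Authenticate the evidence first,
    then check freshness, then compare against the golden PCR values."""
    body = _quote_body(quote["selection"], quote["nonce"], quote["pcr_digest"])
    if not hmac.compare_digest(quote["sig"], hmac.new(ak_key, body, HASH).digest()):
        return False, "bad signature: quote not from the enrolled AK"
    if not hmac.compare_digest(quote["nonce"], nonce):
        return False, "stale nonce: quote replayed from an earlier session"
    if not hmac.compare_digest(quote["pcr_digest"],
                               pcr_digest(expected_pcrs, quote["selection"])):
        return False, "pcr mismatch: measured boot chain differs from policy"
    return True, "ok"


# Constructed sample data (not real measurements). PCR numbers loosely follow
# the UEFI convention: 0 = firmware, 4 = boot manager, 9 = kernel.
GOLDEN_LOG = [
    (0, "firmware",   b"uefi-fw-1.2.3"),
    (4, "bootloader", b"shim+grub-signed"),
    (9, "kernel",     b"vmlinuz-6.x-generic"),
]
TAMPERED_LOG = [
    (0, "firmware",   b"uefi-fw-1.2.3"),
    (4, "bootloader", b"grub-unsigned-modified"),   # bootloader replaced
    (9, "kernel",     b"vmlinuz-6.x-generic"),
]
AK_KEY = b"constructed-attestation-key"
SELECTION = [0, 4, 9]


def run_scenarios():
    """Three verifier outcomes: trusted platform, replayed quote, tampered boot."""
    golden = replay_event_log(GOLDEN_LOG)
    nonce1, nonce2 = b"nonce-session-1", b"nonce-session-2"
    good = make_quote(golden, SELECTION, nonce1, AK_KEY)
    tampered = make_quote(replay_event_log(TAMPERED_LOG), SELECTION, nonce2, AK_KEY)
    return {
        "trusted":  verify_quote(good, golden, nonce1, AK_KEY),
        "replayed": verify_quote(good, golden, nonce2, AK_KEY),   # old quote, new challenge
        "tampered": verify_quote(tampered, golden, nonce2, AK_KEY),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:9s} -> {'PASS' if ok else 'FAIL'}: {why}")
```

Two properties of the extend rule carry the security argument: a different bootloader changes PCR 4 and therefore the quoted digest, and because the PCR is only ever extended, the tampered platform cannot "un-extend" its way back to the golden value. The nonce check is what makes the quote evidence of the platform's state now rather than a recording from an earlier, clean boot.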
