The TPMs are on separate chips from the main processor. If something were to man-in-the-middle the communications with the TPM, the hash digests can be "corrected" so the TPM thinks the boot artifacts were in the intended state. At least the ones I've worked with were SPI, but I've seen I2C ones as well. Either way, these are low speed, easy to mess with buses.
Also you want to pay real close attention to how you onboard new devices. The article states
> The EK comes with a x509 cert signed by the manufacture’s PKI. So the EK proves the TPM is legit.
This lets you know the TPM you are performing remote attestation of is made by a particular manufacturer, but an attacker can go buy a TPM chip from the right manufacturer off digikey, and feed it the intended hashes in pcr extend commands. For the attacks the TPM is supposed to prevent, you have to assume they could re-direct the tpm requests your remote validation service is trying to run to their own device by compromising the boot artifacts. You still have to figure out how to make sure your workflows are onboarding the TPM from _your_ hardware, not just a TPM from the same manufacturer.
I had made a dummy client as example and I must say that on development perspectives, it is wild.
There are some Go libraries, which support only RSA instead of EC for TPM Keys, on the C++ side you get most of results in Windows through the CryptoProvider, on Linux and Mac exists own OS solutions/access.
Implementing it isn't trivial at all, otherwise you would already seen (not vibe-coded) open source implementions spawning on GitHub.
Good take - remote attestation doesn't solve all problems on its own but it is a very powerful tool in the platform security toolbox (and very cool "to boot" :P)
Ironic how this post got upvoted in parallel to polar opposite in the #1 slot: "John Deere owners will get the right to repair equipment under FTC settlement" https://news.ycombinator.com/item?id=48838876
Engineers may debate about what-about-isms of vulnerabilities and counterexamples of TPM failures, but that misses the point: We should be debating about where society will be when devices you paid for serve other masters.
Probably we should just write/vibe/demand better software. Otherwise we're going to end up with a law demanding TPMs that watch more than just your firmware...
> If your infra consistently enforces mTLS
This is for mutual authentication in corporate infrastructure. Attestation is a critical security property for these environments.
No it's not. Every corporate network to which I've connected worked just fine without it.
Just because it appears to be working fine doesn't mean you are in control of it. Without hardware attestation, how do you know the machines are running the software you think they are?
If by "debate", you mean I take their advice into consideration and then make my own decision without blindly trusting them, then yes I do.
It is not just about employee devices, but about literally every workload or host running in your corporate infrastructure.
> (Get challenged on that.)
> omg you don't know anything, being without the thing is primitive and everyone sophisticated uses it.
You can see how you can be accused of not actually presenting any arguments here, right? If you're gonna appeal to authority, at least back that appeal up with something.
It's not my job to write an essay in the comments about why mutual authn with RA is desirable in corporate networks, and why the complaints about "freedom" are totally and utterly nonsensical in this context. This is something he can look up very quickly.
> Using a TPM, we can remotely, cryptographically prove a couple of things:
Unless there are exploits..
HN is bizarre. This is just standard infrastructure security practice at any tech company of meaningful size. You are misunderstanding the target use case and audience of this article.
But it's also useful for DRM stuff like authorized 4k blu-ray playback on PCs... which is only allowed on systems with Intel SGX.
Yes, there can be exploits, but hardware exploits over a restricted interface (TPM2) are significantly rarer then normal software vulns. Everything is about risk mitigation, there is no perfect security.
SGX does not cryptographically guarantee this. It cryptographically guarantees that the processor contains a legitimate provisioning key signed by Intel. Intel pinky promises that its processor will then only use this provisioning key in certain ways. This promise is essentially unauditable, and previous SGX bugs have shown that Intel isn't really in a position to make it anyway.
The most likely attacks on Signal involve trusted insiders or configuration errors, and SGX mostly prevents these, since to exploit it, you'd need to bribe insiders in both Signal and Intel, or find configuration errors in both of their software stacks.
Collusion is certainly still possible, but it's much harder to pull off, since it typically requires nation-state-level resources to exploit. Signal does actually have nation-state adversaries, but the vast majority of other software projects don't.
(I personally think that remote attestation is the single biggest risk to the free software movement, but I begrudgingly accept that Signal is a very good use case for it.)
Since there have been multiple SGX key extraction vulnerabilities already, all you would have to do is compromise Signal and then use the key extracted from any of those devices, and "compromise Signal" is the same thing you would have to do if they weren't using SGX at all.
Since there have been with bypass on service X, we should remove auth because all you need is the vulnerability.
Address space layout randomization wouldn't exist with this mindset, and yet it does and helps for many exploits.
SGX is not fully secure. But neither are the other part of the stack. Security (or trust in this case) is done through layers because it's a question of when you'll be vulnerable, not ifs.
That is, the thing that people are actually talking about when they use that term: The means for companies and governments to usurp the ownership of consumer devices.
I'd read the confidential computing post! (used to work in this space myself)
The only way to make remote attestation into a neutral technology is to prohibit privileged keys being loaded (and retained) by device manufacturers. This would make it impossible for arbitrary protocol counterparties to know if their attestation requests are being answered by hardware, or merely emulated in software. This approach is the only way to preserve computing freedom (ie the very concept of protocols that mediate between mutually-untrusting parties) in the presence of this technology.
I'd not be able to put up with that, but more importantly, I'd not want to be in the position where I can't even protest anything because there's no alternative to switch to..
One of the valid use cases on consumer devices is video game anti-cheat software. Theoretically remote attestation can enable them to be less invasive.
With enterprise devices you can enroll a specific device and only allow its key. Someone who finds a vulnerability in a different device model, or even the same device model when they don't have one of your actual devices, can't use it because it's not enrolled. (That doesn't actually require remote attestation, the same works without any kind of TPM, but it mitigates a gaping hole that remote attestation has otherwise.)
Because in the video game case the cheater can choose whatever device they want, so they choose one with a vulnerability, which the developers can't prevent without blocking the millions of innocent people who have the same hardware. It's also the solution to yesterday's problem because cheaters are now using cheat hardware that acts as a user input device, and then attesting to what software is running buys you nothing because the cheating is happening in hardware.
There's also Memory Integrity Enforcement on the iPhone 17 chips which makes all memory exploits detectable by the OS so it can trigger a reboot and report the bug to Apple.
And even when exploits are found, the boot chain attestation means rebooting your iphone always clears out any malware that made it past normal sandboxing. Particularly at risk individuals should enable lockdown mode and periodically reboot.
The main attack left is brute forcing the lock screen password and bypassing the cooldown timer. This seems to be the method most used for getting access to phones. This is defeated by having an actual text password rather than the 6 digit password.
So yes they have advanced hacking tech, but the iphone security is remarkably effective and as a user there are a couple of simple measures that make it pretty much unbreakable.
If you believe you are at risk of having your phone taken and plugged in to a Cellebrite like device, enable Lockdown Mode, set a good password and if possible hit the power button 5 times to disable face id.
As one of our Founding Fathers put it: "Those who give up freedom for security deserve neither."
Remote Attestation: Just Say No.
Ensuring our remote employees’ machines are secure is a serious problem for us, and it’s absolutely impossible to require employees to be diligent. We require attestation upon connection to our corporate VPN that checks for basic things such as latest security patches, certain tools installed, etc.
If your device will attest that it's running their code then they refuse access to the service under any other conditions, and then you can't do any of those things because their code won't allow it.
It's also a huge antitrust problem because it precludes new independent platforms from being used, since it cements the chicken and egg problem that people won't use a device that can't access existing services and the services won't support a system nobody uses. In other words, WINE is banned and Firefox is banned and everyone is stuck with IE/Edge on Windows forever.
It's not that remote attestation can't be used for good. Obviously it can. It's that there's so many ways we can use it for evil, and given the track the world is on, it's quite obvious it will be.
Ben Franklin understood that and so included qualifiers in the quote, which was "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety".
> If your infra consistently enforces mTLS
You won't be able to send email or bank if you aren't running the snitch or any configuration where you could defeat it.
Hell in a boring dystopia run by adults this could theoretically be a good thing! Never miss the next obvious school shooter!
Then look at who actually runs our country.