The presentation discusses attestation in a confidential computing environment and the threats around misconfiguring the platform and guest on its launch. It covers platform measurements, guest measurements, authenticity of attestation reports, and connecting the dots between different components.
- Attestation is necessary to delegate security decisions to a remote relying party
- The trusted computing base for a guest running under SNP starts at the hardware root of trust
- The TCB version is reported in the attestation report for the identity of the mutable firmware
- Guest measurements include image, metadata, and runtime environment
- Authenticity of attestation reports can be determined by comparing the report ID of the migration agent
- Connecting the dots between different components involves chaining trust from a small kernel bootloader to the rest of the system
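The bullets above describe what a relying party has to check before it delegates a security decision: that the report is authentic, that the guest measurement (image, metadata, runtime environment) matches a golden value built up stage by stage, that the mutable firmware's TCB version is acceptable, and that the migration agent's report ID is the expected one. The example below is added here and is not code from the presentation; the report layout, the HMAC stand-in for the platform's hardware signature, the SHA-384 measurement chain and the policy fields are all constructed for illustration rather than taken from any real attestation ABI.

```python
"""Toy relying-party verifier for a confidential-VM attestation report.

Added illustration (assumptions): the report layout, the HMAC that stands in
for the platform's signing key, and the policy fields are constructed here so
that the example runs offline; they do not model a specific vendor's format.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass


# ---- guest measurement: a hash chain over image, metadata and runtime env ----
def extend_measurement(current: bytes, component: bytes) -> bytes:
    """Fold one launch component into the running measurement (SHA-384 chain).

    Chaining, rather than hashing a concatenation, keeps the order of the
    stages significant: bootloader, then image metadata, then runtime config.
    """
    return hashlib.sha384(current + hashlib.sha384(component).digest()).digest()


def compute_measurement(components) -> bytes:
    """Golden measurement over the ordered launch components (48 bytes)."""
    m = b"\x00" * 48
    for c in components:
        m = extend_measurement(m, c)
    return m


# ---- constructed report layout: version | tcb | measurement | report_id | report_id_ma | mac ----
REPORT_FMT = ">IQ48s32s32s"
MAC_LEN = 32


def issue_report(signing_key: bytes, tcb_version: int, measurement: bytes,
                 report_id: bytes, report_id_ma: bytes) -> bytes:
    """Stand-in for the platform producing a signed report (HMAC instead of ECDSA)."""
    body = struct.pack(REPORT_FMT, 1, tcb_version, measurement, report_id, report_id_ma)
    mac = hmac.new(signing_key, body, hashlib.sha256).digest()
    return body + mac


@dataclass
class Policy:
    expected_measurement: bytes   # golden value from compute_measurement()
    min_tcb_version: int          # oldest firmware TCB the relying party accepts
    expected_report_id_ma: bytes  # report ID of the migration agent we trust


def verify_report(report: bytes, signing_key: bytes, policy: Policy) -> list:
    """Return the list of failed checks; an empty list means the report passes.

    Authenticity is checked first: no field of an unauthenticated report is
    trustworthy, so measurement and TCB are only inspected once the signature
    (here the HMAC stand-in) verifies.
    """
    failures = []
    body, mac = report[:-MAC_LEN], report[-MAC_LEN:]
    expected_mac = hmac.new(signing_key, body, hashlib.sha256).digest()
    if len(body) != struct.calcsize(REPORT_FMT) or not hmac.compare_digest(mac, expected_mac):
        return ["signature"]
    _version, tcb, measurement, _report_id, report_id_ma = struct.unpack(REPORT_FMT, body)
    if tcb < policy.min_tcb_version:
        failures.append("tcb_version")
    if not hmac.compare_digest(measurement, policy.expected_measurement):
        failures.append("measurement")
    if not hmac.compare_digest(report_id_ma, policy.expected_report_id_ma):
        failures.append("report_id_ma")
    return failures


def demo() -> dict:
    """Run the checks against a constructed good report and three bad ones."""
    key = b"platform-signing-key-stand-in"          # constructed, not a real key
    components = [b"kernel-bootloader-image",         # constructed launch stages
                  b"metadata: cmdline=console=ttyS0",
                  b"runtime: vcpus=2 mem=4G"]
    golden = compute_measurement(components)
    ma_id = b"\x11" * 32
    policy = Policy(golden, min_tcb_version=5, expected_report_id_ma=ma_id)
    good = issue_report(key, 7, golden, b"\x01" * 32, ma_id)
    tampered = issue_report(key, 7, compute_measurement(
        [components[0], b"metadata: cmdline=init=/bin/sh", components[2]]),
        b"\x01" * 32, ma_id)
    stale = issue_report(key, 3, golden, b"\x01" * 32, b"\x22" * 32)
    forged = bytearray(good)
    forged[-1] ^= 0x01
    return {
        "good": verify_report(good, key, policy),
        "tampered": verify_report(tampered, key, policy),
        "stale": verify_report(stale, key, policy),
        "forged": verify_report(bytes(forged), key, policy),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {'OK' if not result else 'FAIL ' + ', '.join(result)}")
```

Two design points carry over to a real deployment: the signature check is done before any field is trusted and short-circuits the remaining checks, and every comparison of measurement or identifier bytes uses a constant-time compare so that the verifier itself does not leak which byte diverged.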