Private bug reported:
Platform Attestation is a security capability that enables verification
of a system’s integrity and trustworthiness by providing cryptographic
proof of its hardware, firmware, and software state. It allows remote or
local entities (e.g., cloud orchestrators, security services) to
validate that a platform is running trusted and unmodified components.
Attestation is typically rooted in a hardware-based Root of Trust such
as a Trusted Platform Module (TPM) or CPU-based technologies (e.g., AMD
SEV-SNP, Intel TDX). During boot, measurements of firmware, bootloaders,
and OS components are recorded (e.g., in PCRs – Platform Configuration
Registers). These measurements are then signed and reported as
attestation evidence.
Platform Attestation is a key enabler for confidential computing, zero-
trust security models, and secure workload placement in cloud
environments. It ensures that workloads are only deployed on trusted
platforms that meet defined security policies.
In the Linux kernel, attestation support exists through TPM drivers,
Integrity Measurement Architecture (IMA), and user-space tools (e.g.,
tpm2-tools). However, comprehensive integration across firmware, kernel,
virtualization stacks, and cloud orchestration layers requires further
enhancements.
Feature Request:
Requested details to be enabled on OS:
- Enable full platform attestation support using TPM and CPU-based attestation mechanisms.
- Integrate boot-time measurement collection (BIOS/UEFI, bootloader, kernel, modules).
- Support attestation evidence generation and signing (quotes).
- Expose attestation data via kernel interfaces and user-space APIs.
- Integrate with IMA/EVM for runtime integrity measurement and appraisal.
- Support remote attestation workflows (verifier interaction, certificate handling).
- Enable attestation for confidential computing environments (e.g., SEV-SNP, TDX).
- Provide libraries/tools for attestation verification and reporting.
- Integrate with orchestration frameworks (e.g., Kubernetes) for trusted workload placement.
- Ensure secure key provisioning and lifecycle management.
- Enable logging and auditing of attestation events.
- Document attestation architecture, workflows, and deployment models.
Business Justification:
- Establishes trust in platform integrity for enterprise and cloud environments.
- Enables secure workload placement and policy enforcement.
- Supports confidential computing and zero-trust architectures.
- Enhances compliance with security standards and regulatory requirements.
- Protects against firmware and software tampering.
- Improves visibility into system security posture.
References:
- Trusted Computing Group (TCG) TPM 2.0 Specifications
- Linux Kernel TPM, IMA, and EVM Documentation
- Confidential Computing Attestation (SEV-SNP, Intel TDX)
- NIST Guidelines for Platform Integrity and Attestation
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Public to Private
** Summary changed:
- Request for Security Support – Platform Attestation
+ Request for Security Support – Platform Attestation in Ubuntu 26.04
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2146713
Title:
Request for Security Support – Platform Attestation in Ubuntu 26.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2146713/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
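The bug description above outlines the measured-boot flow (measurements extended into PCRs, a signed quote reported as evidence, a verifier checking it against policy) without showing how the pieces fit. The following Python is an added, stand-alone simulation of that flow; it is not code from the bug report, from Ubuntu, or from tpm2-tools. Everything in it is an assumption chosen for illustration: the event log is constructed, the "TPM" is a class holding 24 SHA-256 PCRs, an HMAC stands in for the attestation key's asymmetric signature (a real verifier checks an RSA/ECC signature against the AK certificate), and the quote body is simplified to the composite PCR digest followed by the verifier's nonce. What it does show correctly is the extend rule (new = H(old || digest)), log replay on the verifier side, and the order of checks that catches a forged log, a replayed quote, and a boot that is genuine but out of policy.

```python
import hashlib
import hmac
import secrets

PCR_COUNT = 24
SELECTION = (0, 4, 7)  # PCRs covered by the quote

# Constructed measured-boot event log for this example (not a real TCG log).
# Each entry is (pcr_index, event_data); the TPM extends SHA-256(event_data).
REFERENCE_LOG = [
    (0, b"UEFI firmware volume"),
    (4, b"EFI boot application: shimx64.efi"),
    (4, b"EFI boot application: grubx64.efi"),
    (7, b"SecureBoot=1"),
    (7, b"db: Canonical UEFI CA"),
]


def pcr_extend(current, digest):
    """TPM 2.0 PCR extend: new = SHA-256(old || digest)."""
    return hashlib.sha256(current + digest).digest()


def replay_event_log(events):
    """Recompute all PCRs from an event log, exactly as a verifier does."""
    pcrs = [bytes(32)] * PCR_COUNT  # SHA-256 bank starts at all zeros
    for idx, data in events:
        pcrs[idx] = pcr_extend(pcrs[idx], hashlib.sha256(data).digest())
    return pcrs


def pcr_digest(pcrs, selection):
    """Composite digest over the selected PCRs; this is what a quote signs over."""
    h = hashlib.sha256()
    for idx in selection:
        h.update(pcrs[idx])
    return h.digest()


class SimulatedTPM:
    """Stand-in for a TPM: holds PCRs and an attestation key (AK).
    HMAC replaces the AK's asymmetric signature purely for this example."""

    def __init__(self, events):
        self.ak_key = secrets.token_bytes(32)  # hypothetical AK; never leaves a real TPM
        self.pcrs = replay_event_log(events)   # the platform extended these at boot

    def quote(self, selection, nonce):
        # Simplified quote body: composite PCR digest || verifier-supplied nonce.
        attest = pcr_digest(self.pcrs, selection) + nonce
        sig = hmac.new(self.ak_key, attest, hashlib.sha256).digest()
        return attest, sig


def verify_quote(attest, sig, nonce, ak_key, event_log, golden_pcrs, selection):
    """Verifier-side checks, in the order a remote attestation service applies them."""
    expected_sig = hmac.new(ak_key, attest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return "bad signature"
    quoted_digest, quoted_nonce = attest[:32], attest[32:]
    if not hmac.compare_digest(quoted_nonce, nonce):
        return "nonce mismatch (stale or replayed quote)"
    replayed = replay_event_log(event_log)
    if not hmac.compare_digest(pcr_digest(replayed, selection), quoted_digest):
        return "event log does not reproduce quoted PCRs"
    for idx, expected in golden_pcrs.items():
        if replayed[idx] != expected:
            return f"PCR{idx} violates policy"
    return "OK"


def run_scenarios():
    """Honest boot plus three failure modes; returns scenario name -> verifier result."""
    golden = {7: replay_event_log(REFERENCE_LOG)[7]}  # policy: known-good Secure Boot state
    tpm = SimulatedTPM(REFERENCE_LOG)
    nonce = secrets.token_bytes(32)
    attest, sig = tpm.quote(SELECTION, nonce)
    results = {}
    results["honest"] = verify_quote(
        attest, sig, nonce, tpm.ak_key, REFERENCE_LOG, golden, SELECTION)
    # An attacker rewrites the (unprotected) event log but cannot rewind the TPM's PCRs.
    tampered_log = [(i, b"EFI boot application: evil.efi" if d.endswith(b"grubx64.efi") else d)
                    for i, d in REFERENCE_LOG]
    results["tampered_log"] = verify_quote(
        attest, sig, nonce, tpm.ak_key, tampered_log, golden, SELECTION)
    # An old quote is replayed against a freshly issued nonce.
    results["replayed_quote"] = verify_quote(
        attest, sig, secrets.token_bytes(32), tpm.ak_key, REFERENCE_LOG, golden, SELECTION)
    # The machine really booted with a different db: log and quote agree, policy does not.
    other_log = [(i, b"db: Unknown CA" if d.startswith(b"db:") else d) for i, d in REFERENCE_LOG]
    other_tpm = SimulatedTPM(other_log)
    attest2, sig2 = other_tpm.quote(SELECTION, nonce)
    results["policy_violation"] = verify_quote(
        attest2, sig2, nonce, other_tpm.ak_key, other_log, golden, SELECTION)
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The order of checks matters: the signature binds the PCR digest, the nonce proves freshness, log replay ties the unsigned event log to the signed PCRs, and only then is the reconstructed state compared to policy. Checking policy against the event log alone, without the replay-to-quote comparison, would accept the tampered log.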