
Hardware Attestation

Bridge supports hardware attestation for bare metal servers during the discovery phase. When enabled, Bridge uses a TPM 2.0 chip on the host server to cryptographically verify the host's boot state and firmware integrity before the server is admitted into the infrastructure. Servers that fail attestation are not provisioned and remain in an untrusted state.

Overview

Hardware attestation answers the question: has this server booted from trusted, unmodified firmware? The host's TPM 2.0 chip records a series of measurements (PCR values) that reflect the firmware and boot software loaded during startup. Bridge submits these measurements to a verification service, which compares them against known-good baselines. Only hosts that pass verification receive a valid identity certificate and proceed to the Ready state.

| Concept | Description |
| --- | --- |
| TPM 2.0 | Tamper-resistant hardware chip that stores cryptographic keys and records boot measurements |
| PCR (Platform Configuration Register) | TPM registers that accumulate hash values of each firmware component loaded during boot |
| Endorsement Key (EK) | Factory-provisioned asymmetric key pair unique to each TPM, used to verify TPM identity |
| Attestation Key (AK) | Ephemeral key pair created during attestation, used to sign PCR quotes |
| PCR Quote | Cryptographically signed snapshot of PCR values, proving the TPM's current state |
| Event Log | Binary record of every measurement extended into the TPM during boot |

Attestation Workflow

Bridge runs attestation as part of the host discovery phase (Phase 4 of the DPU boot sequence). The workflow proceeds in six steps:

[Figure: TPM 2.0 attestation workflow, a six-step sequence from key creation through quote verification and certificate issuance]

Step 1: Key Creation

The Bridge Scout agent running on the host interacts with the TPM to create the attestation key hierarchy:

  1. The Scout agent unlocks the TPM dictionary (tpm2_dictionaryUnlocked).
  2. A Token Key (TK) context pair is created.
  3. An Endorsement Key (EK) handle is loaded — the EK is factory-provisioned and cannot be exported.
  4. An Attestation Key (AK) is created: ak-create_ak(ak_handle, SHA256, RSA-PSS).
  5. The public portions of both keys (AK public key, AK name, EK public key) are read and prepared for registration.

Step 2: Register Machine and Receive Challenge

Scout sends the AK and EK public information to Bridge as part of DiscoverMachineHardware. Bridge's attestation service then:

  1. Looks up the EK certificate and validates it against the TPM manufacturer's certificate authority (CA).
  2. Generates a random 32-byte nonce (secret).
  3. Creates a credential challenge using make_credential(ak_pub, ek_pub, ak_name, secret) — this RSA-encrypts the nonce using the EK public key, bound to the AK name.
  4. Stores the (secret, AK public key) pair for later verification.
  5. Returns the credential blob and encrypted secret to Scout.

The certificate is not issued at this stage — the host must prove it controls the TPM before being trusted.

Step 3: Activate Credential (Prove AK Ownership)

Scout passes the credential blob and encrypted secret to the TPM:

  1. An authentication session is opened using HMAC policy.
  2. The Endorsement Hierarchy policy secret is applied.
  3. ActivateCredential(ak_handle, ek_handle, cred_blob, encrypted_secret) is called.
  4. The TPM uses the private portion of its EK to decrypt the nonce and verifies that the AK name matches the bound name.
  5. The decrypted nonce is returned to Scout.

This step proves that the Scout agent is running on a system with access to the correct TPM — a software attacker without the physical TPM cannot pass this step.

Step 4: Get PCR Quote (Platform Measurements)

Scout requests a signed PCR quote from the TPM:

  1. The PCR hash algorithm is detected (SHA256 or SHA384 depending on the platform).
  2. A quote is generated over PCR registers 0–11, covering all firmware and boot components from power-on through OS loader.
  3. The TPM signs the hash of the PCR values using the AK private key (RSA-PSS/SHA256).
  4. The attestation struct and signature are returned to Scout.

| PCR Range | What Is Measured |
| --- | --- |
| PCR 0–3 | UEFI firmware and platform configuration |
| PCR 4–5 | Boot manager and boot variables |
| PCR 6 | Platform manufacturer data |
| PCR 7 | UEFI Secure Boot policy and certificate databases |
| PCR 8–11 | OS loader and kernel |

Step 5: Collect Event Log

Scout reads the binary BIOS event log from the host:

/sys/kernel/security/tpm0/binary_bios_measurements

The event log records every individual measurement that was extended into the TPM during the boot sequence. The log enables the verification service to replay the boot sequence and independently compute expected PCR values.

Step 6: Submit Quote for Verification

Scout submits the complete attestation package to Bridge:

  • Attestation struct and AK signature
  • Decrypted credential (nonce from Step 3)
  • PCR values
  • Machine ID
  • Binary event log

Bridge's verification service then:

  1. Looks up the AK public key by the submitted credential.
  2. Verifies the AK signature over the attestation bytes using the AK public key.
  3. Verifies the PCR hash: recomputes the PCR digest from the submitted PCR values and compares against the attest.quote.pcrDigest field.
  4. Replays the event log to verify that the reported PCR values are consistent with the boot sequence.
  5. Compares computed values against known-good baselines.
  6. Stores the measurement report (machine ID, PCR values) in the Bridge database.
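Check 3 in the list above, sketched as an added example (not Bridge's own code): it parses a marshalled TPMS_ATTEST quote, confirms the selection is exactly PCRs 0–11, and recomputes the PCR digest from the submitted values. It assumes the SHA-256 PCR bank and a SHA-256 quote digest; the function names and the sample quote are constructed for illustration.

```python
import hashlib
import hmac
import struct

TPM_GENERATED_VALUE = 0xFF544347  # magic marking a structure produced inside a TPM
TPM_ST_ATTEST_QUOTE = 0x8018      # attestation type: quote
TPM_ALG_SHA256 = 0x000B
EXPECTED_PCRS = list(range(12))   # the page's quote covers PCRs 0-11


def parse_quote(attest: bytes):
    """Return (selected PCR indices, pcrDigest) from a marshalled TPMS_ATTEST."""
    magic, kind = struct.unpack_from(">IH", attest, 0)
    if magic != TPM_GENERATED_VALUE or kind != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote")
    off = 6
    for _ in range(2):  # skip qualifiedSigner, extraData (u16 size + bytes each)
        off += 2 + struct.unpack_from(">H", attest, off)[0]
    off += 17 + 8  # clockInfo (8+4+4+1 bytes) and firmwareVersion
    (count,) = struct.unpack_from(">I", attest, off)
    off += 4
    selected = []
    for _ in range(count):  # TPMS_PCR_SELECTION: bank alg, bitmap size, bitmap
        alg, nbytes = struct.unpack_from(">HB", attest, off)
        bitmap = attest[off + 3 : off + 3 + nbytes]
        off += 3 + nbytes
        if alg != TPM_ALG_SHA256:
            raise ValueError("example handles the SHA-256 bank only")
        selected += [i for i in range(nbytes * 8) if bitmap[i // 8] >> (i % 8) & 1]
    (size,) = struct.unpack_from(">H", attest, off)
    return selected, attest[off + 2 : off + 2 + size]


def pcr_digest_matches(attest: bytes, pcr_values: dict) -> bool:
    """Recompute the digest over the submitted PCR values and compare to the quote."""
    selected, quoted = parse_quote(attest)
    if selected != EXPECTED_PCRS or any(i not in pcr_values for i in selected):
        return False
    digest = hashlib.sha256(b"".join(pcr_values[i] for i in selected)).digest()
    return hmac.compare_digest(digest, quoted)


def build_sample_quote(pcr_values: dict) -> bytes:
    """Constructed test vector (not real TPM output) with a 0-11 selection."""
    digest = hashlib.sha256(b"".join(pcr_values[i] for i in range(12))).digest()
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
            + struct.pack(">H", 4) + b"name" + struct.pack(">H", 0) + bytes(25)
            + struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + b"\xff\x0f\x00"
            + struct.pack(">H", 32) + digest)
```

The digest comparison is only meaningful after the AK signature over the same attestation bytes has been verified (check 2); an unsigned structure can carry any digest.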

If attestation passes: Bridge issues a valid identity certificate to the machine, which transitions to Ready state.

If attestation fails: The machine remains untrusted and is not provisioned.
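The event-log replay described in Step 5 and in check 4 of Step 6, as an added example rather than Bridge's implementation: it walks crypto-agile TCG_PCR_EVENT2 records, re-extends each digest, and reports which submitted PCR values the log does not reproduce. It assumes the legacy-format header event that begins a real log has already been skipped; the helper names and the sample log are constructed.

```python
import hashlib
import struct

ALGS = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384"}  # TCG alg ID -> hashlib
EV_NO_ACTION = 0x00000003  # informational events: logged, never extended


def parse_events(log: bytes):
    """Yield (pcr_index, event_type, {alg_id: digest}) per TCG_PCR_EVENT2 record."""
    off = 0
    while off < len(log):
        pcr, etype, count = struct.unpack_from("<III", log, off)
        off += 12
        digests = {}
        for _ in range(count):
            (alg,) = struct.unpack_from("<H", log, off)
            size = hashlib.new(ALGS[alg]).digest_size  # unknown alg -> KeyError
            digests[alg] = log[off + 2 : off + 2 + size]
            off += 2 + size
        (event_size,) = struct.unpack_from("<I", log, off)
        off += 4 + event_size  # event data itself is not needed for replay
        yield pcr, etype, digests


def replay(log: bytes, alg: int = 0x000B) -> dict:
    """Recompute PCRs from zero: PCR_new = H(PCR_old || event_digest)."""
    pcrs = {}
    for pcr, etype, digests in parse_events(log):
        if etype == EV_NO_ACTION:
            continue
        old = pcrs.get(pcr, bytes(hashlib.new(ALGS[alg]).digest_size))
        pcrs[pcr] = hashlib.new(ALGS[alg], old + digests[alg]).digest()
    return pcrs


def mismatched_pcrs(log: bytes, reported: dict, alg: int = 0x000B) -> list:
    """PCR indices whose reported value the event log does not reproduce."""
    zero = bytes(hashlib.new(ALGS[alg]).digest_size)
    computed = replay(log, alg)
    return sorted(i for i, v in reported.items() if computed.get(i, zero) != v)


def make_record(pcr: int, etype: int, data: bytes) -> bytes:  # constructed sample
    d = hashlib.sha256(data).digest()
    return struct.pack("<IIIH", pcr, etype, 1, 0x000B) + d + struct.pack("<I", len(data)) + data


# Constructed log: PCR 0 gets two firmware blobs, PCR 7 one Secure Boot variable.
SAMPLE_LOG = (make_record(0, 0x80000008, b"fw-A") + make_record(0, EV_NO_ACTION, b"note")
              + make_record(0, 0x80000008, b"fw-B") + make_record(7, 0x80000001, b"SB=1"))
```

A replay that matches shows only that the log and the quoted PCRs agree; whether the individual measurements are acceptable is the separate baseline comparison in check 5.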

Integration with Host Discovery

Hardware attestation is integrated into the Bridge host discovery flow and runs automatically when enabled:

| Event | Bridge Action |
| --- | --- |
| Host boots Scout agent (Phase 4) | Bridge generates attestation challenge and delivers it to Scout |
| Scout completes TPM key creation | AK/EK information registered with Bridge attestation service |
| Scout submits PCR quote and event log | Bridge verifies measurements against baseline |
| Attestation passed | Machine identity certificate issued, host moves to Ready |
| Attestation failed | Host remains in untrusted state, provisioning blocked |