Remote attestation lets a remote party verify what code is running on a machine, without trusting the machine's operator. The hardware hashes the running code, signs the hash with a key burned into the chip, and the verifier checks the signature against a known-good measurement. The attestation proves the code, not the person.
What gets measured
At launch time, the hardware measures the code loaded into the enclave: the binary, its initial data, and the launch configuration. This measurement is a cryptographic hash. If a single byte of the code changes, the hash changes completely. It is deterministic: the same code always produces the same hash.
Scheme
; Attestation = hash(code) + sign(hash); The verifier knows what hash to expect.; If the measurement matches, the code is authentic.; Simulate with simple hash (real systems use SHA-256)
(define (simple-hash str)
(define (go chars acc)
(if (null? chars) (modulo acc 1000000007)
(go (cdr chars)
(modulo (+ (* acc 31) (char->integer (car chars)))
1000000007))))
(go (string->list str) 0))
; The "code" running in the enclave
(define honest-code "(define (auction bids) (apply max bids))")
(define tampered-code "(define (auction bids) (car bids))")
(define honest-hash (simple-hash honest-code))
(define tampered-hash (simple-hash tampered-code))
(display "Honest code hash: ") (display honest-hash) (newline)
(display "Tampered code hash: ") (display tampered-hash) (newline)
(display "Match? ") (display (= honest-hash tampered-hash)) (newline)
(newline)
; The verifier publishes the expected hash
(define expected-hash honest-hash)
(display "Verifier expects: ") (display expected-hash) (newline)
(display "Honest passes? ") (display (= honest-hash expected-hash)) (newline)
(display "Tampered passes? ") (display (= tampered-hash expected-hash))
The signing key is fused into the chip at manufacturing time. The operator cannot extract it, even with physical access. The chip manufacturer certifies the key, creating a chain of trust: chip manufacturer signs chip key, chip key signs attestation. The verifier traces the chain back to the manufacturer.
Scheme
; Chain of trust for attestation:; Manufacturer -> Chip -> Enclave measurement
(display "Trust chain:") (newline)
(display " 1. Manufacturer burns key into chip") (newline)
(display " 2. Manufacturer publishes chip's public key") (newline)
(display " 3. Enclave loads, hardware measures code") (newline)
(display " 4. Hardware signs measurement with chip key") (newline)
(display " 5. Verifier checks:") (newline)
(display " - Signature valid? (chip key)") (newline)
(display " - Chip key certified? (manufacturer)") (newline)
(display " - Measurement matches expected code?") (newline)
(newline)
(display "The operator never touches the signing key.") (newline)
(display "The verifier never trusts the operator.") (newline)
(display "Trust flows: manufacturer -> hardware -> code.")
What attestation proves (and does not prove)
Attestation proves what code is running, not what the code does. A verifier must independently audit the source code, compile it reproducibly, and compare the hash. Attestation closes the gap between "I audited this source" and "that source is what's actually running on that machine." Without attestation, the operator could run different code.
Scheme
; Attestation proves vs. does not prove
(display "Attestation PROVES:") (newline)
(display " - Exactly this binary is running") (newline)
(display " - The hardware is genuine (chip key)") (newline)
(display " - The operator did not swap the code") (newline)
(newline)
(display "Attestation DOES NOT PROVE:") (newline)
(display " - The code is correct or bug-free") (newline)
(display " - The code does what you want") (newline)
(display " - Side channels are absent") (newline)
(newline)
(display "You still need to audit the source.") (newline)
(display "Attestation bridges: source audit -> runtime.")
Remote attestation