Linux Security Summit North America 2025

This talk will present an empirical study of layered attestation for a cross-domain system. The presentation will overview how we boot the system into a trusted state and extend trust to a runtime.

Using IMA and TPM 2.0 we boot a verified attestation manager into a measured state where it may access its signing key. We prove the key can be used only if the right attestation system makes a request in a good state. Thus, a signature's presence on evidence strongly binds that evidence to the attestation manger.

Once booted, the attestation manger measures and appraises the cross-domain system according to a Copland attestation protocol. It calls LKIM and checks SELinux policy to ensure the underlying Linux system is in a good state. Then it measures CDS components and configurations for runtime appraisal.

We then discuss formal verification and empirical study of the attestation system. Specifically, why should trust the link from boot to runtime and the signing key's signature. We then discuss empirical studies that simulate various attacks illustrating design choices, assumptions and limitations.

Note: Co-authors are - Will Thomas, Logan Schmalz, Adam Petz and Sarah Scott