Remote attestation | How much freedom will it take?

Remote attestation has been around as a technology for decades now. Richard Stallman railed against the freedom it would take in 2005 (gnu.org). A U.S. Senator introduced a bill pushing for mandatory trusted computing chips (ethz.ch). Microsoft developed the Palladium project (later NGSCB) to improve “security” and bring remote attestation and trusted computing to the masses (en.wikipedia.org). Then it all fell apart — Palladium was canceled, the bill didn’t pass, and TPM chips have quietly existed in our PCs for years but have generally been considered benign.

For those who do not know what remote attestation is:

  • Remote attestation lets an external system validate, cryptographically, certain properties about a device.
  • For example, proving to a remote system that Secure Boot is enabled on your Windows PC, with no ability to forge that proof. By extension, this could include loading a kernel driver that proves certain installed applications have not been tampered with.
  • TPM chips, first introduced around 2003–2004 by the Trusted Computing Group, were feared because they enabled this capability (en.wikipedia.org). Until recently, they were used primarily in corporate environments for BitLocker and basic device encryption.
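As an added illustration (not code from the original post), the exchange those bullets describe, reduced to its essentials: the device extends boot events into a PCR, signs a quote over that PCR and a nonce the verifier sent, and the verifier checks the signature against an attestation key it already trusts and the PCR against a golden value for the boot state it requires. Assumptions: a single SHA-256 PCR, an ECDSA P-256 attestation key whose public half the verifier trusts, and a constructed boot event log in place of real firmware measurements.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// extendPCR models TPM PCR extension, pcr = SHA256(pcr || SHA256(event)); order matters and the value cannot be set directly.
func extendPCR(pcr [32]byte, event string) [32]byte {
	ev := sha256.Sum256([]byte(event))
	return sha256.Sum256(append(pcr[:], ev[:]...))
}

// measureBoot replays a (constructed) boot event log into one PCR, starting from zero.
func measureBoot(events []string) [32]byte {
	var pcr [32]byte
	for _, e := range events {
		pcr = extendPCR(pcr, e)
	}
	return pcr
}

// quote is the device side: sign (pcr || nonce); nonce is the verifier's fresh challenge, so old quotes cannot be replayed.
func quote(key *ecdsa.PrivateKey, pcr, nonce [32]byte) ([]byte, error) {
	digest := sha256.Sum256(append(pcr[:], nonce[:]...))
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verify is the relying party: the signature must cover its own nonce and come from a trusted key
// (forged or replayed quotes fail), and the reported PCR must match the policy's golden value.
func verify(trusted *ecdsa.PublicKey, nonce, golden, pcr [32]byte, sig []byte) error {
	digest := sha256.Sum256(append(pcr[:], nonce[:]...))
	if !ecdsa.VerifyASN1(trusted, digest[:], sig) {
		return fmt.Errorf("quote not signed by a trusted attestation key over this nonce")
	}
	if pcr != golden {
		return fmt.Errorf("boot measurements do not match policy")
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // device attestation key (assumed trusted)
	nonce := sha256.Sum256([]byte("challenge-1"))               // stand-in for a random verifier challenge
	golden := measureBoot([]string{"SecureBoot=1", "bootmgr.efi"}) // constructed event log
	sig, _ := quote(key, golden, nonce)
	fmt.Println(verify(&key.PublicKey, nonce, golden, golden, sig))
}
```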

When it was first invented, it was widely feared by Linux users and by Richard Stallman, especially after Secure Boot was rolled out. Could an internet network require that users run up-to-date Windows, with Secure Boot on, and thus completely lock out Linux or anyone who is running Windows in a way Microsoft does not intend? With remote attestation, absolutely.

In practice, though, only corporate networks adopted remote attestation as a condition of joining, and only on their business PCs through the TPM chip (no BYOD here). TPMs have a ludicrous number of certificates needing trust, many in different formats and algorithms (1,681 right now, to be exact), and almost everything that isn’t a PC doesn’t have a TPM. Because of that, building a remote attestation setup with support for a broad variety of devices was, and is, very difficult: easy for a business with a predictable fleet on one platform, almost impossibly complicated for a random assortment of general devices. And so the threat of the TPM, and of remote attestation in general, was dismissed as fearmongering from two decades ago that never became reality.

If only it stayed that way. Remote attestation is coming back and is, in my opinion, a legitimate threat to user freedom once more, and almost nobody has noticed. Not even on Hacker News or Linux circles like Phoronix where many such new technologies and changes are discussed.

Consider the past few years:

Why is Microsoft building their own chip, the Pluton, into new Intel, AMD, and Qualcomm processors? Pluton integrates TPM 2.0 functions and acts as a silicon root of trust for Windows 11 security features (learn.microsoft.com).

Why does Windows 11 require a TPM 2.0 module? (techcommunity.microsoft.com)

Why has every PC since 2016 been mandated to have TPM 2.0 installed and enabled?

What’s with some new video games requiring TPM and Secure Boot on Windows 11? (help.ea.com)

Why do so many apps on Android, from banking apps to McDonalds, now require SafetyNet or Play Integrity checks to ensure your device hasn’t been rooted? (en.wikipedia.org)

What’s the business with Cloudflare, Apple, and “Private Access Tokens” for bypassing CAPTCHAs? Cloudflare’s new approach uses attestation on iOS/macOS to confirm user authenticity (blog.cloudflare.com).

Remember that remote attestation has been possible for decades, but was overly complicated, unsupported on many devices, and just not practical outside of corporate networks. But in the last few years, things have changed.

  • What was once a fraction of PCs with TPMs is now approaching 100% because of the 2016 requirement change and the Windows 11 mandate. In ~5 more years, almost all consumer PCs will have a TPM installed.
  • macOS and iOS added attestation already with the DeviceCheck and App Attest frameworks starting with iOS 11 / macOS 10.15 (developer.apple.com).
  • Google has had SafetyNet for a while, now replaced by Play Integrity, powered by ARM TrustZone. Rooting your device invalidates these attestations, requiring complex workarounds that are gradually disappearing (en.wikipedia.org).

For the first time, remote attestation will no longer be a niche thing, only on some devices and not others. Within a few years, the number of devices supporting remote attestation in some form will quickly approach 100%, allowing remote attestation to jump for the first time from corporate networks into public networks. Remote attestation is a technology that doesn’t make sense when only 70%, or 80%, or 90% of devices have it — only when it reaches >99% adoption does it make sense to deploy, and only then do its effects start to be felt.

We’re already seeing the first signs of remote attestation in our everyday lives:

macOS 13 and iOS 16 now use remote attestation to prove that you are a legitimate user, allowing you to bypass Cloudflare CAPTCHAs via Private Access Tokens (developer.apple.com).

Some video games are already requiring Secure Boot and TPM on Windows 11. According to public reports, they have not fully locked out users without these features, as they still allow virtualized TPMs, Windows 10, and so forth. However, they absolutely do not have to, and they can disable virtualized (untrusted) TPMs and booting without Secure Boot as soon as adoption of Windows 11 and TPM is great enough. Once they shut the door, Windows 11 + Secure Boot + Unaltered Kernel Driver will be the only way to connect to online multiplayer, and it will be about as cryptographically secure against cheating as your PlayStation.

Cisco Meraki powers an insane number of corporate networks. Even in my own life, it was my school’s WiFi, my library’s WiFi, the McDonalds WiFi. Cisco is also a member of the Trusted Computing Group that developed the original TPM and Remote Attestation to begin with. All they must do, once adoption becomes great enough, is update their pre-existing “AnyConnect” app to use TPM/Pluton on Windows, DeviceCheck on iOS/macOS, and Play Integrity on Android/ChromeOS before you join the network. Anyone with an unlocked or rooted device need not apply.

I cannot say how much freedom it will take. Arguably, some of the new features will be “good.” Massively reduced cheating in online multiplayer games is something many gamers could appreciate (unless they cheat). Being able to potentially play 4K Blu-ray Discs on your PC again would be convenient.

What is more concerning is how many freedoms it will take in a more terrifying and unappreciable direction. For example, when I was visiting friends in college, we had to jump through many, many hoops to connect to the school WiFi: WPA2 Enterprise, a special private key, a custom client connection app. It wasn’t fun, and even for me it was almost impossible without the IT desk. If remote attestation had been ready back then, they would absolutely have deployed it. Cloudflare has already shown it is possible for websites to use it to verify the humanity of a user and skip CAPTCHAs on macOS. What happens when Windows gains that ability? Linux users will be left out in the cold completely, as it is simply not practical to digitally approve every Linux distribution and kernel version, distribute a kernel module for them all, and then use that kernel module to verify that the browser, in all its variations, is signed in the same way, without leaving any holes.

Thus, for Linux users, it will start with having to complete CAPTCHAs that their Windows and Mac-using friends will not. But will it progress beyond that? Will websites mandate it more? On an extremely paranoid note, will our government or a large corporation require a driver’s license for the internet, with a digital attestation binding a device to your digital ID in an unfalsifiable way? Microsoft is already requiring a Microsoft Account for Windows 11, including the Pro version. Will a grand cyberattack send deployment of this technology everywhere, and lock out Linux and rooted/jailbroken/Secure-Boot-disabled devices from most of the internet? Will you be able to use a de-Googled phone without being swarmed with CAPTCHAs and having countless apps deny access?

This is a major change of philosophy from the copy protection and DRM systems of yesteryear. Old copy protection systems tried to control what your PC could do and were always defeated. Remote attestation by itself permits your PC to do almost anything you want but ensures your PC can’t talk to any services requiring attestation if they don’t like what your PC is doing or not doing. This wouldn’t have hurt nearly as much back in 2003 as it does now. What if Disney+ decides you can’t watch movies without Secure Boot on? With remote attestation, they could.

I think I’ll end with a reference to Palladium again, Microsoft’s failed first attempt at a security chip from ~2003, cancelled from backlash. It had an architecture that looked like this:

Now compare that diagram with Microsoft’s own FASR (Firmware Attack Surface Reduction). FASR is a “Secured Core” PC technology that is not mandatory yet and not necessarily part of Pluton, but very likely will be required in the future.

All they did was flip the sides around, use a hypervisor instead of separate hardware abstraction layers, and rename NEXUS to “Secure Kernel.” Otherwise, it is almost entirely the exact same diagram as the one from 2003 that was cancelled from backlash. They just waited ~20 years to try again and updated the terminology. (Also of note is the use of the word “Trustlet,” originally coined by ARM TrustZone, which powers Android’s remote attestation system.)

Some things never change.