ukncsc/zero-trust-architecture

Suggestion for #5 Device Health - Extending Health Attestation

Closed this issue · 1 comment

The guidance currently highlights the value of attestation of firmware and operating system, however multiple approaches have been pursued to extend health measurements to provide strong signals for more of the software stack. The NCSC Cloud Client project extends a measured boot process using a combination of DMVerity (with the hash tree verified as part of measured boot) and signed applications (with a certificate verified by measured boot). Cloud Client implements remote attestation compliant with the TCG Trusted Attestation Protocol.

Similarly, the TCG are developing the Remote Integrity Verification standard.

Would it therefore be worth considering adding something along the lines of:
Systems that implement attestation to gain confidence in initial device state may include subsequent cryptographic checks of launched applications and services to extend the breadth of health measurements regarded as strong signals.
?

Thanks
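As an added illustration of the extended measurement chain described in the issue (not code from the Cloud Client project or the NCSC guidance), the following simulates TPM-style PCR extension of firmware and kernel measurements, then folds in the dm-verity root hash and the application-signing certificate so that a remote verifier can treat them as strong signals too. All image bytes, the root hash and the certificate are constructed sample values; the attest() wrapper is a hypothetical helper, not a TCG API.

```python
import hashlib

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || measurement), SHA-256 bank."""
    return hashlib.sha256(pcr + measurement).digest()

def measure_chain(events):
    """Device side: replay ordered (name, data) events into one PCR from zeros,
    recording an event log the verifier can later replay."""
    pcr, log = bytes(32), []
    for name, data in events:
        digest = hashlib.sha256(data).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

def verify_quote(reported_pcr: bytes, event_log, golden):
    """Verifier side: first check the log replays to the quoted PCR (integrity),
    then check every component, including dm-verity root and app cert, against policy."""
    replayed = bytes(32)
    for _, digest_hex in event_log:
        replayed = pcr_extend(replayed, bytes.fromhex(digest_hex))
    if replayed != reported_pcr:
        return False, "event log does not replay to the quoted PCR"
    for name, digest_hex in event_log:
        if golden.get(name) != digest_hex:
            return False, f"{name} measurement not on the allow-list"
    return True, "healthy"

# Constructed sample boot chain for a known-good device.
GOOD_EVENTS = [
    ("firmware", b"constructed-firmware-image-v1"),
    ("kernel", b"constructed-kernel-image-v1"),
    ("dmverity_root_hash", bytes.fromhex("11" * 32)),  # root of the rootfs hash tree
    ("app_signing_cert", b"constructed-app-signing-cert-der"),
]
# Same device after its root filesystem was modified: the dm-verity root changes.
TAMPERED_EVENTS = [e if e[0] != "dmverity_root_hash" else (e[0], bytes.fromhex("22" * 32))
                   for e in GOOD_EVENTS]
# Allow-list derived from the known-good build (would normally come from a release pipeline).
GOLDEN = {name: hashlib.sha256(data).hexdigest() for name, data in GOOD_EVENTS}

def attest(events):
    """Hypothetical end-to-end helper: measure on the device, verify remotely."""
    pcr, log = measure_chain(events)
    return verify_quote(pcr, log, GOLDEN)
```

Because the dm-verity root hash and the signing certificate are extended into the same PCR as the firmware and kernel, a verifier that only trusts the quoted PCR value still rejects a device whose root filesystem or application trust anchor has changed.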

stu-h commented

Yep makes sense, I've added your lines.