Attestation is the process that establishes trust in Confidential Computing. Attestation acts as a digital verification mechanism, ensuring that confidential data is only processed within hardware-based Trusted Execution Environments (TEEs) that have been rigorously vetted.
Google Cloud Attestation provides a unified solution for remotely verifying the trustworthiness of all Google confidential environments. The service supports attestation of confidential environments backed by a Virtual Trusted Platform Module (vTPM) for SEV and the TDX Module for Intel TDX.
Google Cloud Attestation can be applied across the following Google Cloud services:
Confidential Computing service | Confidential Computing technology | Google Cloud Attestation support |
---|---|---|
Confidential VM | AMD SEV | |
Confidential VM | AMD SEV-SNP | |
Confidential VM | Intel TDX | |
Confidential Space | AMD SEV | |
Confidential Space | Intel TDX | |
Confidential GKE Nodes | AMD SEV | |
How Google Cloud Attestation works
Google Cloud Attestation internally gathers endorsements directly from hardware vendors and upholds its own set of reference values and appraisal policies specifically tailored for each confidential environment. It provides APIs for Google Cloud users to fetch attestation result claims tokens.
Google Cloud Attestation collects information from your confidential environment and checks it against approved values and Google-maintained policies. These checks are converted into verifiable claims that adhere to the IETF Remote ATtestation ProcedureS (RATS) Entity Attestation Token (EAT) standard. Then, Google Cloud Attestation provides cryptographic proofs of these claims that can be used by services relying on such claims, such as Secret Manager and Google Identity and Access Management (IAM).
The cryptographic proofs can be validated in the following ways:
Using a public key. For more information, see OIDC tokens. This is the simpler option and works natively with OIDC-compatible applications.
Using a root certificate. For more information, see PKI tokens. This option allows offline verification, without the need for each relying party to discover the verification key. For an end-to-end example of offline validation, see the Use Confidential Space with protected resources that aren't stored with a cloud provider codelab.
RATS architecture overview
The Remote ATtestation ProcedureS (RATS) architecture involves the following primary entities:
Attester: An entity providing evidence of its trustworthiness. In Google Cloud, this is a confidential environment (for example, Confidential VM, Confidential GKE Nodes, or Confidential Space).
Verifier: An entity evaluating the evidence and generating attestation results. This is Google Cloud Attestation.
Relying party: An entity relying on the attestation results to make decisions (for example, a mobile app, storage bucket, or key management system).
The RATS architecture encompasses the following key roles:
Relying party owner: An entity configuring the appraisal policy for the relying party.
Verifier owner: An entity configuring the appraisal policy for the verifier (for example, Google).
Endorser: An entity providing endorsements validating the attester's capabilities (for example, hardware OEMs like AMD, Intel, or Nvidia).
Reference value provider: An entity providing reference values for the verifier to validate the attester's claims.
Passport model attestation workflow
Google Cloud Attestation uses the passport model. The high-level workflow of the passport model involves the following steps:
The attester (confidential environment) requests an attestation result from the verifier (Google Cloud Attestation) by providing evidence.
The verifier evaluates the evidence and issues an attestation result.
The attester presents this result to the relying party.
In this workflow, Google Cloud Attestation acts as the verifier. Confidential environments (such as Confidential VM, Confidential GKE Nodes, or Confidential Space) act as the attester. Relying parties include Thales EKM, Google IAM, and other token brokers.
To ensure the freshness of attestation results, Google Cloud Attestation uses a nonce, a cryptographic number that can be used only once. The attester can provide a random number, agreed upon in advance with the relying party, to the verifier; the verifier binds it into the attestation result. The relying party then checks that the number in the result matches the one it agreed to, which confirms the result is fresh and not a replay.