An attestation service is responsible for assessing the integrity of cloud compute nodes through techniques introduced by the trusted computing technology and trusted platform modules (TPMs). The TPM creates a hash of a boot component and validates the hash against a set of securely stored values.
A remote attestation service is critical for implementing secure compute platforms in the cloud. It checks whether a platform is launched with known-good firmware and software components, communicates the security trust level or trustworthiness of a platform to consumers, and supports visibility and auditability.
In Figure 1, the attestation service receives signed attestations from secure boot verification services. The attestation service validates the signatures on boot measurements and makes the attestations available to authenticated administrators, workflow engines and orchestration engines that need to know the security status of a resource before dispatching a workload.