Platform-agnostic remote attestation with WebAssembly components

Abstract

When communicating with services and functions in the cloud and at the edge, it’s often essential to verify that the communication takes place with a node operating with a trusted configuration, e.g., a specific piece of software running in a Trusted Execution Environment. Remote attestation plays a critical role in establishing such trust between distributed nodes. However, vendor-provided attestation evidence formats differ across hardware platforms (e.g., AMD SEV-SNP, Intel TDX), making verification with different TEE platforms a complex undertaking. This thesis proposes a solution in which each platform’s verification logic is encapsulated into a sandboxed WebAssembly component, which a verifier can load and use through a single, uniform interface with minimal overhead. The implementation leverages the Trustee attestation service framework and implements two WebAssembly components that support the verification of attestation evidence for both AMD SEV-SNP and Intel TDX, facilitating multi-platform attestation in a consistent and secure manner. In addition, the attestation service is integrated with an In-Network Data Fabric to demonstrate its applicability.