Device Attestation Flow (TPM Remote Attestation)
```mermaid
sequenceDiagram
    autonumber
    participant V as Verifier (VPN / cloud service)
    participant D as Device (laptop or VM)
    participant T as TPM / HW Root of Trust
    V->>D: Attestation request (nonce N)
    D->>T: Quote PCRs with nonce N, sign with AIK
    T-->>D: Quote = sign_AIK(PCR0..23 plus N)
    D->>V: Quote + AIK cert + EK cert chain
    Note over V,D: Verifier checks all four:<br/>1. cert chains to known manufacturer<br/>2. signature is valid<br/>3. nonce matches (no replay)<br/>4. PCRs match acceptable-boot policy
    V-->>D: Attestation token (or denial)
```
Trust depends on two things: the manufacturer's EK certificate
(proves the TPM is genuine) AND the verifier's policy of acceptable PCR values
(defines a "good" boot state). Both must be current — a stale policy accepts a
boot state that should now be rejected, and that is the operational footgun.