Show HN: Containerized remote attestation with TPM-style hash chaining (opens in new tab)

(github.com)

3 pointsCalebp1y ago2 comments

I’ve been exploring how remote attestation works and wanted to understand it more deeply, so I built a simple prover–verifier system in Python. It uses TPM-style PCR hash extension, nonces for freshness, and Docker to simulate real-world isolation. The verifier has a web UI where you can upload files to define trusted state, and the prover measures those files and submits a signed quote.

It’s not production-grade, but I’d love feedback if you’re into systems security or want to learn a bit about how attestation works under the hood.

2 comments

hamid_ra1y ago

Does it also run the container in a TEE to attest to code execution, or does it only use a TPM to load the keys for signing resources? Either way, it sounds like a very cool idea! I have to dive into the code.

CalebpOP1y ago

It doesn't use a TEE or a real TPM. I may try to simulate a TPM to get a better feel for what working with that is like, or maybe use the secure enclave. The main thing the project demonstrates is verifying the integrity of files in one container to another container - similar to how measured boot work in remote attestation (or at least my understanding of it).

j / k navigate · click thread line to collapse

2 comments

hamid_ra1y ago

CalebpOP1y ago

j / k navigate · click thread line to collapse