This knowledge base is intended for an experienced audience in confidential computing.
Remote attestation procedures allow a relying party to decide whether or not to trust a remote system on the basis of evidence provided by that system. Trust in the context of remote attestation is defined as (i) having a strongly bound identity; (ii) being built of known, good parts; and (iii) being directly or indirectly observed, via a trusted third party, to be operating as expected. Relying parties obtain attestation evidence from the attester reflecting its behavior or configuration. The evidence is then evaluated by an appraiser or verifier, allowing the relying party to make a trust decision based on the results. The purpose of remote attestation is not to eliminate the threat of undetected change once and for all, but rather to limit an attacker's ability to modify the system without detection.
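The attester, verifier and relying-party flow described above, as an added Python example that is not part of the original page: the verifier checks the three trust properties the text lists (identity binding via the attestation signature, known-good parts via reference values, and freshness via a relying-party nonce). The attestation key, component names and reference digests are constructed, and an HMAC stands in for the asymmetric signature a hardware root of trust would produce.

```python
import hashlib
import hmac
import json
import secrets

# Constructed attestation key shared by the attester and the verifier. A real
# attester signs with an asymmetric key bound to its root of trust; HMAC is a
# stand-in so the example runs with the standard library alone.
ATTESTATION_KEY = b"constructed-attestation-key"

# Constructed reference values: digests of the known, good parts.
REFERENCE_VALUES = {
    "bootloader": hashlib.sha256(b"bootloader-v1").hexdigest(),
    "kernel": hashlib.sha256(b"kernel-v1").hexdigest(),
}


def produce_evidence(components, nonce):
    """Attester: measure each component and sign the claims plus the nonce."""
    measurements = {name: hashlib.sha256(blob).hexdigest() for name, blob in components.items()}
    claims = {"nonce": nonce, "measurements": measurements}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(ATTESTATION_KEY, body, hashlib.sha256).hexdigest()}


def appraise(evidence, nonce, reference_values):
    """Verifier: check identity binding, freshness, then known-good parts."""
    body = json.dumps(evidence["claims"], sort_keys=True).encode()
    expected = hmac.new(ATTESTATION_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, evidence["sig"]):
        return {"trusted": False, "reason": "signature does not verify: identity not bound"}
    if evidence["claims"]["nonce"] != nonce:
        return {"trusted": False, "reason": "stale evidence: nonce mismatch"}
    measured = evidence["claims"]["measurements"]
    missing = sorted(set(reference_values) - set(measured))
    if missing:
        return {"trusted": False, "reason": "components not measured: " + ", ".join(missing)}
    bad = sorted(n for n, d in measured.items() if reference_values.get(n) != d)
    if bad:
        return {"trusted": False, "reason": "unrecognised components: " + ", ".join(bad)}
    return {"trusted": True, "reason": "all measurements match reference values"}


def relying_party_decision(components, reference_values=REFERENCE_VALUES):
    """Relying party: issue a fresh nonce, collect evidence, act on the appraisal."""
    nonce = secrets.token_hex(16)
    return appraise(produce_evidence(components, nonce), nonce, reference_values)
```

A modified kernel image changes its digest, so the appraisal fails on the known-good-parts check; editing the claims after signing fails on the identity check instead.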
What it means for a system to be trustworthy varies with the context under discussion. Assessing the trustworthiness of a device must account for the function it performs.
What matters in remote attestation:
The Trusted Platform Module is complementary to the TEE on platforms without such a hardware-assisted confidential environment. A TPM is able to perform measured boot and, like a TEE, can provide a root of trust and perform remote attestation. While a TPM looks like a TEE, it cannot provide a secure hardware-based computing environment as TEEs can. The cryptographic operations must be performed by the software stack; the TPM can only manage the security keys.
In short, a TPM is a secure crypto processor: it creates, stores, and uses crypto keys.
In short, a TPM protects data in storage while a TEE protects data in use. See also
https://security.stackexchange.com/questions/122738/difference-between-tpm-tee-and-se
A TPM also serves as a root of trust, but a TEE is stronger than a TPM since a TEE can emulate a TPM and provide another root of trust. The de facto implementation of mobile TPMs today is a protected environment inside a hardware-based trusted execution environment (TEE) [23, 24, 32, 45, 46, 54], like ARM TrustZone, which is available on virtually all mobile platforms today; the TPM is implemented as a protected software application inside the TEE.