Brussels / 4 & 5 February 2023


Project Veraison (VERificAtIon of atteStatiON)

(Trying to) making sense of chaos

Veraison is an OSS project that aims at sensibly reducing the complexity associated with the verification of attestation evidence.

Remote attestation is the means by which a computational workload can provide trust metrics about itself as well as the processing environment on which it executes.

Evidence produced by an "attester" is typically used by a relying party to ascertain the attester's security posture, and therefore as a building block to establish trust between the parties involved in distributed computations -- especially those that require a high level of security and privacy, such as in Confidential Computing.

However, an attestation is pointless if its trustworthiness can't be verified.

Verification is, in fact, the central function the entire remote attestation architecture relies upon.

An attestation verifier sits amid a complex network of trust relationships and processes -- including device manufacturing, software life-cycle, and product certification -- and has to make sense of a vast and messy amount of information in order to give the relying party the simple answer it needs to instruct its authorisation policy.

Veraison provides pre-canned software packages addressing different attestation technologies that can be composed into a verification service.

To reduce complexity and fragmentation, Veraison embraces standard interfaces as much as possible while at the same time providing enough flexibility to adapt to technology- and deployment-specific needs.

Veraison has been adopted by the Confidential Computing Consortium in the Linux Foundation.


Thomas Fossati