Attestation on IBM SEL

Reasons for IBM® Secure Execution for Linux® attestation include auditing, image personalization, and aligning with other confidential computing architectures.

As cybersecurity threats evolve and call for mitigation, attestation is being integrated into workflows for cloud-based workloads. IBM SEL, as a superior security architecture, provides an attestation function.

The following examples illustrate possible uses of attestation.

Auditing
Your organization might mandate that an attestation on cybersecurity be included in each department's annual report. That is, annually, a report must be created that shows that cybersecurity measures are in place. This report includes showing that all workloads that run at a cloud provider are safe.
Personalization
Assume that a KVM guest in secure execution mode runs a generic workload, for example, Soda Company Recipe Store. This workload can be bought and used by different soda companies. These companies would want to personalize the KVM guest with individual secrets, such as replacing SSL or TLS keys. Before doing so, they want to verify the integrity of the base image.
Unlocking data
A company provides data in the form of a file system encrypted with LUKS. A KVM guest running in secure execution mode is to process this data. An attester performs the attestation, and sends the LUKS key to this guest only after verifying the guest's integrity. This procedure might be mandated by an external workflow.

For a description of how to attest a KVM guest, see Attesting a KVM guest.