Remote Attestation

The Remote Attestation feature enables each embedded network device (the client) to prove the integrity of its hardware and software state to a remote server (the attestation server). The hardware and software components that can be attested are:
  • the PCR register contents of the client device's TPM chip.

  • hashes of chosen files/binaries/libraries from the client device.

This feature is supported on the Extreme 8720 and Extreme 8520 devices.

The primary function of remote attestation is to detect offline tampering with the firmware and software of the various devices in the network. Because the measurements are taken periodically and reported to the Remote Attestation server, an offline change is caught and flagged at the next attestation cycle, when the reported measurements no longer match the published values.

This feature uses Keylime, an open-source remote attestation project, as the remote attestation server. For more information, see https://keylime.dev.

Note

Configuration of the Keylime Remote Attestation server is outside the scope of this document. Refer to its documentation.

Note

For the supported version of the Keylime Remote Attestation server, see the release notes for this SLX-OS software release.

Remote Attestation works by comparing the hashes reported by each network device with known-good hashes. These known-good hashes are generated when the SLX-OS image is built and are published by Extreme Networks along with the SLX-OS software.

The allowlist is a file containing the hash values of the various SLX-OS components. It is published as both an MS-Excel workbook and a plain-text file, and each SLX-OS release has its own allowlist, released together with the SLX-OS software. To implement Remote Attestation, download the allowlist for your SLX-OS release and upload it to your Keylime server; Keylime then compares the values reported by your network devices against it. Make sure the allowlist matches the exact release running on the devices, since a mismatched allowlist flags every measured file on every device.

Along with the allowlist, Extreme Networks publishes the hash of each boot component. These values are loaded into the Keylime server and compared against the PCR register contents reported by the client device, which verifies the integrity of the boot components.

Remote Attestation uses the Linux® Integrity Measurement Architecture (IMA). IMA maintains a runtime measurement list (SHA-256 hashes) for all, or a selected set of, files, binaries, and libraries on SLX-OS. These measurements are compared against the allowlist to verify their integrity.
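The following is an added worked example, not code from Extreme Networks or from the Keylime project. It shows what the server side of the comparison described above amounts to: replaying an IMA measurement log into a virtual PCR 10, checking each entry's template hash for log integrity, checking each file hash against the allowlist, and comparing the replayed PCR with the value the device quotes. It assumes IMA's default "ima-ng" template with SHA-1 template hashes and a SHA-1 PCR bank, SHA-256 file digests, and a sha256sum-style plain-text allowlist ("<digest>  <path>" per line); the file paths and contents used as sample data are constructed, not real SLX-OS hashes.

```python
import hashlib
import struct

# Assumption: SHA-1 template hashes and PCR bank (IMA's default ima_hash);
# file digests are sha256, as the page says IMA records on SLX-OS.
PCR_LEN = 20
ZERO_PCR = "00" * PCR_LEN
VIOLATION_EXTEND = b"\xff" * PCR_LEN   # IMA extends 0xff..ff for a violation entry


def ima_ng_template_data(algo: str, digest_hex: str, path: str) -> bytes:
    """Serialize the two ima-ng fields as the kernel does before hashing them:
    each field is a 4-byte little-endian length followed by the field bytes.
    d-ng = "<algo>:" + NUL + raw digest; n-ng = path + NUL."""
    d_ng = algo.encode() + b":\x00" + bytes.fromhex(digest_hex)
    n_ng = path.encode() + b"\x00"
    return b"".join(struct.pack("<I", len(f)) + f for f in (d_ng, n_ng))


def template_hash(algo: str, digest_hex: str, path: str) -> str:
    return hashlib.sha1(ima_ng_template_data(algo, digest_hex, path)).hexdigest()


def log_line(digest_hex: str, path: str) -> str:
    """One ascii_runtime_measurements line: PCR, template hash, template, d-ng, n-ng."""
    return f"10 {template_hash('sha256', digest_hex, path)} ima-ng sha256:{digest_hex} {path}"


def parse_allowlist(text: str) -> dict:
    """sha256sum-style allowlist (assumed format): '<hex digest>  <path>' per line."""
    allow = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        allow.setdefault(path, set()).add(digest.lower())
    return allow


def replay_ima_log(log_text: str, allow: dict):
    """Replay the log into a virtual PCR 10 and collect failures.
    Returns (pcr10_hex, [(line_no, reason, path), ...])."""
    pcr = bytes.fromhex(ZERO_PCR)
    failures = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(" ", 4)          # the path is last and may contain spaces
        if len(fields) != 5 or fields[2] != "ima-ng":
            failures.append((n, "unsupported template", line))
            continue
        _pcr_idx, tmpl_hex, _, d_ng, path = fields
        algo, _, digest_hex = d_ng.partition(":")
        if tmpl_hex == ZERO_PCR:
            # A zeroed template hash marks an IMA violation (file changed while being
            # measured); the kernel extends the PCR with 0xff..ff for such entries.
            failures.append((n, "measurement violation", path))
            extend = VIOLATION_EXTEND
        else:
            if template_hash(algo, digest_hex, path) != tmpl_hex:
                failures.append((n, "template hash mismatch (log tampered)", path))
            if digest_hex.lower() not in allow.get(path, ()):
                failures.append((n, "hash not in allowlist", path))
            extend = bytes.fromhex(tmpl_hex)
        pcr = hashlib.sha1(pcr + extend).digest()   # PCR_extend semantics
    return pcr.hex(), failures


def attest(log_text: str, allowlist_text: str, quoted_pcr10_hex: str) -> bool:
    """The device passes only if every entry is intact and allowlisted and the
    replayed PCR 10 equals the value carried in the TPM quote."""
    pcr, failures = replay_ima_log(log_text, parse_allowlist(allowlist_text))
    return not failures and pcr == quoted_pcr10_hex.lower()


# --- constructed sample data (hypothetical paths; not real SLX-OS hashes) ---
def _h(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()

SAMPLE_ALLOWLIST = "\n".join([
    "# constructed allowlist covering two files",
    f"{_h(b'shipped netd binary')}  /usr/sbin/netd",
    f"{_h(b'shipped libc')}  /lib/libc.so.6",
])
CLEAN_LOG = "\n".join([
    log_line(_h(b'shipped netd binary'), "/usr/sbin/netd"),
    log_line(_h(b'shipped libc'), "/lib/libc.so.6"),
])
# Same device after /usr/sbin/netd was replaced offline: its hash is no longer allowlisted.
TAMPERED_LOG = "\n".join([
    log_line(_h(b'shipped libc'), "/lib/libc.so.6"),
    log_line(_h(b'backdoored netd binary'), "/usr/sbin/netd"),
])

if __name__ == "__main__":
    allow = parse_allowlist(SAMPLE_ALLOWLIST)
    for name, log in (("clean", CLEAN_LOG), ("tampered", TAMPERED_LOG)):
        pcr, failures = replay_ima_log(log, allow)
        print(f"{name}: PCR10={pcr} failures={failures}")
```

The replayed PCR value is what ties the log to the hardware: an attacker who edits the log on the device to hide a swapped binary either leaves a template hash that no longer matches the entry's fields, or produces a PCR 10 that the TPM quote does not match.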

Keylime Components

The complete Remote Attestation infrastructure consists of the following components:

Note

Refer to the Release Notes for the supported Keylime version.