91 comments

[ 2.7 ms ] story [ 21.3 ms ] thread
It would be a nice addition if big tech didn't abuse this to shove user-hostile software into devices which the user has paid for (like smartphones).. thanks to this attitude, whenever I see "remote attestation" I associate this with "hostile"..

> Using a TPM, we can remotely, cryptographically prove a couple of things:

Unless there are exploits..

I mean, all tech can be used in different ways. My experience has been much more on the preventing root kits side, rather then vendor lock in.

Yes, there can be exploits, but hardware exploits over a restricted interface (TPM2) are significantly rarer then normal software vulns. Everything is about risk mitigation, there is no perfect security.

Make no mistake. Shoving user-hostile malware down people's throats is the primary use case for this in the consumer space. Bootloader malware is very esoteric right now. Enterprise might have valid use cases beyond screwing people but none of them make sense for a consumer device.
I think consumer devices should have opt-outs for sure. But personally I am much more comfortable with myself and my family having fully locked down apple phones then anything else on the market right now, precisely because of how difficult it is to get persistent malware into that ecosystem.
I get this argument and tell my parents (who know nothing about tech) to get iPhones for this reason but as an economist it is obvious to me the political economy equilibrium implications of this technology are an extreme centralization of power. We are one Covid-like crisis/moral panic away from a regime of only government licensed devices with identity and software integrity attestation can use the internet, and the masses will cheer on the prosecution of the tech nerds who try to circumvent it.
Out of curiosity, do you like ads? I assume you don't.. so how would you react if Apple followed Google and prohibited ad blocking apps + removed that capability from web browsers?

I'd not be able to put up with that, but more importantly, I'd not want to be in the position where I can't even protest anything because there's no alternative to switch to..

You say that, and also remote attestation is how Signal knows it's talking to a legitimate SGX enclave running the expected payload
> running the expected payload

SGX does not cryptographically guarantee this. It cryptographically guarantees that the processor contains a legitimate provisioning key signed by Intel. Intel pinky promises that its processor will then only use this provisioning key in certain ways. This promise is essentially unauditable, and previous SGX bugs have shown that Intel isn't really in a position to make it anyway.

You are 100% correct, but this is still mostly fine: without SGX, you need to completely trust Signal, since it could trivially modify the server-side code. But with SGX, you only need to trust that Signal and Intel won't both collude.

The most likely attacks on Signal involve trusted insiders or configuration errors, and SGX mostly prevents these, since to exploit it, you'd need to bribe insiders in both Signal and Intel, or find configuration errors in both of their software stacks.

Collusion is certainly still possible, but it's much harder to pull off, since it typically requires nation-state-level resources to exploit. Signal does actually have nation-state adversaries, but the vast majority of other software projects don't.

(I personally think that remote attestation is the single biggest risk to the free software movement, but I begrudgingly accept that Signal is a very good use case for it.)

The path to compromise that you describe exists, of course. But it's not the only way. For example, a zero-day in SGX combined with privileged access to AWS infrastructure could compromise Signal's SGX setup without any knowledge or collusion by Signal or Intel. As you note, it is not unreasonable for a project of Signal's stature to expect to face adversaries with such capabilities.
> The most likely attacks on Signal involve trusted insiders or configuration errors, and SGX mostly prevents these, since to exploit it, you'd need to bribe insiders in both Signal and Intel, or find configuration errors in both of their software stacks.

Since there have been multiple SGX key extraction vulnerabilities already, all you would have to do is compromise Signal and then use the key extracted from any of those devices, and "compromise Signal" is the same thing you would have to do if they weren't using SGX at all.

Since there have been multiple 0-day in kernels, we should drop all security boundaries in them because you'd only need execution on the machine and a known vulnerability.

Since there have been with bypass on service X, we should remove auth because all you need is the vulnerability.

Address space layout randomization wouldn't exist with this mindset, and yet it does and helps for many exploits.

SGX is not fully secure. But neither are the other part of the stack. Security (or trust in this case) is done through layers because it's a question of when you'll be vulnerable, not ifs.

When there is a 0-day in the kernel, you patch it. When there is a vulnerability in SGX, the attacker extracts the key from their own hardware from as many devices as they want and can permanently make whatever attestations they want with those keys.
Which makes you update hardware and have a window where you are vulnerable. It's terrible but not a blocker and as long as Intel releases new architectures it isn't much different from software issues. As far as I know, Granite Rapids SGX fused keys (FK0, FK1, GWK, FEK) were not yet extracted. Granite Rapids was released around ~2024 meaning an attacker need to hack the provider and perform a new extraction on SGX.
Being able to come up with compelling use cases for a technology does not redeem that technology from creating a terrible power imbalance that incentives will assure is inevitably abused. Whenever anyone hears "remote attestation", they should think of the already-pervasive Cloudflare CAPTCHA nagwalls, and then think of those becoming something you can only get past by buying a new computer running a proprietary locked-down OS and browser.

The only way to make remote attestation into a neutral technology is to prohibit privileged keys being baked in by device manufacturers. This would make it impossible for arbitrary protocol counterparties to know if their attestation requests are being answered by hardware, or merely emulated in software. This approach is the only way to preserve computing freedom (ie the very concept of protocols that mediate between mutually-untrusting parties) in the presence of this technology.

There's some value in that, but Signal's main security proposition is that you don't have to trust the infrastructure. E2EE means even compromised server software can't read message contents.
He's talking about contact discovery, which can't be solved by just slapping e2ee on it
> none of them make sense for a consumer device.

One of the valid use cases on consumer devices is video game anti-cheat software. Theoretically remote attestation can enable them to be less invasive.

That's the use case it can't really work for.

With enterprise devices you can enroll a specific device and only allow its key. Someone who finds a vulnerability in a different device model, or even the same device model when they don't have one of your actual devices, can't use it because it's not enrolled. (That doesn't actually require remote attestation, the same works without any kind of TPM, but it mitigates a gaping hole that remote attestation has otherwise.)

Because in the video game case the cheater can choose whatever device they want, so they choose one with a vulnerability, which the developers can't prevent without blocking the millions of innocent people who have the same hardware. It's also the solution to yesterday's problem because cheaters are now using cheat hardware that acts as a user input device, and then attesting to what software is running buys you nothing because the cheating is happening in hardware.

Riot Games relaxed the requirements of their Vanguard anticheat by requiring TPM attestation among other things [1].

> It's also the solution to yesterday's problem because cheaters are now using cheat hardware that acts as a user input device

Cheats like these are not as devastating to the game as the ones that read or manipulate memory in the game process itself. You can't see people through walls with cheat hardware acting as a user input device (IOMMU should prevent DMA cheats but those aren't user input devices).

[1] https://xcancel.com/riotgames/status/2069829543276216564

> Riot Games relaxed the requirements of their Vanguard anticheat by requiring TPM attestation among other things

Only on Windows, and then we're back to the thing being a net negative for the consumer again.

> Cheats like these are not as devastating to the game as the ones that read or manipulate memory in the game process itself.

It allows aimbots and the like which are the most common form of cheating and more than enough to destroy the game for other players.

> You can't see people through walls with cheat hardware acting as a user input device (IOMMU should prevent DMA cheats but those aren't user input devices).

For which they can use different cheat hardware.

It's unclear how IOMMU is supposed to prevent this since many hardware devices actually need to access the relevant memory locations, e.g. your drive is going to write directly to the game's memory because that's how the game's code/data gets into memory to begin with or gets reloaded after being evicted when the user doesn't have unlimited RAM.

On top of that, the cheat hardware could attach to the memory slots. Consumer PCs often don't support memory encryption and it wouldn't work for this anyway, since memory encryption is meant for cold boot attacks or similar rather than live analysis/modification. The performance requirements of RAM require block modes like XTS which allow replay attacks (undo cheats) and data flow analysis. Or worse, they just use a replay attack to get ACE on the device that passes attestation.

Attempting to secure a device in the physical possession of the attacker is very challenging and in general should not be the basis of anything you intend to actually be secure.

> whenever I see "remote attestation" I associate this with "hostile"

HN is bizarre. This is just standard infrastructure security practice at any tech company of meaningful size. You are misunderstanding the target use case and audience of this article.

It is true that it is pretty common in large companies. It is also true that it feels very hostile to some people (myself included).
It's absolutely useful for corporate owned infrastructure.

But it's also useful for DRM stuff like authorized 4k blu-ray playback on PCs... which is only allowed on systems with Intel SGX.

Thats not true. Almost no consumer systems ship with SGX.
> This is just standard infrastructure security practice at any tech company of meaningful size.

The problem is, the same features we want for infrastructure are automatically being abused to restrain our consumer hardware - and to make it worse, for barely a good reason at all.

Exactly. Remote attestation is nothing more than an elaborate hashing and signing scheme using trusted hardware and is VERY useful.
The user is choosing to use apps that do remote attestation against the user's will. You can live a perfectly normal life without apps. It's quite annoying that I can't watch full-quality Netflix or use Google Pay on my rooted smartphone, but I'll survive.

TPM's, just like Secure Boot for that matter, can be an amazing security boon if used right. The APIs have been there for ages but only companies like Apple, Google, and Microsoft have started using them because every time someone from the open source community suggests using these technologies you get flooded with people raging on forums about how big tech is coming to subdue us and eat our babies.

You can use this technology to verify that nobody has inserted a Microsoft bootloader into your boot process, or to ensure that only your GrapheneOS smartphone is able to connect to your WiFi. You can make it so border control guards/airport security cannot dump your hard drive and connect to your VPN. The same technology that allows Microsoft to lock down employee laptops can be used to lock out the people that want to threaten your freedom.

> Unless there are exploits..

Everything with a computer in it is unusable if you accept "there may be exploits" as a counterargument. You cannot trust Signal's encryption because there may be exploits. You cannot trust your doctor's heart rate monitor because there may be exploits. You cannot trust your car's speedometer because there may be exploits. You cannot trust your browser to read HN, because there may be exploits.

> The APIs have been there for ages

True. But my impression is that the whole TPM ecosystem is poorly documented. Maybe I just don't know where to look. But to me TPMs are still mostly a black box that prevents me from installing Linux unless I disable secure boot.

To benefit the most from security, you need to understand what the security mechanisms can and cannot do. And I feel that there is no good explanation out there to get starting with playing around with TPMs. If you already work at a big tech company, then you can probably find a mentor who might even have helped write the TPM standards. But if you don't, then it seems to be really hard to learn properly how TPMs can be used.

> But to me TPMs are still mostly a black boxes that prevent me from installing Linux unless I disable secure boot.

Then I think you misunderstand what TPMs are. Secure boot works without TPMs and TPMs are usuable without secure boot. I have secure boot disabled on my laptop (until I have time to figure out how to generate my own keys reliably) but store my SSH keys on the TPM. You can also set up secure boot without ever initializing the TPM.

As for the documentation, the entire interface and the operations it can perform are well-documented: https://trustedcomputinggroup.org/resource/tpm-library-speci... Every command, response, and the logic behind the operation are written out. There's no need to write your own TPM driver, of course; software like https://tpm2-software.github.io/ makes the entire process quite easy. The project even has bash scripts explaining how to do things like storing secrets in the TPM using.

The TPM itself can do multiple things (storing secrets with or without a password ("PIN"), applying brute-force protection, using "measurements" submitted by the OS and firmware as a requirement for unlocking secrets, doing cryptographic operations, random number generation) but most often it's just used to store a key and then keep it locked away from the rest of the computer until you've proven that you're the user/OS that has put the key in there. Combine that with something like disk encryption, or managing a certificate, and you've got a way to protect against even some kernel-level malware.

> You can live a perfectly normal life without apps.

This is getting outdated extremely fast.. Have you heard about at least:

- banking apps being required to do transfers (web login is "insecure")

- government apps in Italy/Brazil enforcing Play Integrity?

- EUDI/age verification, where even EU apps are enforcing Play Integrity?

>But what about attacks after boot? That’s your EDR’s problem. Trusted boot provides the bedrock to build a bunch of other primitives on top of. Including cryptographic proof your EDR is installed and running (at boot), immutable filesystems (verified at boot), signed upgrades, confidential computing, etc. Without it you can’t trust your hosts themselves and can’t make further security guarantees. Houses built on sand and all that.

Good take - remote attestation doesn't solve all problems on its own but it is a very powerful tool in the platform security toolbox (and very cool "to boot" :P)

We use SPIFFE/SPIRE at work. It works well for our use case, remote embedded workflows that need to phone home. It's very exacting: everything must be exactly right for the attestation to succeed. So it takes extra effort when you commit to that path.
It's a nice idea, but I wouldn't design any system on the assumption that a TPM needs to stay secure for the system to be safe. There's been so many exploits. We can consider the iphone as an R & D platform for doing blackbox computations. In that nothing is allowed to run that Apple doesn't want. Protecting that is apples bread and butter and they care about it enough to value critical exploits in the millions. Yet people still find them all the time. I feel like if a company that invests millions in the concept can't make it secure then the concept probably isn't that great.
By that metric we should just pack it all up and call it a day on computing in general; because even despite literal trillions of dollars being spent on it, we still haven't found a way to make it secure.
You can make software secure though since it can be patched. How do you patch hardware if it has design flaws? The whole claim behind these hardware cages is they can't be accessed from outside the cage, period. So IMO, seeing multiple failings of this sort kind of makes me not want to trust it.
Not all computing that is useful must also be absolutely secure. Maybe we just have overextended the use of computers into areas where using them generates too much risk? If so, where is the boundary?
The iPhone is actually working really well. There has never been a widespread malware attack on the iphone. Only highly targeted attacks on individuals. And Apple even has an answer for this as well with Lockdown mode which renders all of those previous exploits impossible.

There's also Memory Integrity Enforcement on the iPhone 17 chips which makes all memory exploits detectable by the OS so it can trigger a reboot and report the bug to Apple.

And even when exploits are found, the boot chain attestation means rebooting your iphone always clears out any malware that made it past normal sandboxing. Particularly at risk individuals should enable lockdown mode and periodically reboot.

there are private exploits built into devices like Cellebrite that the police have access to. The system isn't as infallible as you think. Would not be surprised if the NSA and various hacking groups have stockpiles, too.
The iPhone has two main security systems to counter this, one being lockdown mode which disables USB data while the device is locked, and the other is the iPhone will reboot itself if it hasn't been unlocked for long enough. This puts the device in Before First Unlock state where the encryption keys are wiped from memory. This means no software bug can unlock the device because the encryption keys are derived from the users password.

The main attack left is brute forcing the lock screen password and bypassing the cooldown timer. This seems to be the method most used for getting access to phones. This is defeated by having an actual text password rather than the 6 digit password.

So yes they have advanced hacking tech, but the iphone security is remarkably effective and as a user there are a couple of simple measures that make it pretty much unbreakable.

If you believe you are at risk of having your phone taken and plugged in to a Cellebrite like device, enable Lockdown Mode, set a good password and if possible hit the power button 5 times to disable face id.

Now explain how any of that requires remote attestation.
(I’ll bite and try to steelman) How does a typical user verify that they are running the intended secure software?
The best way to do it would make all persistent storage in the device modular so that the storage device can be attached to a device that isn't booting from it which can thereby verify its contents.

Notice also that remote attestation doesn't enable that. The device can never do that itself since if it was compromised it would just display "attestation passed" on the screen without actually doing it.

The parent comment isn’t about remote attestation. It was a claim that since the iPhone isn’t bulletproof then all security must be pointless.

When the reality is the iPhone is actually quite a good example that great security is possible with enough investment.

> It was a claim that since the iPhone isn’t bulletproof then all security must be pointless.

Nobody was ever making claiming that. The claim is that because it isn't bulletproof, remote attestation is pointless, since it has a different failure mode where once keys can be extracted the attacker can't be deprived of them, so there is no way to return the installed base of existing devices to a state of being able to trust their attestations.

> There has never been a widespread malware attack on the iphone

I had a calendar malware that I had to remove from my sister's iphone just last year.

There's been also (and still has) fake apps with appstore ads, not sure if you count this or not.

your sister’s calendar does not really qualify as “widespread malware attack” :)

and neither do thousands of “fake apps” that no one installs

By malware I meant something that broke the sandbox and gained deep access to the system. Ad ware and slop is a problem and I guess could count under the malware umbrella but it’s much less worrying than an exploit being able to read data from other apps.
Waiting for when one can't boot Windows without running snitch software which analyzes everything you do first to ensure you aren't a pedophile then that you aren't a terrorist then that aren't disloyal or un-American.

You won't be able to send email or bank if you aren't running the snitch or any configuration where you could defeat it.

Hell in a boring dystopia run by adults this could theoretically be a good thing! Never miss the next obvious school shooter!

Then look at who actually runs our country.

This is the dream of corporate authoritarians everywhere. The dystopian nightmare we all warned about because we saw it coming. "Security" is the "think of the children" fearmongering of the current environment.

As one of our Founding Fathers put it: "Those who give up freedom for security deserve neither."

Remote Attestation: Just Say No.

And those who give up security for freedom soon have neither. You need a balance.

Ben Franklin understood that and so included qualifiers in the quote, which was "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety".

Please stop bashing on things you don't understand. This is standard practice for workload authentication in corporate fleets. The article makes the target audience clear:

> If your infra consistently enforces mTLS

Why make the assumption they don't understand? I understand how this tech works and I'm very wary about it being rolled out widely, even if I see the legitimate uses, so I can understand their point. It might not have to do with 'bashing things one doesn't understand'

For example mutual TLS enforcement is something that can happen on my phone to prevent me reading what an app is uploading. It prevents me from auditing things, at least as easily as it used to be: add your key to the trusted keys list and see if e.g. a claim about on-device processing is true. It isn't only the corporate world that uses it, or at least, not only on their own devices

Remote Attestation has valid use cases. I assume that you see problems with e.g. RA backed DRM or tamper protection on consumer devices like smartphones. In an ideal world, a political decision would have to be made about allowed use cases for RA that sets up limits where it conflicts with consumer protections. This isn't a technical problem.
Attestation of any type: A double edged sword, where you are guaranteed to lose freedom. Attestation entrenches, empowers, and enriches other entities that aren't you.

Ironic how this post got upvoted in parallel to polar opposite in the #1 slot: "John Deere owners will get the right to repair equipment under FTC settlement" https://news.ycombinator.com/item?id=48838876

Engineers may debate about what-about-isms of vulnerabilities and counterexamples of TPM failures, but that misses the point: We should be debating about where society will be when devices you paid for serve other masters.

Probably we should just write/vibe/demand better software. Otherwise we're going to end up with a law demanding TPMs that watch more than just your firmware...

I don't think you understand the use case. This is for authentication in corporate networks and environments. Or particularly ambitious homelabs. Attestation is a critical security property for these environments.
> Attestation is a critical security property for these environments.

No it's not. Every corporate network to which I've connected worked just fine without it.

> Every corporate network to which I've connected worked just fine without it.

Just because it appears to be working fine doesn't mean you are in control of it. Without hardware attestation, how do you know the machines are running the software you think they are?

My spouse's local Linux account on my laptop works fine with their password set as their username as well. Is it technically secure, though?
(comment deleted)
The German Healthcare System is moving to the TelematikInfrastruktur 2.0, which has foundations in Zero Trust security, which includes also remote attestation and proof with TPM.

I had made a dummy client as example and I must say that on development perspectives, it is wild.

There are some Go libraries, which support only RSA instead of EC for TPM Keys, on the C++ side you get most of results in Windows through the CryptoProvider, on Linux and Mac exists own OS solutions/access.

Implementing it isn't trivial at all, otherwise you would already seen (not vibe-coded) open source implementions spawning on GitHub.

> you get most of results in Windows through the CryptoProvider

Isn't that what you want on that platform? ADCS even supports issuing remote-attested TPM certs via EK, no need to reinvent the wheel.

> on Linux and Mac exists own OS solutions/access.

I'm not sure what the story is on MacOS, but on Linux the options are definitely lacking. From what I can tell, tpm2-openssl is the most mature solution, but that doesn't support binding to PCRs at all, and validating EK signatures on the server side is left as an exercise to the reader.

> Implementing it isn't trivial at all, otherwise you would already seen (not vibe-coded) open source implementions spawning on GitHub.

If I had to guess, I'd say another issue is that TPM remote attestation is seen as an "enterprise" feature. Open source projects like smallstep support it, but only via their paid enterprise offerings.

Exactly, how Windows exposes the TPM functionalities is a far better experience than in other platforms
Something worth calling out is that, as far as I've seen, most server TPM implementations are not great against physical access attacks. If servers might be physically compromised (eg. you are leaving a server unsupervised in a colo) shenanigans are still possible.

The TPMs are on separate chips from the main processor. If something were to man-in-the-middle the communications with the TPM, the hash digests can be "corrected" so the TPM thinks the boot artifacts were in the intended state. At least the ones I've worked with were SPI, but I've seen I2C ones as well. Either way, these are low speed, easy to mess with buses.

Also you want to pay real close attention to how you onboard new devices. The article states

> The EK comes with a x509 cert signed by the manufacture’s PKI. So the EK proves the TPM is legit.

This lets you know the TPM you are performing remote attestation of is made by a particular manufacturer, but an attacker can go buy a TPM chip from the right manufacturer off digikey, and feed it the intended hashes in pcr extend commands. For the attacks the TPM is supposed to prevent, you have to assume they could re-direct the tpm requests your remote validation service is trying to run to their own device by compromising the boot artifacts. You still have to figure out how to make sure your workflows are onboarding the TPM from _your_ hardware, not just a TPM from the same manufacturer.

I recall an event some years ago around Supermicro that was along these lines. Chips added during manufacturing by nation state that interfered with the operation of the BMC and TPM. Wasn't it the catalyst that pushed hardware supply chain concerns in to mainstream media?
Don't most (all?) modern CPUs have an embedded TPM? Plug-in TPMs were indeed a thing early on, but I thought that was a thing of the past by now. You can't exactly get in between the CPU and another part of the same CPU.

Also, isn't the EK (and therefore its cert) unique per-device, allowing you to tell it apart? The fact that the manufacturer used the same upstream key to sign both certs doesn't matter, just like a CA can sign multiple TLS certs with one root key.

Yeah, if the CPU has a an embedded TPM that would be way better than the external ones. I'll admit that my experience comes from somewhat dated hardware.

The point I was making about registering new EKs/certs into your set of trusted servers. While you can tell the TPMs apart from each other, knowing the EK/cert belongs to your hardware's TPM vs someone else's is the tricky part.

(comment deleted)
TPMs were moved into the Northbridge (I think) many years ago, at least on Intel systems.

PC hardware still isn't tamper resistant though. Memory may be encrypted but its contents can be tampered with in other ways. Only SGX made a serious attempt to be tamper resistant, although Intel eventually sacrificed that to boost performance.

Newer AMD CPUs have TPMs in them.
There's support for encrypted communication with TPMs, but if I remember correctly this is almost never enabled by default.
Have the CPU and the security chip derive their private keys from physical unclonable functions (to prevent extraction), let them exchange public keys once during manufacture, and from that point onward encrypt the SPI bus.

This is what some smartphones seem to do. I don't know if server motherboards do it but it would help a lot against this kind of attack.

GrapheneOS has an implementation of this with their Auditor app. You can use their service or you can use another Android. No freedom lost, just security gained.

https://attestation.app/about

There's also Android's hardware attestation API which apps can use to verify integrity in a more secure and privacy-respecting way than Google Play Integrity.

https://grapheneos.org/articles/attestation-compatibility-gu...

> No freedom lost, just security gained

As far as I can tell, it flags unlocked bootloaders? So this is already huge freedom lost.

With grapheneOS you can lock the bootloader with your own keys. Huge difference. (That said, I don't know if the apps which demand the attestation trust anything but the official grapheneOS keys)
Auditor doesn't cause any issues with your system if there's a problem besides letting you know. It's just for informative purposes so you can determine your system is secure.
The auditor app itself does not result in any loss of freedom, but the widespread availability of remote attestation mechanisms on end-user devices incentivizes others to use it in a manner that does.

A purely local mechanism that lets the user check the integrity of their system is great. Making it easy for third parties to inspect it is a severe violation of user freedom and privacy.

This is an incredibly nice technology that absolutely will be used to prevent you from using your computer as you wish.
This is also the technology that big and small OTT stream provider that they wish they can deploy on us.
It's all about who owns the keys to the machine. Attestation with our own keys is good for us. It becomes a problem when it's the manufacturer's key, the digital fiefdom owner's key or the government's key.
this stuff should only be used for military and other high risk environments. it's an anti-consumer, anti-reuse, e-waste generating nightmare.
> open explainer article

> Uses a lot of acronyms without even saying what they stand for let alone an explanation

> Article entirely unhelpful

Many such cases

I didn't even finish the article because this sort of thing pisses me off too much.
I don't understand how this stuff prevents me from MITM:ing the attestation and routing requests to another device that is clean and attested? I.e. how do you know that the remote TPM belongs to the device you're talking to?
Same way drm works, it’s going to be in layer of hw/sw that you don’t have control over. We don’t have commonly have control on the cpu, chipset, uefi. And on the top side things like widevine on the application layer