RFC-0015: Hardware Attestation

Purpose

Specify how the enclosed enforcement locus is mechanically realized: what hardware root of trust is required, how measurements flow from boot to inference, how artifacts are hash-bound into the custody chain, and what constitutes a valid attestation for the Ontic Assurance Standard.

This RFC fulfills the obligation created by the BOM's full_custody security ingredient. Without this specification, enclosed is a label. With it, enclosed is an engineering contract.

RFC-0013 specifies how input enters the custody chain (client-side attestation). This RFC specifies the server-side enclosure where that input is processed under hardware-attested custody.

The Problem

The Assurance Standard defines three enforcement loci. The first two — post_hoc and pre_emission — can be realized in conventional cloud infrastructure. The third — enclosed — cannot.

enclosed requires:

Non-bypassable execution. The gate cannot be circumvented by any software path.
Attested artifacts. Model weights, prompt templates, and policy configurations are hash-bound and measured.
Full chain of custody. Every step from input to output is signed, logged, and independently verifiable.
Non-repudiable origin. The client that initiated the request is cryptographically identified (RFC-0013).

These properties cannot be asserted by software alone. They require a hardware root of trust.

Governing Syllogisms

Syllogism 5 — Why Enclosed Execution Enables Full Chain of Custody

Premise 1: Claims can bypass enforcement if execution paths are not fully controlled. Premise 2: Attested, enclosed execution prevents bypass and allows complete provenance tracking. Conclusion: Only enclosed execution enables a provable end-to-end chain of custody.

Syllogism 6 — Why Hosted Models Cannot Provide Strong Guarantees Without Attestation

Premise 1: A system cannot attest to the behavior of components it does not control. Premise 2: Hosted inference without attestation provides no guarantees about execution integrity. Conclusion: Hosted models can only be used for strong guarantees if execution is remotely attested and bound into custody.

Syllogism 8 — Why Life & Safety Domains Require Enclosed Enforcement

Premise 1: In life-safety domains, incorrect claims can cause irreversible harm. Premise 2: Post-hoc detection and labeling do not prevent irreversible harm. Conclusion: Life-safety domains require enclosed, pre-emission enforcement with authoritative sources of record.

Architecture: The Ontic Appliance

An Ontic Appliance is a compute boundary within which all BOM ingredients operate under hardware-attested custody. It is not a physical device — it is a logical enclosure backed by a hardware root of trust.

Reference Implementation: AWS Nitro

The reference implementation uses Amazon EC2 Nitro System instances with NitroTPM enabled.

┌─────────────────────────────────────────────────────────┐
│                    Ontic Appliance                       │
│                                                         │
│  ┌─────────────┐  ┌──────────┐  ┌───────────────────┐  │
│  │   Model      │  │  Oracle   │  │  Ontology          │  │
│  │  (governed   │  │ (curated  │  │  (formal,          │  │
│  │   finetune)  │  │ versioned)│  │   hash-bound)      │  │
│  └──────┬───────┘  └────┬─────┘  └────────┬──────────┘  │
│         │               │                 │              │
│  ┌──────▼───────────────▼─────────────────▼──────────┐  │
│  │              Mechanical Gate                        │  │
│  │   (non-bypassable authorize/refuse enforcement)    │  │
│  └──────────────────────┬────────────────────────────┘  │
│                         │                                │
│  ┌──────────────────────▼────────────────────────────┐  │
│  │           Custody Envelope Signer                   │  │
│  │   (signs input, output, log, attestation report)   │  │
│  └─────────────────────────────────────────────────────┘  │
│                                                         │
│  ┌─────────────────────────────────────────────────────┐  │
│  │           NitroTPM / Hardware Root of Trust          │  │
│  │   PCR[0–7]: firmware, bootloader, kernel, init      │  │
│  │   PCR[8–15]: application, model hash, policy hash   │  │
│  └─────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────┘
         │                              ▲
         ▼                              │
    Signed Output                  Signed Input
  (envelope + attestation)     (RFC-0013 InputAttestation)

Why Nitro

The AWS Nitro System provides:

NitroTPM 2.0 — FIPS 140-2 Level 3 compliant TPM, hardware-isolated from the hypervisor.
Nitro Enclaves — Isolated compute with no persistent storage, no network access, no admin SSH. Code runs in a cryptographically attested environment.
Instance identity documents — Signed attestation of instance metadata, AMI ID, and launch configuration.
No operator access — Nitro's security model prevents even AWS operators from accessing customer data on the instance.

Other hardware roots of trust (Azure Confidential Computing, GCP Confidential VMs, on-premises HSMs) MAY be used if they satisfy the measurement and attestation requirements defined below.

Measurement Chain

The appliance maintains a measurement chain from boot to inference. Each layer measures the next before transferring control.

Boot Measurements (PCR 0–7)

PCR	Measures	Verification
0	Firmware (UEFI)	Expected hash from AMI manifest
1	Firmware configuration	Expected hash from launch template
2–3	Bootloader	Expected hash from signed boot image
4	Kernel + initramfs	Expected hash from signed OS image
5–7	Reserved / platform-specific	Vendor attestation

Boot measurements are taken by the NitroTPM before any application code executes. They establish that the execution environment has not been tampered with.

Application Measurements (PCR 8–15)

PCR	Measures	Verification
8	Ontic runtime binary	Hash of signed, versioned runtime release
9	Model artifact	`model_artifact_hash_bound` — hash of weights file
10	System prompt artifact	`prompt_artifact_hash_bound` — hash of compiled prompt
11	Policy artifact	`policy_artifact_hash_bound` — hash of ontology + gate rules
12	Oracle configuration	Hash of oracle binding configuration
13	Gate binary	Hash of mechanical gate implementation
14–15	Reserved	Future use

Application measurements are taken by the Ontic runtime at startup, before any inference begins. They establish that the artifacts loaded match the expected versions.

Runtime Measurements

During operation, the runtime continuously measures:

Input hash — SHA-256 of each incoming request payload, after RFC-0013 InputAttestation verification.
Inference context hash — Hash of the assembled context (prompt + state + evidence) before model invocation.
Output hash — SHA-256 of raw model output before gate evaluation.
Gate decision — The authorization/refusal decision, with the state that produced it.
Envelope hash — SHA-256 of the signed output envelope.

All runtime measurements are written to the immutable log and included in the attestation report.

Artifact Hash Binding

The BOM's full_custody security ingredient requires three artifact hashes:

requires:
  - model_artifact_hash_bound
  - prompt_artifact_hash_bound
  - policy_artifact_hash_bound

Binding Protocol

At build time: Each artifact (model weights, compiled prompt, policy configuration) is hashed with SHA-256 and the hash is recorded in a signed manifest.
At deploy time: The manifest is loaded into the appliance. The runtime hashes each artifact on disk and compares against the manifest. Mismatch → refuse to start.
At boot time: Verified hashes are extended into application PCRs (9, 10, 11).
At attestation time: The TPM produces a signed quote over all PCRs. A remote verifier can confirm that the running artifacts match the expected manifest.

Artifact Versioning

Artifacts are versioned using the drift detection protocol (RFC-0011). A hash change implies a version change. Version changes invalidate cached authorizations and require re-attestation of the appliance.

Attestation Protocol

Attestation is the mechanism by which a remote party verifies that an appliance is running the expected software on the expected hardware.

Attestation Flow

                  Verifier                          Appliance
                     │                                  │
                     │──── Nonce ───────────────────────▶│
                     │                                  │
                     │                    TPM Quote(PCRs, nonce)
                     │                    + Instance Identity Doc
                     │                    + Artifact Manifest
                     │◀── Attestation Report ───────────│
                     │                                  │
              Verify signature chain                    │
              Verify PCRs match policy                  │
              Verify nonce freshness                    │
              Verify artifact hashes                    │
                     │                                  │
                     │──── Attestation Result ──────────▶│
                     │     (valid_until, session_key)   │

Attestation Report Contents

interface AttestationReport {
  // Hardware identity
  instance_id: string;
  instance_type: string;
  ami_id: string;
  region: string;

  // TPM quote
  pcr_values: Record<number, string>; // PCR index → hex digest
  tpm_signature: string; // TPM2_Quote signature over PCRs + nonce
  tpm_certificate_chain: string[]; // EK → Intermediate → Root

  // Artifact manifest
  artifacts: {
    model: { version: string; sha256: string };
    prompt: { version: string; sha256: string };
    policy: { version: string; sha256: string };
    runtime: { version: string; sha256: string };
    gate: { version: string; sha256: string };
  };

  // Freshness
  nonce: string;
  timestamp: string;
  valid_until: string;

  // Signature
  report_signature: string; // Signed by instance identity key
}

Attestation Frequency

Trigger	Action
Appliance boot	Full attestation required before serving traffic
Artifact change	Re-attestation required (new PCR values)
Periodic interval	Re-attestation every 24 hours (configurable)
Verifier request	On-demand attestation with fresh nonce
Anomaly detection	Immediate re-attestation

Custody Envelope

Every output from an enclosed appliance is wrapped in a custody envelope that chains all measurements together. This extends the authorization envelope (RFC-0009) with hardware-attested provenance, and binds to the input attestation (RFC-0013).

interface CustodyEnvelope {
  // The authorization envelope (RFC-0009)
  authorization: AuthorizationEnvelope;

  // Chain of custody proof
  custody: {
    // Input provenance (from RFC-0013)
    request_hash: string;
    client_signature: string;
    client_certificate_fingerprint: string;
    input_attestation_hash: string; // Hash of RFC-0013 InputAttestation

    // Execution provenance
    appliance_attestation: AttestationReport;
    inference_context_hash: string;
    model_output_hash: string;
    gate_decision: GateDecision;

    // Artifact versions (from PCR-bound manifest)
    artifacts: {
      model: { version: string; sha256: string };
      prompt: { version: string; sha256: string };
      policy: { version: string; sha256: string };
    };

    // Timing
    request_received_at: string;
    inference_started_at: string;
    gate_evaluated_at: string;
    response_signed_at: string;

    // Immutable log reference
    log_sequence_number: number;
    log_hash: string; // Hash of this entry in the append-only log
  };

  // Appliance signature over the entire envelope
  envelope_signature: string;
  signing_key_attestation: string; // Proves key is bound to attested TPM
}

Immutable Log

The appliance maintains an append-only log of all operations. The log is:

Append-only — Entries cannot be modified or deleted. Enforced by hash chaining (each entry includes the hash of the previous entry).
Hash-chained — Tampering with any entry invalidates all subsequent hashes.
Externally anchored — Log head hash is periodically committed to an external witness (e.g., AWS CloudWatch Logs with integrity validation, or a transparency log).
Retained — Log retention meets the retention_policy_defined requirement from full_custody.

Log Entry Schema

interface CustodyLogEntry {
  sequence: number;
  previous_hash: string;
  timestamp: string;
  event_type:
    | "request"
    | "inference"
    | "gate_decision"
    | "response"
    | "attestation"
    | "error";
  payload_hash: string;
  pcr_snapshot?: Record<number, string>; // Included on attestation events
  entry_hash: string; // SHA-256(sequence + previous_hash + timestamp + event_type + payload_hash)
}

Key Rotation

The full_custody security ingredient requires key_rotation_policy. The appliance enforces:

Key Type	Rotation Period	Mechanism
Appliance signing key	90 days	New key generated in TPM; old key archived with overlap period
Client certificates	Per customer policy	Certificate expiry enforced at request validation
Log anchoring key	90 days	Rotated alongside appliance signing key
TLS termination	90 days	Automated via ACME or internal CA

Key rotation triggers re-attestation. The new signing key's attestation proves it was generated inside the same measured environment.

Failure Modes

The appliance has a strict failure hierarchy. When in doubt, refuse.

Failure	Behavior	Rationale
TPM attestation fails at boot	Appliance does not start	No root of trust → no custody
Artifact hash mismatch	Appliance does not start	Tampered artifacts → no integrity
Periodic re-attestation fails	Appliance stops serving	Custody continuity broken
Client signature invalid	Request rejected (401)	Non-repudiable origin required
Input attestation invalid	Request rejected (400)	RFC-0013 chain broken
Log write fails	Appliance stops serving	Broken log → broken custody chain
Gate unreachable	Request rejected (503)	No gate → no authorization
Oracle unreachable	Fallback per RFC-0010	Degraded mode, never silent bypass

Invariant: The appliance MUST NOT serve a response if any link in the custody chain is broken. A broken chain at the enclosed locus is not a degraded mode — it is a hard stop.

BOM Ingredient Realization

This RFC specifies the mechanical realization of every BOM ingredient required by the enclosed locus:

BOM Ingredient	Value	Realized By
`model`	`governed_finetune`	Self-hosted weights, hash-bound to PCR 9
`oracle`	`curated_versioned`	Versioned oracle data, hash-bound to PCR 12
`ontology`	`formal`	Machine-checkable ontology, hash-bound to PCR 11
`system_prompt`	`compiled_measured`	Ontology-derived prompt, hash-bound to PCR 10
`gate`	`mechanical`	Non-bypassable binary, hash-bound to PCR 13
`security`	`full_custody`	NitroTPM attestation, hash-chained log, signed I/O
`signed_client`	`required`	RFC-0013 InputAttestation, verified at appliance ingress
`training`	`cooperation` or `boundary`	Governed finetune with cooperation/boundary objectives

Standards Alignment

Standard	How This RFC Aligns
IETF RATS (Remote Attestation Procedures)	Attestation protocol follows the RATS architecture: Attester (appliance) → Verifier → Relying Party
Confidential Computing Consortium	NitroTPM / Nitro Enclaves provide measured, isolated execution
TPM 2.0 (ISO/IEC 11889)	PCR extension, TPM2_Quote, EK certificate chain
SLSA v1.0	Extended from build provenance to inference provenance — artifact hashes bound at build, verified at deploy, measured at runtime
NIST SP 800-155 (BIOS Integrity Measurement)	Boot measurement chain (PCR 0–7)
FIPS 140-2 Level 3	NitroTPM hardware isolation meets Level 3 requirements

Relationship to Other RFCs

RFC	Relationship
RFC-0002	Oracle verification — enclosed appliance binds oracle configuration into custody
RFC-0007	Opaque boundary — the appliance is the physical realization of opacity; the model process cannot access gate logic or PCR values
RFC-0009	Authorization envelope — the custody envelope wraps the authorization envelope with hardware-attested provenance
RFC-0010	Fallback modes — when custody breaks, fallback is a hard stop, not degraded service
RFC-0011	Drift detection — artifact hash changes trigger re-attestation and version invalidation
RFC-0012	Agentic governance — an agentic system at `enclosed` locus requires both RFC-0012 emission governance and RFC-0014 hardware custody
RFC-0013	Enclosed execution — RFC-0013 provides client-side input attestation; this RFC provides server-side execution attestation

Acceptance Criteria

A system is compliant with RFC-0014 if:

All inference executes within a hardware-attested boundary with a TPM 2.0 (or equivalent) root of trust.
Boot measurements (PCR 0–7) are verified against a signed expected-values policy before the appliance serves traffic.
Application artifacts (model, prompt, policy, gate, runtime) are hash-bound to PCRs 8–13 and verified at startup.
Runtime measurements (input, context, output, gate decision) are recorded for every inference.
An attestation report with fresh nonce can be produced on demand and verified by a remote party.
Every request carries a verified RFC-0013 InputAttestation (signed_client: required).
Every response is wrapped in a custody envelope that chains client identity → input attestation → appliance attestation → artifacts → gate decision → signed output.
The immutable log is append-only, hash-chained, and externally anchored.
The appliance hard-stops (refuses to serve) if any link in the custody chain breaks.
Key rotation occurs per policy and triggers re-attestation.