Why Nobody Can Verify What Booted Your Server
24 points by Foxboron
The other key bit here (lightly touched on in the vTPM section but not generalised) is that modern TCBs are too big to make any meaningful claims about. Until you address that problem, there’s little you can do about any of this. We designed Arm’s CCA to try to improve on this: the root of trust measures EL3, EL3 measures the RMM, both of which are on the order of single-digit thousands of lines of code and amenable to formal verification. You can then deploy arbitrarily small things in realms and have measurements of those from the RMM. But if you boot Linux or Windows in a Realm, your claim is basically meaningless a few seconds later because the number of possible states of these systems is huge and includes a lot of compromised ones.
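An added illustration of the measurement chain the comment describes (not the commenter's code and not Arm's CCA implementation): a hash-chained boot log of constructed firmware blobs, a verifier that replays it against reference digests, and a realm whose memory is modified after boot to show why the boot-time claim says nothing about later state. Stage names and byte strings are made up for the example.

```python
import hashlib

ZERO = "00" * 32  # constructed initial register value

def measure(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def extend(register: str, digest: str) -> str:
    # TPM-style extend: register = H(register || digest), so order matters
    return hashlib.sha256(bytes.fromhex(register) + bytes.fromhex(digest)).hexdigest()

def boot_chain(components: dict) -> tuple:
    """Each stage measures the next before handing over control:
    root of trust -> EL3 -> RMM -> realm payload. Returns (event log, register)."""
    register, log = ZERO, []
    for stage in ("el3", "rmm", "realm_payload"):
        digest = measure(components[stage])
        log.append((stage, digest))
        register = extend(register, digest)
    return log, register

def replay(log: list) -> str:
    register = ZERO
    for _, digest in log:
        register = extend(register, digest)
    return register

def verify_attestation(log: list, register: str, reference: dict) -> bool:
    # The log must replay to the (assumed signed) register, and every stage
    # must match a known-good digest; one changed byte anywhere fails.
    if replay(log) != register:
        return False
    return all(reference.get(stage) == digest for stage, digest in log)

# Constructed known-good images and the reference values a verifier would hold.
GOOD = {"el3": b"el3 firmware v1", "rmm": b"realm management monitor v1",
        "realm_payload": b"tiny verified service"}
REFERENCE = {name: measure(blob) for name, blob in GOOD.items()}

class Realm:
    """A realm: its payload is measured once at load; its memory then evolves."""
    def __init__(self, payload: bytes):
        self.log, self.register = boot_chain({**GOOD, "realm_payload": payload})
        self.memory = bytearray(payload)  # runtime state, never re-measured

    def attest(self) -> tuple:
        return self.log, self.register

def boot_time_claim_still_holds(realm: Realm) -> bool:
    # True even after realm.memory has changed: the evidence covers what was
    # loaded, not the huge space of states a large OS can reach afterwards.
    return verify_attestation(*realm.attest(), REFERENCE)
```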