The Problem
Your computer can tell whether it has been tampered with. That's a genuinely useful capability: detecting bootkits, verifying that the boot chain is intact, and proving to you that your own machine hasn't been modified without your knowledge.
The problem is that current implementations of this capability fuse two separable things into one mechanism controlled by someone other than you. The trust root belongs to the vendor. The attested property is vendor-approved software identity rather than bare integrity. And increasingly, the result is used to gate what you're allowed to do with your own hardware.
The Solution
This standard describes a method that keeps the useful capability, measured boot and integrity attestation, while fixing who controls it, what it says, and what it can do.
The Two Principles
Principle I — Integrity is reported to the owner; it is never a permission granted to a stranger.
The platform can learn, with cryptographic confidence, that its boot chain is intact or tampered. It can show that to you, log it, and surface it in diagnostics. No local code path that gates, disables, or conditions the device's function may consume that result. A platform whose measurement indicates tampering operates with the same full capability as one that does not. The only thing that varies is the label shown to the owner and the record written to an integrity log.
Principle II — Attest integrity, not identity. The root belongs to the owner.
The attestation asserts that the boot chain is integrity-intact and vouched by a root the owner controls. It does not assert which operating system, whose signature, or what vendor produced the booted software. The trust root is held by and re-provisionable by the owner, through a takeover path that the vendor cannot disable. There is no vendor registration of the platform and no requirement to contact a vendor server to boot or install an OS.
This second principle is the load-bearing one. By refusing to attest vendor identity and attesting only bare integrity, the method removes the discrimination lever: a relying party can verify a platform isn't rootkitted, but the attestation vocabulary contains no term by which to require a specific vendor's operating system. Lock-in is not merely discouraged. It is inexpressible in the protocol.
The Four Integrity States — All Fully Functional
Every boot resolves to one of four states. In all four, the platform receives full, unconditioned function.
| State | What it means | What you see |
|---|---|---|
| Intact — owner-vouched | Measurements match a reference the owner has accepted | "Boot integrity verified" |
| Intact — reference unknown | Measurements are self-consistent but match no accepted reference | "Boot measured — no reference to compare against" |
| Changed | Measurements differ from the owner's accepted reference | "Boot chain changed since last accepted state" |
| Unmeasured | No measured-boot facility present or owner disabled measurement | "Boot integrity not measured" |
The "Changed" row is the one that matters. On detecting a boot-chain change, which may be a legitimate update or may be tampering, the platform informs you and continues operating at full capability. It does not refuse to boot. It does not lock the disk. It does not phone a vendor. You see the change, compare it against what you expect, and decide.
How It Works
The platform contains a hardware root of trust with three mandatory properties:
- Owner takeover is mandatory and undisablable. You can clear the root and provision your own key. A vendor cannot disable, gate, or remotely veto this. A device whose root cannot be re-owned is non-conformant.
- Bare measurement is vendor-neutral. The measured-boot facility records hashes of each boot stage. The registers record what was measured; they do not encode, require, or privilege any vendor's signature.
- No vendor authorization in the boot path. Booting, installing an OS, and taking ownership require no network call to and no authorization from any vendor. The root operates fully offline.
A quote produced under this method asserts exactly two facts: the accumulated boot measurements, and that the quote is signed by an owner-provisioned key. A relying party learns that this platform's boot chain hashes to a particular value, attested by an owner-held key. It can compare that against a reference the owner or a community publishes. It cannot learn, and the protocol provides no field by which to require, that the platform runs any particular vendor's software.
Signature-checked boot, when the owner wants it, is preserved as an owner-set local policy rooted in keys the owner enrolled: never a vendor default, never rooted in a vendor key, and always resettable via the takeover ceremony.
Remote attestation is owner-mediated. Every request is surfaced to the owner and requires consent. Declining or being unable to satisfy a request never degrades any local function. The attestation declined path costs the owner nothing on their own device.
Who Can Use This
Anyone. Any device manufacturer, firmware author, operating system, security-coprocessor maker, institution, or owner can implement this method without permission, license, or attribution. It is published to establish public prior art, ensuring that non-gating, owner-sovereign attestation remains in the public domain and cannot be exclusively claimed by any entity.
An accompanying open specification and reference implementation defines the concrete quote wire format, measurement-register layout, and owner-takeover ceremony in normative detail, so a de-facto open standard can form around the method rather than around a single vendor's root.