| Internet-Draft | HAT | May 2026 |
| Condrey | Expires 2 December 2026 | [Page] |
This document specifies Hardware Attestation of Time (HAT), a mechanism for binding computation duration to TPM 2.0 hardware- attested time. HAT obtains TPM2_GetTime() readings before and after a computation, both signed by an Attestation Identity Key (AIK), producing a "temporal sandwich" that proves minimum elapsed time even when the platform operator is adversarial. This document defines the proof construction, wire format, and verification procedure, and maps HAT to the RATS architecture (RFC 9334).¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 2 November 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
Remote attestation protocols verify temporal claims: that a computation took at least a certain duration, that events occurred in order, or that a process was active during a claimed interval. Software timestamps are trivially forgeable. [RFC3161] Timestamp Authorities provide trusted timestamps but require network connectivity and attest only to signing time, not computation duration.¶
TPM 2.0 devices contain a monotonic hardware clock that cannot be rolled back without triggering detectable state changes. The TPM2_GetTime command [TPM2-Commands] returns the current clock value in a signed attestation structure. No existing specification standardizes paired TPM2_GetTime readings for computation duration proof.¶
HAT defines a "temporal sandwich": the Attester calls TPM2_GetTime before a computation, executes it, then calls TPM2_GetTime after. Both attestations are signed by the same AIK. The Verifier validates signatures, clock continuity, and elapsed time.¶
HAT proofs can optionally bind the computation's input to T_before, preventing pre-computation attacks.¶
HAT is designed for sequential computation verification systems and other scenarios where the platform operator is adversarial.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Attestation Identity Key. A restricted signing key in the TPM's Endorsement hierarchy, used to sign attestation structures.¶
TPM 2.0 attestation structure returned by TPM2_GetTime, containing clock value, reset count, and clock-safe flag, per [TPM2-Structures].¶
Paired TPM time readings bounding a computation's duration.¶
HAT maps to RATS entity roles [RFC9334] as follows:¶
The platform performing the attested computation. Generates HAT proofs by calling TPM2_GetTime before and after each computation.¶
TPM manufacturers issuing EK certificates and platform attestation credentials. The certificate chain establishes AIK binding to genuine TPM hardware.¶
Receives HAT proofs, validates AIK signatures against the Endorser's certificate chain, and checks temporal consistency.¶
Supplies the expected computation duration and clock tolerance parameters that the Verifier uses to evaluate HAT time deltas. The Reference Value Provider conveys these values via one of: (a) the consuming protocol's Evidence structure (e.g., declared parameters from which duration is derived), (b) an out-of-band policy configuration on the Verifier, or (c) a CoRIM reference values manifest per draft-ietf-rats-corim. The specific conveyance mechanism is defined by the consuming protocol.¶
HAT operates within the RATS passport model ([RFC9334], Section 8.1):¶
+----------+ +-----------+
| Attester | | Verifier |
| | | |
| 1. TPM2_GetTime (T_before) | |
| 2. Execute computation | |
| 3. TPM2_GetTime (T_after) | |
| 4. Package HAT proof | |
| | | |
| |--- Evidence -------->| |
| | (includes HAT) | |
| | | 5. Verify |
| | | sigs |
| | | 6. Check |
| | | clock |
| | | 7. Verify |
| | | delta |
| | | |
+----------+ +-----+-----+
|
v
Attestation
Result
¶
HAT implements a trust inversion: the Attester operator is the primary adversary, analogous to anti-cheat attestation. The trust anchors are:¶
The TPM hardware, providing a monotonic clock resistant to rollback.¶
The AIK, a restricted signing key bound to the TPM.¶
The Endorser's certificate chain, binding the AIK to genuine hardware.¶
The Attester operator controls the software stack and can choose when to call TPM2_GetTime, but cannot forge clock readings or AIK signatures.¶
The Attester MUST obtain TPM-attested time readings before and after each computation:¶
T_before = TPM2_GetTime(aikHandle, qualifyingData_before) ... execute computation ... T_after = TPM2_GetTime(aikHandle, qualifyingData_after)¶
The aikHandle MUST refer to the same AIK for both calls.¶
Each TPM2_GetTime call returns a TPMS_ATTEST structure [TPM2-Structures] containing:¶
clockInfo.clock: Monotonic millisecond counter. Does not reset
on reboot; only on owner-clear (which increments resetCount).¶
clockInfo.resetCount: Increments on TPM2_Startup(CLEAR).¶
clockInfo.restartCount: Increments on TPM2_Startup(STATE)
(hibernation/resume).¶
clockInfo.safe: Indicates clock reliability. Set to NO on
clock discontinuity.¶
firmwareVersion: TPM firmware version.¶
Applications SHOULD include qualifying data binding the HAT proof to the computation. Use cases where replay is not a threat (e.g., public timestamping) may omit qualifying data.¶
T_before qualifyingData: computation input seed or hash thereof.¶
T_after qualifyingData: computation output or commitment (e.g., Merkle root).¶
If the TPM is unavailable, the Attester MUST NOT generate a HAT proof.¶
The Attester SHOULD minimize delay between T_before and computation start, and between computation end and T_after.¶
The AIK MUST be a restricted signing key with
TPMA_OBJECT.restricted and TPMA_OBJECT.sign set per
[TPM2-Structures].¶
The AIK SHOULD reside in the Endorsement hierarchy. AIKs in the Platform or Storage hierarchies MAY be used but offer weaker provenance.¶
The AIK certificate chain MUST root to a known TPM manufacturer's EK certificate. The Verifier MUST validate the full chain before accepting HAT proofs.¶
The AIK MUST use one of:¶
The Verifier MUST support at least RSASSA-PKCS1-v1_5 with SHA-256 and ECDSA with P-256.¶
The AIK public key and certificate chain MUST be conveyed to the Verifier, either out-of-band or inline per the consuming protocol.¶
For high-assurance scenarios, Verifiers SHOULD require attestation that the TPM is a discrete hardware module, not a vTPM.¶
The clockInfo.safe field indicates clock reliability. The TPM
sets safe to NO on clock discontinuity:¶
Platform power loss with disturbed or absent battery-backed RTC.¶
Hardware anomaly affecting clock integrity.¶
Explicit TPM2_ClockSet (typically restricted to platform hierarchy).¶
A resetCount mismatch between T_before and T_after indicates a platform reboot during computation. A reboot resets volatile TPM state and allows the operator to manipulate the computation environment. A restartCount mismatch indicates hibernation/resume, which preserves the clock but allows state inspection.¶
For multi-invocation chains, a resetCount change between T_after of invocation n-1 and T_before of invocation n breaks temporal chain continuity.¶
The HAT proof is encoded in CBOR [RFC8949] per [RFC8610]:¶
hat-proof = {
1 => bstr, ; time-before (TPMS_TIME_ATTEST_INFO)
2 => bstr, ; time-after (TPMS_TIME_ATTEST_INFO)
3 => bstr, ; sig-before (AIK signature)
4 => bstr, ; sig-after (AIK signature)
}
¶
{
1: h'ff20...0140', / time-before: TPMS_ATTEST /
2: h'ff20...0280', / time-after: TPMS_ATTEST /
3: h'3045...9a7b', / sig-before: ECDSA-P256 /
4: h'3045...c4e2' / sig-after: ECDSA-P256 /
}
¶
HAT proofs MUST use deterministic CBOR encoding per Section 4.2.1 of [RFC8949].¶
The raw TPMS_ATTEST structure from TPM2_GetTime before the
computation, marshaled as TPM2B_ATTEST per [TPM2-Structures].
MUST have magic = TPM_GENERATED_VALUE (0xff544347) and
type = TPM_ST_ATTEST_TIME (0x8019).¶
Same format as time-before, from the post-computation TPM2_GetTime call.¶
The TPMT_SIGNATURE over the time-before TPMS_ATTEST structure. For ECDSA: concatenation of r and s values per TPM2 Part 2. For RSA: the raw signature value.¶
Same format as sig-before, covering the time-after attestation.¶
The consuming protocol defines:¶
The position within its Evidence structure for the HAT proof.¶
AIK conveyance mechanism.¶
Computation binding (e.g., incorporating T_before into seed derivation).¶
For standalone use, a HAT proof MAY be wrapped in a COSE_Sign1 envelope [RFC9052] with the AIK certificate chain in the unprotected header.¶
The Verifier MUST perform the following checks:¶
Signature verification: Verify sig-before and sig-after against the AIK public key. Validate the AIK certificate chain to a known TPM manufacturer root. Reject on failure.¶
Attestation type check: Verify both TPMS_ATTEST structures
have type = TPM_ST_ATTEST_TIME and magic =
TPM_GENERATED_VALUE.¶
resetCount consistency: Verify resetCount is identical in T_before and T_after. Reject on mismatch.¶
Clock-safe validation: Verify T_before.clockInfo.safe is true; MUST reject if false. If T_after.clockInfo.safe is false, SHOULD reject.¶
Time delta check: delta = T_after.clock - T_before.clock MUST be >= the expected computation duration obtained from the Reference Value Provider (Section 3.1). SHOULD flag deltas exceeding a configurable upper threshold (default: 10x expected duration).¶
Temporal chain continuity (multi-invocation): T_before.clock of invocation n MUST be strictly greater than T_after.clock of invocation n-1.¶
Computation binding (application-specific): If the consuming protocol binds the computation seed to T_before, verify this binding.¶
NOTE: HAT proves a lower bound on computation duration (the TPM clock interval). It does not prove a tight bound; the Attester may introduce delays between T_before/T_after and the actual computation.¶
| Error Condition | Verifier Behavior |
|---|---|
| sig-before or sig-after fails verification | MUST reject |
| AIK certificate chain invalid or untrusted | MUST reject |
| TPMS_ATTEST type is not TPM_ST_ATTEST_TIME | MUST reject |
| resetCount mismatch between T_before and T_after | MUST reject |
| T_before.clockInfo.safe is false | MUST reject |
| T_after.clockInfo.safe is false | SHOULD reject |
| restartCount mismatch | SHOULD reject |
| Time delta less than expected duration | MUST reject |
| Time delta implausibly large (>threshold) | SHOULD flag as warning |
| Temporal chain continuity violation | MUST reject |
| firmwareVersion mismatch between readings | SHOULD reject |
Warnings SHOULD be included in the Attestation Result.¶
Voltage glitching: Targeted voltage manipulation may cause clock skips. Requires physical access and specialized equipment.¶
TPM reset attacks: Power-cycling resets volatile state, detectable via resetCount.¶
VM-based attacks: vTPMs do not provide discrete TPM hardware guarantees. See Section 4.2 for discrete TPM requirements.¶
AIK extraction (via side-channel or fault injection) enables forging HAT proofs with arbitrary timestamps. Verifiers SHOULD support AIK revocation.¶
Without qualifying data binding, HAT proofs can be replayed for different computations. Applications SHOULD include computation-specific qualifying data. For multi-invocation chains, temporal chain continuity prevents insertion of old proofs.¶
TPM clocks lack mandated accuracy; typical drift is seconds per day. Verifiers SHOULD use a tolerance factor (5-10%) when comparing deltas to expected durations.¶
The TPM 2.0 specification defines clockInfo.clock as a
millisecond counter, but actual update granularity is
implementation-dependent. Some TPMs update the clock at intervals
of 10ms or coarser. For computations shorter than approximately
100ms, clock resolution may dominate the measurement error. HAT
is best suited for computations lasting at least one second.¶
This specification covers TPM 2.0 only. Other hardware platforms (ARM TrustZone, Intel SGX, Apple Secure Enclave) are out of scope.¶
AIKs are device-specific and potentially identifying. To mitigate correlation:¶
TPM clock readings reveal platform uptime, a fingerprinting vector. When uptime exposure is unacceptable, the consuming protocol MAY strip absolute clock values, retaining only the time delta.¶
The TPMS_ATTEST structure contains fields beyond what HAT verification requires (firmwareVersion, qualifiedSigner). The consuming protocol MAY define a reduced format including only clock values, resetCount, safe flag, and the AIK signature.¶
This document has no IANA actions.¶
The author thanks the Trusted Computing Group for the TPM 2.0 specification and the IETF RATS working group for the remote attestation architecture that informed this design.¶