Verification Methods

Detailed methodologies for verifying cloud hardware at different security levels.

Level 1: Human-Assisted Verification

Level 1 verification relies on human witnesses to validate that hardware is located at legitimate facilities. Multiple independent alliance members cross-verify evidence to prevent collusion.

Bare Metal Cloud Verification

Bare metal cloud providers (e.g., OVH, Hetzner) offer serial console access to servers. We can verify servers are managed by reputable providers through a witness ceremony.

Protocol:

  1. Alice (prover) and Bob (verifier) join a video conference
  2. Alice shares her screen, showing the serial console from the cloud provider
  3. Bob sends a challenge (32-byte nonce) to Alice
  4. Alice runs a prebuilt Docker container to produce an attestation (e.g., DCAP quote) with the nonce in the reportData field
  5. Alice downloads the quote and sends it to Bob
  6. Bob verifies the attestation, checks the nonce matches, and extracts the hardware ID (PPID)
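
The nonce handling in steps 3 and 6, sketched from Bob's side as an added example (not code from the Proof of Cloud project). It reads reportData at its fixed offset in Intel DCAP v3/v4 SGX and v4 TDX quotes and assumes the 32-byte nonce is zero-padded to the 64-byte field; the function names are hypothetical. The check only means something once the quote's signature and PCK certificate chain have been verified by a DCAP verification library, which is also where the PPID is obtained; neither is shown here.

```python
import hmac
import secrets
import struct

# Intel DCAP quote: 48-byte header followed by the report body.
HEADER_LEN = 48
TEE_SGX, TEE_TDX = 0x00000000, 0x00000081
# Offset of the 64-byte reportData field inside each report body type.
REPORT_DATA_OFFSET = {TEE_SGX: 320, TEE_TDX: 520}
REPORT_BODY_LEN = {TEE_SGX: 384, TEE_TDX: 584}


def new_challenge() -> bytes:
    """Step 3: Bob's fresh 32-byte nonce from a CSPRNG."""
    return secrets.token_bytes(32)


def extract_report_data(quote: bytes) -> bytes:
    """Return the 64-byte reportData of a v3/v4 SGX or v4 TDX quote."""
    if len(quote) < HEADER_LEN:
        raise ValueError("quote shorter than header")
    version, _key_type, tee_type = struct.unpack_from("<HHI", quote, 0)
    if version not in (3, 4) or tee_type not in REPORT_DATA_OFFSET:
        raise ValueError(f"unsupported quote: v{version} tee={tee_type:#x}")
    if len(quote) < HEADER_LEN + REPORT_BODY_LEN[tee_type]:
        raise ValueError("quote truncated inside report body")
    start = HEADER_LEN + REPORT_DATA_OFFSET[tee_type]
    return quote[start:start + 64]


def nonce_is_bound(quote: bytes, nonce: bytes) -> bool:
    """Step 6, nonce part: reportData must equal nonce || 32 zero bytes."""
    if len(nonce) != 32:
        raise ValueError("nonce must be 32 bytes")
    expected = nonce + bytes(32)  # assumed padding convention
    return hmac.compare_digest(extract_report_data(quote), expected)


def build_sample_quote(tee_type: int, report_data: bytes) -> bytes:
    """Constructed input: an all-zero quote with only the parsed fields set."""
    header = struct.pack("<HHI", 4, 2, tee_type).ljust(HEADER_LEN, b"\0")
    body = bytearray(REPORT_BODY_LEN[tee_type])
    off = REPORT_DATA_OFFSET[tee_type]
    body[off:off + 64] = report_data.ljust(64, b"\0")
    return header + bytes(body)
```

A quote replayed from an earlier ceremony carries the old nonce and fails `nonce_is_bound`, which is why Bob must generate the challenge himself for each session.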

Trust Model

  • Assumption: Bare metal cloud provider is trusted
  • Protects against: Server owner attacks, outsider attacks
  • Does not protect against: Malicious datacenter insiders

Colocation Server Verification

Colocation servers lack built-in cloud console access. We combine multiple evidence sources to achieve the desired security properties.

Evidence Methods:

1. Claim by Server Owner

The server owner (e.g., Phala Cloud) provides a signed claim that the hardware is hosted in a secure facility. Optional: compliance certifications (SOC2, ISO 27001).

2. Proof of Datacenter Hosting

A video witness of the datacenter environment, combined with email confirmation from the datacenter operator.

3. Datacenter Pledge of Notification

The datacenter pledges to alert Proof of Cloud when a server is removed or suspicious devices are introduced. Pledge form available here.

4. PSU Heartbeat Monitoring

Periodic heartbeat checks to the IPMI/BMC prove the server hasn't left the rack (physical attacks would disrupt network/power).

5. IP Address Ownership Proof

Verify that inbound/outbound IP addresses are within the datacenter's range via video witness of curl ipconfig.me and mtr.

Colocation Provider Pledge

A formal commitment by colocation providers to maintain physical security and report security-relevant events to the Proof of Cloud Alliance.

Download Official Pledge Document

ProofOfCloud_Colocation_Pledge.pdf

Level 2: Automated Verification

Level 2 eliminates human trust requirements through cryptographic proofs. Verification is fully automated and relies only on mathematical guarantees.

zk-TLS Verification

Extract hardware IDs from attestations performed through cloud control planes (e.g., OVH serial console) with zero-knowledge TLS proofs.

How it works: The verifier obtains a zk-TLS proof that demonstrates an attestation was generated through the cloud provider's authenticated console session, without revealing session credentials. This provides cryptographic evidence that the hardware is managed by the stated provider.

Security Properties

  • No human witnesses required
  • Cryptographic proof of cloud provider control
  • Tamper-evident: any modification breaks the proof

vTPM Cryptographic Claims

Hyperscalers can issue vTPM-based cryptographic claims binding virtual machine instances to physical hardware identities.

Reference: Based on methodology described in "Proof of Cloud: Data Center Execution Assurance for Confidential VMs" (arXiv:2510.12469, 2025)

How it works: The cloud provider's infrastructure generates a signed statement from the physical TPM that certifies which hardware hosts a given VM. The vTPM chain of trust links the VM's TEE attestation back to a physical PPID or Chip ID.

Security Properties

  • Fully automated verification
  • Cryptographic binding from VM to physical hardware
  • Requires cloud provider TPM infrastructure support

Tamper-Evident RFID Beacons

Physical RFID tags generate cryptographic proofs that servers remain in verified locations without physical tampering.

Security Properties

  • Detects physical tampering (case opening or server removal)
  • Cryptographically signed heartbeats published to transparency log
  • No ongoing human intervention required
  • Resilient to all but the most sophisticated physical attacks

Level 3: Continuous Monitoring

Level 3 combines Level 2 automated verification with ongoing monitoring to detect integrity violations in near real-time.

Continuous Re-Verification

Any Level 2 method can be elevated to Level 3 by implementing periodic automated re-verification:

  • Periodic zk-TLS proof generation and verification
  • Regular vTPM claim refreshes from cloud infrastructure
  • Continuous RFID heartbeat monitoring (e.g., 10-second intervals)

Additional Security Properties

  • Sustained integrity monitoring over time
  • Near real-time detection of physical compromise
  • Public audit trail of continuous verification
  • Attacker requires sustained undetected compromise
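
An auditor's view of the heartbeat record that continuous monitoring produces, as an added example (not the alliance's own tooling). The entry format, the hash chaining, the 5-second tolerance and the tag name are assumptions made for illustration, and HMAC-SHA256 stands in for whatever signature scheme the tags actually use; only the 10-second interval comes from the text.

```python
import hashlib
import hmac
import json

INTERVAL_S = 10   # heartbeat period given in the text
TOLERANCE_S = 5   # assumed allowance for clock and network jitter
GENESIS = "0" * 64


def canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, body: dict) -> str:
    """HMAC-SHA256 stand-in for the tag's real signature scheme."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def entry_hash(hb: dict) -> str:
    return hashlib.sha256(canonical(hb)).hexdigest()


def build_sample_log(key: bytes, count: int) -> list:
    """Constructed log: `count` heartbeats, one every INTERVAL_S seconds."""
    log, prev = [], GENESIS
    for seq in range(count):
        body = {"tag": "tag-01", "seq": seq, "ts": seq * INTERVAL_S, "prev": prev}
        log.append({**body, "sig": sign(key, body)})
        prev = entry_hash(log[-1])
    return log


def audit(log: list, key: bytes, now: int) -> list:
    """Return findings; an empty list means an unbroken record up to `now`."""
    findings, prev, limit = [], None, INTERVAL_S + TOLERANCE_S
    for hb in log:
        body = {k: hb[k] for k in ("tag", "seq", "ts", "prev")}
        if not hmac.compare_digest(hb["sig"], sign(key, body)):
            findings.append(f"seq {hb['seq']}: bad signature")
        if prev is not None:
            if hb["seq"] != prev["seq"] + 1 or hb["prev"] != entry_hash(prev):
                findings.append(f"seq {hb['seq']}: chain break")
            if hb["ts"] - prev["ts"] > limit:
                findings.append(f"seq {hb['seq']}: gap of {hb['ts'] - prev['ts']}s")
        prev = hb
    if prev is None or now - prev["ts"] > limit:
        findings.append("stale: no recent heartbeat")
    return findings
```

Dropped entries show up as a chain break plus a time gap, an edited entry fails its signature and breaks the link to its successor, and a tag that simply goes quiet is reported as stale.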