Comment Re:Visibility (Score 1) 94
You can validate the system is in a known, good state at boot-time, but that does not apply at run-time. You can use Intel Trusted Execution Technology (TXT) to measure the system is in a known, good state and store those measurements in the Trusted Platform Module (TPM). When you attest remotely, if the whitelist values do not match, you do not admit the system into your infrastructure. This approach can take measurements up to the VM-layer (hardware/firmware/BIOS/hypervisor). There are solutions to attest at boot-time (PrivateCore vCage), but run-time is another matter.