Remote Attestation

Platform integrity you can prove.

Automated remote attestation for Linux machines with TPM 2.0.

or just get started…

$ brew install ratatouille

One CLI for your whole fleet. Manage from your laptop or enroll a Linux machine directly.


Attesting your machines shouldn't require a PhD.

Keylime, Linux IMA, and TPM 2.0 already solve hardware-rooted integrity verification for Linux. But deploying them means managing a registrar, a verifier, mTLS certificates, TPM quote schemas, IMA allowlists, and policy fan-out, none of which is operationally documented anywhere useful.

Ratatouille handles all of it. Generate a policy from a known-good machine, push it to Git, and every enrolled machine is continuously attested against it.

The cryptographic evidence is yours: exportable, independently verifiable, and not locked in our dashboard.

Trust chain diagram: TPM 2.0 trust root → UEFI Firmware → Bootloader → Kernel → Applications
Open Standards

Adopt remote attestation. Don't rebuild it.

Ratatouille operationalizes proven open-source components. Your policies, your evidence, your cryptographic chain are all verifiable with standard tooling whether or not Ratatouille exists.


How It Works

From silicon to continuous trust

01 Enroll

Install the Ratatouille agent on a device in a known-good state.

ansible / cloud-init / apt / manual

02 Baseline

Policy is built from IMA logs of modules and executables loaded since boot.

IMA log → runtime policy

03 Sign & Push

Sign the policy and push to Git. Ratatouille reads and verifies the policy signature and fans it out to your devices.

git push → webhook → fan-out

04 Verify

At a chosen interval, Ratatouille verifies a TPM quote and checks the IMA log entries it covers against your policy.

TPM quote → IMA verify → PCR

05 Export

Pull a signed evidence package at any time in a format any auditor can verify independently.

ratatouille evidence export --machine <id>
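The Baseline and Verify steps above (and the PCR 10 / IMA Log links of the trust chain below) come down to one check: replay the IMA log into PCR 10, compare with the quoted PCR value, then match every measured file against the signed policy. This is an added illustration, not Ratatouille's or Keylime's code; it assumes the quote's AIK signature has already been verified, that the second log field is the SHA-256 template digest extended into PCR 10, and uses a constructed log and policy.

```python
import hashlib

ZERO_DIGEST = "0" * 64
# IMA logs a measurement violation with an all-zero digest but extends
# PCR 10 with 0xFF bytes, so a faithful replay must substitute them.
VIOLATION_EXTEND = "ff" * 32

def parse_ima_line(line):
    """Parse one ima-ng record: PCR, template digest, template, algo:hash, path."""
    pcr, template_digest, _template, file_hash, path = line.split(maxsplit=4)
    algo, digest = file_hash.split(":", 1)
    return {"pcr": int(pcr), "template_digest": template_digest.lower(),
            "algo": algo, "file_hash": digest.lower(), "path": path}

def replay_pcr10(entries):
    """Recompute PCR 10 from the log: PCR = SHA256(PCR || template_digest)."""
    pcr = bytes(32)  # PCR 10 is all zeros after reset
    for e in entries:
        if e["pcr"] != 10:
            continue
        d = VIOLATION_EXTEND if e["template_digest"] == ZERO_DIGEST else e["template_digest"]
        pcr = hashlib.sha256(pcr + bytes.fromhex(d)).digest()
    return pcr.hex()

def policy_violations(entries, policy):
    """Entries whose file hash is not approved for that path (violations always fail)."""
    return [e for e in entries if e["template_digest"] == ZERO_DIGEST
            or e["file_hash"] not in policy.get(e["path"], ())]

def verify(quoted_pcr10_hex, log_text, policy):
    """Verifier decision, assuming the quote's AIK signature was already checked:
    the log must reproduce the quoted PCR 10, then every file must be in policy."""
    entries = [parse_ima_line(ln) for ln in log_text.splitlines() if ln.strip()]
    if replay_pcr10(entries) != quoted_pcr10_hex.lower():
        return False, ["IMA log does not reproduce quoted PCR 10 (tampered or truncated)"]
    bad = policy_violations(entries, policy)
    return (not bad), [f"{e['path']}: {e['algo']}:{e['file_hash'][:12]}... not in policy" for e in bad]

def digest_of(label):
    """Deterministic constructed digest for the sample data below (not real)."""
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed sample log and policy; the template digests are placeholders.
SAMPLE_LOG = "\n".join([
    f"10 {digest_of('t1')} ima-ng sha256:{digest_of('sshd-v1')} /usr/sbin/sshd",
    f"10 {digest_of('t2')} ima-ng sha256:{digest_of('bash-v1')} /usr/bin/bash",
    f"10 {digest_of('t3')} ima-ng sha256:{digest_of('unapproved')} /opt/unapproved-tool",
])
SAMPLE_POLICY = {"/usr/sbin/sshd": {digest_of("sshd-v1")},
                 "/usr/bin/bash": {digest_of("bash-v1")}}
```

A log that is truncated or edited fails the PCR comparison before policy is consulted, which is why the quote, not the log, is the anchor of trust.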

Cryptographic Trust Chain

Every link is independently verifiable.

From the chip the manufacturer burned a key into, through to the relying party's access decision. You don't have to trust Ratatouille. You can verify each link yourself.

TPM Manufacturer: silicon root
EK (Endorsement Key): burned in silicon
AIK (Attestation Identity Key): registered
TPM Quote: signed PCR snapshot + nonce
PCR 10: extends on every IMA measurement
IMA Log: every ELF & module executed since boot
Runtime Policy: approved baseline (GitOps, versioned)
Sigstore Sig: authorized identity signed the policy
Rekor Log: public, immutable transparency log
Attest. Token: issued only when all above pass
Relying Party: auditor, API gateway, secrets vault

Hardware-enforced · Cryptographically chained · Publicly auditable