Cohort prevalence: how common is this device's boot config, among devices like it
Every attestation already carries the explicit checks: Secure Boot state, dbx revocation floor, real-hardware TPM class, EAR status. Cohort prevalence adds one more, optional signal: how common this device's boot configuration is within its cohort(same make / model / firmware), counted by distinct real TPMs. It catches "unusual for its kind," not tampering. The explicit checks catch tampering.
Prevalence is layered on top of the explicit attestation checks as an AND-constraint, evaluated after they all pass. It can never let a device bypass an explicit requirement: a device that fails Secure Boot, fails dbx, presents an emulated TPM, or fails EAR is rejected regardless of how common its profile is. Prevalence only ever addsa reason to reject; it never removes one. This is not a rolled-up "trust score"; it is one named, individually-controlled claim alongside the others.
What it answers (and what it doesn't)
A modern fleet of legitimate devices does notshare one canonical set of PCR values: firmware, bootloader, and Secure Boot policy measurements legitimately differ by vendor, model, and firmware revision. So "rare PCR value" on its own means "uncommon hardware/firmware combination," not "untrustworthy." That is exactly why prevalence is not the trust gate.
What it does answer, scoped within a cohort of genuinely-comparable devices:how common is this device's least-common tracked boot measurement among real, distinct devices of the same make/model/firmware? That is a useful anomaly signal (a device whose Secure Boot policy is shared by 0.01% of its cohort is worth a second look), but it is advisory by default, never a silent reject.
- Catches: a boot configuration that is unusual relative to other devices of the same kind.
- Does not catch: tampering, downgrade, or a bad boot state. The explicit Secure Boot / dbx / TPM-class / EAR checks do that, and they remain the gate.
The claims (always on)
Every attestation token and verify response carries the cohort claims, whether or not you act on them in policy. Read them, log them, alert on them; gating is opt-in.
| Claim | Type | Meaning |
|---|---|---|
| cohortPrevalence | number | null | 0–1. The fraction of distinct real devices in this device's cohort that share its least-common tracked boot measurement (weakest-link across PCR[0], PCR[4], PCR[7]). null when the cohort has too few observed devices to estimate (cold start). |
| novelProfile | boolean | true when the cohort has insufficient data (cold start) OR the device's tracked measurements fall below the cohort-sample floor. A new firmware build is legitimately novel until adoption grows; see the cold-start section. |
| cohortPrevalencePerPcr | { "0": number, "4": number, "7": number } | Per-index breakdown of prevalence for the tracked low-variance PCRs: PCR[0] (firmware), PCR[4] (bootloader), PCR[7] (Secure Boot policy). cohortPrevalence is the minimum across these. |
| cohortKey | string (opaque hex) | Stable identifier for the device's cohort, derived only from quote-bound, measured fields (TPM-class family + firmware-version measurement + Secure Boot PK issuer). Reference it in your tenant allowlist. |
| cohortScope | "global" | "tenant-fleet" | Which population the prevalence was computed against: the global model-cohort (advisory default) or your own tenant fleet (empirical golden-image). |
| cohortSampleSize | number | Estimated count of distinct real devices in the cohort (the denominator). Lets you judge how much weight the prevalence number deserves. |
{
"ueid": "2f9c4a1c8b…",
"verdict": "pass",
"earStatus": "affirming",
"attestationType": "tpm20",
"cohortKey": "c0a7f31e9b4d…",
"cohortScope": "global",
"cohortSampleSize": 48211,
"cohortPrevalence": 0.034,
"cohortPrevalencePerPcr": { "0": 0.91, "4": 0.88, "7": 0.034 },
"novelProfile": false
}Here the device passes every explicit check (earStatus: affirming). Its firmware and bootloader measurements are common in its cohort, but its Secure Boot policy measurement (PCR[7]) is shared by only 3.4% of distinct devices of the same kind, so cohortPrevalenceis the weakest-link 0.034. Whether that matters is your policy's call.
The cohort key: what makes two devices 'alike'
A device's cohort is its cohortKey: an opaque hash derived only from fields bound to the verified quote and validated EK chain, never from unauthenticated SMBIOS or self-reported device claims:
- TPM-class family: the coarse family from the validated EK certificate chain (e.g.
firmware-tpm-intel-ptt). - Firmware-version measurement: the PCR[0]
EV_S_CRTM_VERSIONevent digest (the firmware build's own identity). - Secure Boot PK issuer: the platform-key issuer from the PCR[7] Secure Boot variables (the OEM platform-key identity).
The key is deliberately coarse-but-sound in v1 and versioned (cohortKeyVersion) so the field set can be refined without invalidating stored statistics. You receive the key so you can reference exact configurations in your tenant allowlist.
How prevalence is computed
Within a cohort, only three low-variance PCRs are scored: PCR[0] (firmware / CRTM), PCR[4] (boot manager / OS loader), PCR[7](Secure Boot policy). High-variance PCRs (e.g. PCR[1] config) are excluded; they'd make every device a singleton and prevalence meaningless.
For each tracked PCR, we keep two distinct-device counters (HyperLogLog), per scope:
- value counter: distinct devices in the cohort whose measurement for that PCR is exactly this device's hash.
- total counter: distinct devices in the cohort that reported that PCR at all (any hash). This is the denominator.
prevalencePerPcr[i] = distinct devices in cohort with THIS hash for PCR i
─────────────────────────────────────────────────── ∈ [0, 1]
distinct devices in cohort reporting PCR i (any hash)
cohortPrevalence = min over tracked PCRs of prevalencePerPcr[i] // weakest link
cohortSampleSize = min over tracked PCRs of the total (denominator)So cohortPrevalencePerPcr is a set of fractions, not counts: “what share of devices like me share my exact PCR[i] measurement.” And cohortPrevalence collapses them to the rarest one: your least-common measurement is the one that matters for anomaly, so the weakest link drives the single number. A device whose firmware and bootloader are ubiquitous (0.91, 0.88) but whose Secure Boot policy is shared by 3.4% of its cohort has a cohortPrevalence of 0.034.
When the smallest denominator is below the sample floor, cohortPrevalence is null and novelProfile is true, but cohortPrevalencePerPcr is still reported. If you see per-PCR values of 1.0 across the board with novelProfile: true and a small cohortSampleSize, that means you're essentially the whole cohort so far: a brand-new or rarely-seen config, not a strong “everyone has this” signal. The aggregate is withheld precisely so you don't act on a ratio with no population behind it.
Counters are distinct-device cardinality estimates (HyperLogLog), so one device re-attesting a million times moves nothing (anti-gaming), and they store no device or tenant identifiers, only registers (see Privacy by construction).
The policy fields (additive; default off)
Three policy fields control whether prevalence tightens a verdict. All default to the no-op / advisory setting, so adding cohort prevalence to your account changes nothing until you opt in.
| Field | Type | Default | Behavior |
|---|---|---|---|
| minCohortPrevalence | number | null | null (off) | When set, a device whose cohortPrevalence falls below this floor is treated per onNovelProfile. null disables the constraint: claims are still emitted, nothing is gated. |
| cohortScope | "global" | "tenant-fleet" | "global" | global compares against every device of the same make/model/firmware across the network (advisory). tenant-fleet compares only against your own managed devices, an empirical golden image you can safely hard-gate. |
| onNovelProfile | "warn" | "step-up" | "reject" | "warn" | What to do when a device is below the prevalence floor or novel. warn annotates the verdict and degrades the configuration trustworthiness vector. step-up requires a fresh re-attestation / MFA. reject contraindicates. Default is warn because a new-but-legitimate config is novel by definition. |
{
"name": "cohort-advisory",
"acceptedClassGroups": ["hardware", "firmware-tpm"],
"minCohortPrevalence": 0.001,
"cohortScope": "global",
"onNovelProfile": "warn"
}The class-acceptance fields (acceptedClassGroups) are the explicit gate; they run first and unchanged. The cohort fields (minCohortPrevalence, cohortScope, onNovelProfile) are evaluated only on devices that already passed them, and here they only annotate: a below-floor or novel device still passes, but the verdict carries the flag and a degraded configuration trustworthiness vector so you can route it to review without blocking a legitimate new device.
{
"name": "cohort-golden-image",
"acceptedClassGroups": ["hardware", "firmware-tpm"],
"minCohortPrevalence": 0.05,
"cohortScope": "tenant-fleet",
"onNovelProfile": "reject"
}Against your own fleet (cohortScope: tenant-fleet), the cohort statistics are an empirical golden image of the configurations your managed devices actually run, so reject is a defensible choice there. Pair it with an allowlist so you can pre-approve a new corporate image the day you roll it out.
The honest cold-start tradeoff
This is the one place prevalence has a real, unavoidable limitation, and we will not paper over it: a brand-new firmware build is legitimately novel until adoption grows. When a fresh OS update or new hardware SKU ships, the first devices to attest with its measurements have low prevalence by definition; there is no population yet. Hard-gating on prevalence at that moment would reject perfectly legitimate new hardware. This is the same failure mode reputation systems like SmartScreen hit with new-but-signed binaries.
That is precisely why the design is shaped the way it is:
- Default is advisory (warn).
onNovelProfiledefaults towarn, never reject. A novel config is flagged, not denied. - Cold start is explicit, not a silent reject. When a cohort has fewer than the configured sample floor,
cohortPrevalenceisnullandnovelProfileistrue. Your policy decides what that means viaonNovelProfile; it is never silently rejected. - It self-heals. Every cryptographically authentic attestation updates the cohort statistics, including ones that fail policy enforcement. (Authentic means: quote signature verified, event log replays to the quote, EK chain valid; counted once per distinct EK-derived device.) So as real devices adopt a new config, it naturally crosses the prevalence threshold on its own, without you doing anything.
Prevalence is counted only after the evidence is proven cryptographically authentic, and it counts distinct real devices(estimated by a distinct-device cardinality estimator over EK-derived ids), not requests. Forging evidence fails the authenticity gate before it is ever counted; replaying one device's evidence is counted once. So an attacker cannot inflate a configuration's prevalence without a warehouse of genuine TPMs, which still each have to pass the explicit checks. That guardrail is what makes the self-healing property safe rather than a manipulation vector.
Two scopes: tenant-fleet vs global model-cohort
Prevalence computed against only your own managed devices. This is an empirical golden image of what your fleet actually boots, so it is safe to hard-gate (onNovelProfile: reject) once your fleet's configs are established. Best for managed-fleet / golden-image enforcement.
Prevalence computed against every device of the same make/model/firmware across the network. Broader signal, but subject to the cold-start tradeoff for new firmware, so it is advisory by default. Best for BYOD posture-drift observability where you don't control the hardware.
Self-service tenant allowlist
When you want to hard-gate but also roll out a new approved configuration, allowlist it. An allowlist entry is a (cohortKey, pcrIndex, pcrValueHash) tuple scoped to your tenant only. A device config is allowlisted for your tenant when every tracked measurement is present in your entries, and that satisfies the prevalence / novelty constraint for your policies regardless of its global or fleet prevalence.
- Your dashboard shows a review queue of novel / low-prevalence configs from your own attestations only, never any other tenant's devices.
- One-click approve adds the allowlist entry; the config then passes immediately.
- Hard isolation: every query is tenant-filtered. No endpoint returns another tenant's allowlist entries or device configurations.
Privacy by construction
The prevalence layer stores no identifiers. Distinct-device counts are maintained with cardinality estimators (HyperLogLog registers) that hold only probabilistic count state, mathematically incapable of revealing which device or which tenant was counted. The global pool is aggregate-only; tenant-fleet statistics are partitioned per tenant. There is no cross-customer data exposure, and no way to recover a device or tenant from the stored counters.
Cohort prevalence is an additive, opt-inanomaly signal: "how common is this device's boot config among devices like it, counted by distinct real TPMs." It ships as claims you can always read and a policy constraint that can only ever tighten: never a single rolled-up trust number, never a way to bypass the explicit checks, and honest about the cold-start tradeoff that makes warn the default.