From: Ken Goldman <kgold@linux.ibm.com>
To: "Chang, Clay (HPS OE-Linux TDC)" <clayc@hpe.com>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>
Subject: Re: IMA appraisal with TPMv2?
Date: Tue, 12 Jan 2021 17:28:33 -0500 [thread overview]
Message-ID: <c94e3587-ca85-21ec-bafb-5bf1a9fc954e@linux.ibm.com> (raw)
In-Reply-To: <CS1PR8401MB036099EF243892F90D07D56CBCD00@CS1PR8401MB0360.NAMPRD84.PROD.OUTLOOK.COM>
On 1/6/2021 5:47 AM, Chang, Clay (HPS OE-Linux TDC) wrote:
> Hi,
>
> As I know, IMA appraisal with digital signature uses the public key on the .ima
> keyring for verification, and the public key needs to be signed by a certificate
> embedded into the kernel (CONFIG_SYSTEM_EXTRA_CERTIFICATE). While this approach
> looks fine, it requires kernel re-gen and re-sign in the context of secure boot.
>
> My question is that for IMA appraisal, is it possible to verify the signature
> with the TPMv2? My intention is leverage the TPMv2 device and to avoid the
> kernel re-gen/re-sign.
>
> For signing, I know I need a tool that uses TPMv2 to sign the executable and
> write the signature to the xattr of the file.
I don't understand the re-sign piece, so this may not make sense.
The TPM can certainly do signature verification as long as you can load the
public key. However
- It will be very slow compared to software.
- If you can load the public key, can't you do the verification in SW?
The two main use cases for TPM signature verification are:
- In environments where SW does not have crypto.
- When the TPM is producing a ticket for a subsequent TPM operation.
prev parent reply other threads:[~2021-01-12 22:30 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-06 10:47 IMA appraisal with TPMv2? Chang, Clay (HPS OE-Linux TDC)
2021-01-12 22:28 ` Ken Goldman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c94e3587-ca85-21ec-bafb-5bf1a9fc954e@linux.ibm.com \
--to=kgold@linux.ibm.com \
--cc=clayc@hpe.com \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.