IMA appraisal with TPMv2?

IMA appraisal with TPMv2?

[Chang, Clay (HPS OE-Linux TDC)]

Hi,

As I know, IMA appraisal with digital signature uses the public key on the .ima 
keyring for verification, and the public key needs to be signed by a certificate 
embedded into the kernel (CONFIG_SYSTEM_EXTRA_CERTIFICATE). While this approach 
looks fine, it requires kernel re-gen and re-sign in the context of secure boot.

My question is that for IMA appraisal, is it possible to verify the signature 
with the TPMv2? My intention is leverage the TPMv2 device and to avoid the 
kernel re-gen/re-sign.

For signing, I know I need a tool that uses TPMv2 to sign the executable and 
write the signature to the xattr of the file.

Thanks,
Clay

Re: IMA appraisal with TPMv2?

[Ken Goldman]

On 1/6/2021 5:47 AM, Chang, Clay (HPS OE-Linux TDC) wrote:
> Hi,
> 
> As I know, IMA appraisal with digital signature uses the public key on the .ima
> keyring for verification, and the public key needs to be signed by a certificate
> embedded into the kernel (CONFIG_SYSTEM_EXTRA_CERTIFICATE). While this approach
> looks fine, it requires kernel re-gen and re-sign in the context of secure boot.
> 
> My question is that for IMA appraisal, is it possible to verify the signature
> with the TPMv2? My intention is leverage the TPMv2 device and to avoid the
> kernel re-gen/re-sign.
> 
> For signing, I know I need a tool that uses TPMv2 to sign the executable and
> write the signature to the xattr of the file.

I don't understand the re-sign piece, so this may not make sense.

The TPM can certainly do signature verification as long as you can load the
public key.  However

- It will be very slow compared to software.
- If you can load the public key, can't you do the verification in SW?

The two main use cases for TPM signature verification are:

- In environments where SW does not have crypto.
- When the TPM is producing a ticket for a subsequent TPM operation.