[RFC] IMA Log Snapshotting Design Proposal - unseal
Ken Goldman
kgold at linux.ibm.com
Wed Aug 30 12:12:39 PDT 2023
On 8/1/2023 3:12 PM, Sush Shringarputale wrote:
> For remote attestation to work, the service will need to know how to
> validate the snapshot_aggregate entry in the IMA log. It will have
> to read the PCR values present in the template data of
> snapshot_aggregate event in the latest IMA log, and ensure that the
> PCR quotes align with the contents of the past UM_snapshot_file(s).
> This will re-establish the chain of trust needed for the device to
> pass remote attestation. This will also maintain the ability of the
> remote-attestation-service to seal the secrets, if the client-server
> use TPM unseal mechanism to attest the state of the device.
I think that seal/unseal to IMA PCRs is futile. Since boot is
multi-threaded, the IMA PCR is unpredictable even when valid.
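
Added example, not part of the original message or of the IMA code: a model of why an order-dependent PCR defeats sealing while quote-plus-log-replay still verifies. The file names, digests and helper names are constructed, and the file digest is extended directly, where real IMA extends a template hash.

```python
import hashlib
from itertools import permutations

PCR_INIT = bytes(32)  # a SHA-256 bank PCR starts as 32 zero bytes


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(log) -> bytes:
    """Replay an ordered measurement log and return the resulting PCR value."""
    pcr = PCR_INIT
    for _path, digest in log:
        pcr = extend(pcr, digest)
    return pcr


# Constructed sample measurements: the same four files are measured on every boot.
FILES = ["/usr/bin/a", "/usr/bin/b", "/usr/lib/c.so", "/etc/d.conf"]
MEASUREMENTS = [(p, hashlib.sha256(p.encode()).digest()) for p in FILES]
KNOWN_GOOD = {digest for _path, digest in MEASUREMENTS}


def distinct_pcr_values(measurements) -> set:
    """Every ordering of the same valid measurements gives its own PCR value."""
    return {replay(order) for order in permutations(measurements)}


def unseal_ok(sealed_pcr: bytes, log) -> bool:
    """Seal model: the secret is released only if the PCR equals the sealed value."""
    return replay(log) == sealed_pcr


def quote_ok(quoted_pcr: bytes, log, known_good) -> bool:
    """Attestation model: the log must replay to the quoted PCR and every
    digest must be on the verifier's allowlist; order does not matter."""
    return replay(log) == quoted_pcr and all(d in known_good for _p, d in log)


if __name__ == "__main__":
    boot1 = MEASUREMENTS                  # one thread interleaving
    boot2 = list(reversed(MEASUREMENTS))  # another interleaving, same files
    sealed = replay(boot1)
    print("valid orderings -> distinct PCRs:", len(distinct_pcr_values(MEASUREMENTS)))
    print("unseal on boot1:", unseal_ok(sealed, boot1))
    print("unseal on boot2:", unseal_ok(sealed, boot2))
    print("quote+log on boot2:", quote_ok(replay(boot2), boot2, KNOWN_GOOD))
```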