Hi, As I know, IMA appraisal with digital signature uses the public key on the .ima keyring for verification, and the public key needs to be signed by a certificate embedded into the kernel (CONFIG_SYSTEM_EXTRA_CERTIFICATE). While this approach looks fine, it requires kernel re-gen and re-sign in the context of secure boot. My question is that for IMA appraisal, is it possible to verify the signature with the TPMv2? My intention is leverage the TPMv2 device and to avoid the kernel re-gen/re-sign. For signing, I know I need a tool that uses TPMv2 to sign the executable and write the signature to the xattr of the file. Thanks, Clay
