On 1/6/2021 5:47 AM, Chang, Clay (HPS OE-Linux TDC) wrote:
Hi, As I know, IMA appraisal with digital signature uses the public key on the .ima keyring for verification, and the public key needs to be signed by a certificate embedded into the kernel (CONFIG_SYSTEM_EXTRA_CERTIFICATE). While this approach looks fine, it requires kernel re-gen and re-sign in the context of secure boot. My question is that for IMA appraisal, is it possible to verify the signature with the TPMv2? My intention is leverage the TPMv2 device and to avoid the kernel re-gen/re-sign. For signing, I know I need a tool that uses TPMv2 to sign the executable and write the signature to the xattr of the file.
I don't understand the re-sign piece, so this may not make sense. The TPM can certainly do signature verification as long as you can load the public key. However - It will be very slow compared to software. - If you can load the public key, can't you do the verification in SW? The two main use cases for TPM signature verification are: - In environments where SW does not have crypto. - When the TPM is producing a ticket for a subsequent TPM operation.
