On 10/19/2023 2:49 PM, Tushar Sugandhi wrote:
> f. A new event, "snapshot_aggregate", will be computed and measured
> in the IMA log as part of this feature. It should help the
> remote-attestation client/service to benefit from the IMA log
> snapshot feature.
> The "snapshot_aggregate" event is described in more detail in
> section "D.1 Snapshot Aggregate Event" below.

What is the use case for the snapshot aggregate? My thinking is:

1. The platform must retain the entire measurement list. Early
measurements can never be discarded because a new quote verifier
must receive the entire log starting at the first measurement.
In this case, isn't the snapshot aggregate redundant?

2. There is a disadvantage to redundant data. The verifier must support
this new event type. It receives this event and must validate the
aggregate against the snapshot-ed events. This is an attack surface.
The attacker can send an aggregate and snapshot-ed measurements that do
not match to exploit a flaw in the verifier.
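
Added example, not part of the original message or of the patch series: a verifier-side sketch of the check discussed in point 2, which rejects an aggregate that does not match the snapshot-ed events before anything is compared with the quote. The event model is an assumption (the aggregate is taken to be the SHA-256 PCR value after the snapshot-ed events, and the aggregate event is itself measured as SHA-256 of that value); the real format is in section D.1, which is not reproduced here, and all names and sample data are constructed.

```python
import hashlib

PCR_INIT = bytes(32)  # a SHA-256 PCR reads all zeros after reset

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def replay(digests, start=PCR_INIT):
    """Fold measurement digests into a PCR: pcr = SHA-256(pcr || digest)."""
    pcr = start
    for d in digests:
        if not isinstance(d, bytes) or len(d) != 32:
            raise ValueError("malformed measurement digest")
        pcr = sha256(pcr + d)
    return pcr

def verify(snapshotted, aggregate, live, quoted_pcr):
    """Check a snapshot, its aggregate and the live log against a quoted PCR.

    Assumed model: `aggregate` is the PCR value after the snapshotted events,
    and the aggregate event is itself measured as SHA-256(aggregate) ahead of
    the live events. All four inputs are untrusted until they match the quote.
    """
    try:
        if not isinstance(aggregate, bytes) or len(aggregate) != 32:
            return False, "malformed aggregate"
        if replay(snapshotted) != aggregate:
            return False, "aggregate does not match snapshotted events"
        if replay([sha256(aggregate)] + list(live), start=aggregate) != quoted_pcr:
            return False, "log does not match quoted PCR"
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"

# Constructed sample data: three snapshotted events and two live events.
SNAPSHOT = [sha256(b"constructed-event-%d" % i) for i in range(3)]
LIVE = [sha256(b"constructed-event-%d" % i) for i in range(3, 5)]
AGGREGATE = replay(SNAPSHOT)
QUOTE = replay(SNAPSHOT + [sha256(AGGREGATE)] + LIVE)  # what the TPM would hold

if __name__ == "__main__":
    print(verify(SNAPSHOT, AGGREGATE, LIVE, QUOTE))
    print(verify(SNAPSHOT[:-1], AGGREGATE, LIVE, QUOTE))
```

Under this model, replaying the full log from the first measurement gives the same PCR value as starting from the aggregate, so the aggregate adds no information for a verifier that already holds the snapshot-ed events.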