Hi!
> > > Perhaps I don't understand things fully, but what is the purpose of
> > > providing measurement values locally via proc?
> > >
> > > How can they be trusted without the TPM signing an externally generated
> > > nonce?
> >
> > If you can't trust what the kernel is outputting in /proc, you're screwed.
>
> No, this is not the case. You can establish trust into the measurements
> read through /proc by validating the TPM signature over the measurement
> aggregate on a separate, trusted system. IMA measurements are not intended
> to be used on the local system but on a separate system that is trusted not
> to be compromised. The system validating the measurements does not
> trust
Actually, you "could" also cat /proc files, then verify the signature
by hand (using pen and paper :-).
It seems to me that the mechanism is sound... it does what the docs
says. Another questions is "is it usefull"?
Pavel
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]