On Tue, 2016-02-23 at 10:16 +0000, David Howells wrote: > Mimi Zohar <zo...@linux.vnet.ibm.com> wrote: > > > To measure and appraise just the kexec initramfs, define a policy > > containing: > > Doesn't this require a TPM?
For appraising file signatures, a TPM is definitely not required! Even in the case of making sure that the file measurements are being taken, a TPM is not required. For purposes of testing changes to the asymmetric keys or the key subsystem in general, a TPM is not required. The TPM is needed for quoting PCRs. When a TPM is available, IMA, in addition to adding the file measurements to the run time measurement list, extends a TPM PCR with the file measurements. A trusted third party, can then validate the measurement list against the PCR quote. The real question is which files need to be measured and appraised in order to either prevent or, at least, to be able to detect a system compromise. But for your use case scenario, of making sure that changes to the asymmetric keys or the key subsystem in general has not broken IMA, measuring and appraising a single file should be enough. Mimi