On Jul 18, 2016 17:08, "Stefan Berger" <stef...@us.ibm.com> wrote:
> The point of the TPM is that the device that holds the state of the PCRs provides the signatures over their state rather than some other 'entity' whose trustworthiness wouldn't be clear. Admittedly the device comes with its own set of challenges. The hypervisor holds the PCR state and also provides the signature. If the hypervisor is untrustworthy then the state of the virtualised system can never be verified, since it could simply have faked the measurements passed to whatever the root of trust is.
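As an added illustration of the point made above (example code, not from the thread or any TPM implementation): a toy model of PCR extend and quote verification. The extend rule follows the TPM pattern of hashing the old PCR with the digest of the new measurement; an HMAC stands in for the TPM's asymmetric quote signature, and the key, nonce and measurement lists are constructed here. The verifier recomputes the PCR from the reported event log, checks it against a golden value, and checks the quote. That is enough to catch a tampered boot when the measurer is honest, but whoever holds both the PCR state and the signing key can feed the golden measurements into extend regardless of what actually ran, and the verifier sees an identical, valid quote. The verdict is therefore only as strong as the trust in the key holder.

```python
"""Toy PCR/quote model (added example; assumptions: HMAC in place of a real
TPM signature, SHA-256 PCR bank, constructed key, nonce and event logs)."""
import hashlib
import hmac

# Constructed sample data: the expected ("golden") boot measurement log and
# a log where the kernel measurement differs.
GOLDEN_EVENTS = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_EVENTS = [b"firmware-v1", b"bootloader-v1", b"kernel-evil"]
ATTEST_KEY = b"constructed-attestation-key"   # assumption: held by the quoting device
NONCE = b"constructed-nonce-0001"             # verifier-chosen freshness value


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def replay_log(events) -> bytes:
    """Recompute the PCR value from an ordered event log, starting from zeros."""
    pcr = bytes(32)
    for ev in events:
        pcr = extend(pcr, ev)
    return pcr


def quote(key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Signature over PCR state plus nonce; HMAC stands in for the TPM key."""
    return hmac.new(key, b"quote|" + pcr + b"|" + nonce, hashlib.sha256).digest()


def honest_attest(key: bytes, booted_events, nonce: bytes):
    """A measurer that extends exactly what it booted and reports that log."""
    pcr = replay_log(booted_events)
    return booted_events, pcr, quote(key, pcr, nonce)


def untrusted_hypervisor_attest(key: bytes, booted_events, reported_events, nonce: bytes):
    """A key holder that controls the PCR state: it extends the log it wants
    the verifier to see, ignoring what actually booted."""
    del booted_events  # what really ran never reaches the PCRs
    pcr = replay_log(reported_events)
    return reported_events, pcr, quote(key, pcr, nonce)


def verify(key: bytes, golden_pcr: bytes, nonce: bytes, events, pcr: bytes, sig: bytes) -> bool:
    """Verifier: quote must be valid for this nonce, the reported PCR must be
    reproducible from the event log, and it must equal the golden value."""
    if not hmac.compare_digest(quote(key, pcr, nonce), sig):
        return False
    return pcr == replay_log(events) and pcr == golden_pcr


def scenario_results():
    """Run the three cases the thread contrasts and return their verdicts."""
    golden_pcr = replay_log(GOLDEN_EVENTS)

    # 1. Honest device, expected boot: verifies.
    ok_honest = verify(ATTEST_KEY, golden_pcr, NONCE,
                       *honest_attest(ATTEST_KEY, GOLDEN_EVENTS, NONCE))

    # 2. Honest device, tampered boot: PCR differs from golden, rejected.
    ok_tampered = verify(ATTEST_KEY, golden_pcr, NONCE,
                         *honest_attest(ATTEST_KEY, TAMPERED_EVENTS, NONCE))

    # 3. Untrusted hypervisor booted the tampered log but extended the golden
    #    one: the quote is indistinguishable from case 1 and is accepted.
    ok_faked = verify(ATTEST_KEY, golden_pcr, NONCE,
                      *untrusted_hypervisor_attest(ATTEST_KEY, TAMPERED_EVENTS,
                                                   GOLDEN_EVENTS, NONCE))
    return {"honest": ok_honest, "tampered": ok_tampered, "faked_by_key_holder": ok_faked}


if __name__ == "__main__":
    for name, verdict in scenario_results().items():
        print(f"{name}: {'accepted' if verdict else 'rejected'}")
```

Case 3 is the thread's point: nothing in the verifier's arithmetic distinguishes it from case 1, because the same party produced both the PCR state and the signature. A hardware TPM narrows this by putting the PCR bank and the key in a device the host software cannot rewrite, which is why the quoting device, not the hypervisor, must be the root of trust.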