On Jul 18, 2016 17:46, "Stefan Berger" <stef...@us.ibm.com> wrote:
>
> Matthew Garrett <mj...@coreos.com> wrote on 07/18/2016 08:39:07 PM:
> >
> > On Jul 18, 2016 17:08, "Stefan Berger" <stef...@us.ibm.com> wrote:
> > > The point of the TPM is that the device that holds the state of
> > > the PCRs provides the signatures over their state rather than some
> > > other 'entity' whose trustworthiness wouldn't be clear. Admittedly
> > > the device comes with its own set of challenges.
> >
> > The hypervisor holds the PCR state and also provides the signature.
> > If the hypervisor is untrustworthy then the state of the virtualised
> > system can never be verified, since it could simply have faked the
> > measurements passed to whatever the root of trust is.
>
> So the hypervisor will have the key for signing and provide the quote?
Either the hypervisor itself or part of the associated platform. This framework is typically inside the same trust boundary.
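As an added example (not code from the thread), a minimal Python model of the quote being discussed: the entity that holds both the PCR bank and the signing key can sign any PCR state, so a verifier's confidence in the quote reduces to its trust in that entity. Using an HMAC key in place of the TPM's asymmetric attestation key is an assumption made to keep the model self-contained.

```python
import hashlib
import hmac

NUM_PCRS = 4
PCR_LEN = 32  # SHA-256 digest length

class VirtualTPM:
    """PCR bank and quote signer held by one entity, e.g. the hypervisor."""

    def __init__(self, signing_key):
        # Assumption: an HMAC key stands in for the TPM's asymmetric
        # attestation key, so signer and verifier share it in this model.
        self.pcrs = [bytes(PCR_LEN) for _ in range(NUM_PCRS)]
        self._key = signing_key

    def extend(self, index, measurement):
        """PCR[index] = SHA-256(PCR[index] || SHA-256(measurement))."""
        self.pcrs[index] = extend_value(self.pcrs[index], measurement)
        return self.pcrs[index]

    def quote(self, nonce):
        """Signature over nonce || all PCR values as currently held."""
        body = nonce + b"".join(self.pcrs)
        return list(self.pcrs), hmac.new(self._key, body, "sha256").digest()

def extend_value(current, measurement):
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(current + digest).digest()

def verify_quote(key, nonce, pcrs, signature):
    """Verifier side: checks that the nonce and reported PCRs were signed."""
    body = nonce + b"".join(pcrs)
    return hmac.compare_digest(hmac.new(key, body, "sha256").digest(), signature)

def replay_log(event_log):
    """Verifier recomputes expected PCRs from a (pcr index, bytes) event log."""
    expected = [bytes(PCR_LEN) for _ in range(NUM_PCRS)]
    for index, measurement in event_log:
        expected[index] = extend_value(expected[index], measurement)
    return expected

def quote_claimed_state(key, nonce, claimed_pcrs):
    """The key holder reports PCR values it never measured into; the quote
    still verifies, so the verdict is only as trustworthy as the signer."""
    tpm = VirtualTPM(key)
    tpm.pcrs = list(claimed_pcrs)
    return tpm.quote(nonce)
```

The verifier can replay an event log against the reported PCRs, but that check only says the log and the quote agree; it cannot tell whether the signer actually performed the measurements.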