From: Reiner S. <sa...@us...> - 2007-07-25 03:03:33
Hi Bhanu,

yes, it is decided by the challenger when to request an attestation. The challenger sends a nonce to the TPM/IMA-system. This nonce is included in the signature of the TPM PCR. This way, the challenger (receiving the signed PCR) is sure that the TPM signature was done AFTER the challenge was sent (unless the nonce is predictable ... let's not go there).

---> the TPM PCR will be as fresh as the challenge and any measurement that occurred since reboot must be included in the measurement list if the TPM PCR verifies the list correctly.

Of course, it is up to the TPM/IMA system to respond to challenges. Access control should be applied to make sure that only authorized challengers obtain run-time information from the TPM/IMA system.

Reiner

__________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280 (t/l 863) Fax: 914 784 6205, sa...@us...
http://www.research.ibm.com/people/s/sailer/

Bhanu <bha...@gm...>
Sent by: lin...@li...
07/23/2007 01:49 AM

To: lin...@li...
cc:
Subject: [Linux-ima-user] When should attestation be performed by the challenger?

Hi,

Spec. says by doing attestation challenger is able to attest a remote entity, but doesn't say anything like when to do that. I hope it is completely dependent on the challenger, when and how many times it wants to attest to perform a particular transaction.

Thanks & Regards,
-Bhanu.
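The nonce-based freshness check described in the reply above, as an added example that is not part of the original thread or of the IMA project's code. It simulates both sides: the challenger issues an unpredictable nonce, the TPM/IMA system returns a quote binding the PCR value to that nonce together with its measurement list, and the challenger checks that the nonce is one it issued and not yet consumed, that the quote signature verifies, and that replaying the list from the reboot state reproduces the quoted PCR. Assumptions not stated on the page: PCR 10 and SHA-1 extends (IMA's defaults), a simplified template hash, and an HMAC with a shared key standing in for the TPM's attestation-key signature. All file contents and keys are constructed sample values.

```python
import hashlib
import hmac
import os

# IMA extends file measurements into PCR 10 with SHA-1 (IMA default; assumed here).
PCR_INDEX = 10
PCR_INITIAL = bytes(20)  # a PCR reads as all zeros after reboot


def extend(pcr: bytes, template_hash: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA-1(old PCR || template hash)."""
    return hashlib.sha1(pcr + template_hash).digest()


def replay_pcr(measurement_list) -> bytes:
    """Challenger side: recompute the PCR from the list, starting at the reboot state."""
    pcr = PCR_INITIAL
    for entry in measurement_list:
        pcr = extend(pcr, entry["template_hash"])
    return pcr


class Attester:
    """Simulated TPM/IMA system. The quote 'signature' is an HMAC over a shared
    key; a real TPM signs with an attestation key (stand-in, assumption)."""

    def __init__(self, quote_key: bytes):
        self._quote_key = quote_key
        self._measurements = []
        self._pcr = PCR_INITIAL

    def measure(self, path: str, content: bytes) -> None:
        """Record a file measurement and extend it into the PCR (as IMA does)."""
        file_hash = hashlib.sha1(content).digest()
        # Hypothetical template hash; real IMA templates format the entry differently.
        template_hash = hashlib.sha1(file_hash + path.encode()).digest()
        self._measurements.append(
            {"path": path, "file_hash": file_hash, "template_hash": template_hash}
        )
        self._pcr = extend(self._pcr, template_hash)

    def quote(self, nonce: bytes) -> dict:
        """Sign (PCR index, PCR value, challenger nonce) and return the current list."""
        signed = bytes([PCR_INDEX]) + self._pcr + nonce
        return {
            "pcr_index": PCR_INDEX,
            "pcr": self._pcr,
            "nonce": nonce,
            "signature": hmac.new(self._quote_key, signed, hashlib.sha256).digest(),
            "measurement_list": list(self._measurements),
        }


class Challenger:
    """Verifier that decides when to attest and checks freshness and integrity."""

    def __init__(self, quote_key: bytes):
        self._quote_key = quote_key
        self._outstanding = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(20)  # unpredictable, so no quote can predate it
        self._outstanding.add(nonce)
        return nonce

    def verify(self, quote: dict):
        nonce = quote["nonce"]
        if nonce not in self._outstanding:
            return False, "nonce not issued by us or already consumed (replay)"
        self._outstanding.discard(nonce)  # exactly one quote per challenge
        signed = bytes([quote["pcr_index"]]) + quote["pcr"] + nonce
        expected = hmac.new(self._quote_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, quote["signature"]):
            return False, "quote signature invalid"
        # The PCR vouches for the list: any entry since reboot must be present.
        if replay_pcr(quote["measurement_list"]) != quote["pcr"]:
            return False, "measurement list does not reproduce the quoted PCR"
        return True, "ok"


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed shared key (stand-in for the TPM's attestation key)
    attester = Attester(key)
    attester.measure("/bin/ls", b"constructed ls contents")
    attester.measure("/etc/passwd", b"root:x:0:0:root:/root:/bin/sh")
    challenger = Challenger(key)
    nonce = challenger.challenge()
    quote = attester.quote(nonce)
    print("fresh quote:", challenger.verify(quote))
    print("same quote again:", challenger.verify(quote))
    quote2 = attester.quote(challenger.challenge())
    quote2["measurement_list"] = quote2["measurement_list"][:-1]  # hide the last entry
    print("truncated list:", challenger.verify(quote2))
```

The nonce set is what makes "as fresh as the challenge" enforceable: a quote can be accepted only once and only against a nonce the challenger itself generated, so a captured quote cannot be replayed later, and a list with entries dropped fails the PCR replay even though the signature is still valid.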