Verify IMR

Charles Fisher

Verify Integrity Measurement Report (IMR)

This module is responsible for verifying an IMR. The IMR, which reports the current state of a client system, consists of a quote from the TPM containing the current state of selected Platform Configuration Registers (PCRs), as well as the current Integrity Measurement List (IML), which is a snapshot list of all of the files the client kernel has measured since boot. Because the results of these measurements are accumulated in PCR10, it is possible to validate that the IML has not been tampered with prior to sending the report. It is therefore possible to verify that the actual measurements of the files correspond to the "golden" values generated at the time the system was built. See the [RIMM tools] page for further information.

Additionally, there are a number of IMR auxiliary programs that support the process of verifying an IMR. These are:
buildcrlfile, which is responsible for creating a current Certificate Revocation List (CRL) based on the current CRL held by the Certificate Authority (CA).
buildlists, which is responsible for processing the must_be_present and dont_care lists.
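The check described above (replay the IML into PCR10, compare with the quoted value, then compare each file measurement against the golden values while honouring the must_be_present and dont_care lists), as an added illustration that is not code from this project. It assumes a SHA-1 PCR bank and uses a simplified stand-in for the kernel's per-entry template hash; the function and variable names are hypothetical.

```python
import hashlib
from typing import Dict, List, Set, Tuple

PCR_SIZE = 20  # SHA-1 PCR bank (TPM 1.2 style), assumption for this example

IMLEntry = Tuple[str, bytes]  # (file path, SHA-1 digest of the file contents)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new_pcr = SHA1(old_pcr || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def template_digest(path: str, file_digest: bytes) -> bytes:
    """Per-entry digest extended into PCR10. Simplified stand-in for the
    kernel's IMA template hash (assumption, not the exact kernel format)."""
    return hashlib.sha1(file_digest + path.encode()).digest()


def replay_iml(iml: List[IMLEntry]) -> bytes:
    """Recompute PCR10 from the IML, in order, starting from an all-zero PCR."""
    pcr = bytes(PCR_SIZE)
    for path, file_digest in iml:
        pcr = extend(pcr, template_digest(path, file_digest))
    return pcr


def verify_imr(quoted_pcr10: bytes, iml: List[IMLEntry], golden: Dict[str, bytes],
               must_be_present: Set[str], dont_care: Set[str]) -> Tuple[bool, List[str]]:
    """Return (ok, problems). Any problem means the client fails attestation."""
    problems = []
    # 1. The IML must replay to the quoted PCR10, otherwise it was altered or truncated.
    if replay_iml(iml) != quoted_pcr10:
        problems.append("PCR10 mismatch: IML does not replay to the quoted value")
    # 2. Every measured file must match its golden value unless it is in dont_care.
    seen = set()
    for path, file_digest in iml:
        seen.add(path)
        if path in dont_care:
            continue
        expected = golden.get(path)
        if expected is None:
            problems.append(f"unknown file measured: {path}")
        elif expected != file_digest:
            problems.append(f"measurement mismatch: {path}")
    # 3. Files on the must_be_present list have to appear in the IML at all.
    for path in must_be_present:
        if path not in seen:
            problems.append(f"required file never measured: {path}")
    return (not problems, problems)


# Constructed sample data (not real measurements).
def constructed_digest(label: str) -> bytes:
    return hashlib.sha1(label.encode()).digest()

GOLDEN = {"/sbin/init": constructed_digest("init-v1"), "/bin/bash": constructed_digest("bash-v1")}
GOOD_IML = [("/sbin/init", constructed_digest("init-v1")),
            ("/bin/bash", constructed_digest("bash-v1")),
            ("/tmp/scratch", constructed_digest("scratch"))]
MUST_BE_PRESENT = {"/sbin/init"}
DONT_CARE = {"/tmp/scratch"}
```

Because the replay walks the list in order, an entry that is modified, removed or reordered after the fact changes the recomputed PCR10 and is caught by the first check even before the per-file comparison runs.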

This module is delivered as a source RPM which produces a single binary RPM which is installed on the Policy Decision Point (PDP) system. This binary RPM will create a library for the Verify IMR functions, which are invoked by freeradius-server upon receipt of an IMR for a client system. Among the other files created by this RPM will be several configuration files.

This module depends on the RIMM file created by the [RIMM tools]. In addition, it is primarily a subroutine library that is invoked by [freeradius-server] when an IMR is received. The current implementation assumes that the programs are running on a 32-bit CentOS 5.4 system, although if the file pcrs.c is recompiled with LDAP_REQUIRED=1 set, then Integrity Measurement Verification (IMV) can take place on a virtual machine running CentOS 5.4 hosted on a Windows server. In this case it assumes that the PDP Certificate Authority resides on the Windows server, and that the AIK certificates and golden PCRs are stored in Active Directory on the Windows server.

Related

Wiki: Attestation Utilities
Wiki: Home
Wiki: Key Manager
Wiki: freeradius-server