My goal is to use the TPM to perform system boot integrity checks. My server's UEFI firmware can extend PCRs with hash values of the firmware modules along the boot chain. So this is what I have to build on.

As I am researching how to do this securely, I came upon some questions:

1. I understand that I will need to create an AIK (an RSA key pair) to sign the PCRs. Can I create a Privacy CA to issue a certificate for the AIK I created? Do I also need the TPM manufacturer's EK certificate in this process? Another question is how this signing process is accomplished: is it done automatically by the TPM, or does an external piece of software do it once bootup is done?

2. In order to compare the real-time measured PCR values to "known good ones", where do I store the "known good values" to start with? I can think of two places: one is inside the TPM somewhere and the other is outside the TPM in a remote secure location. What's the recommendation?

3. Can this check be accomplished by using commands in tpm_tools? Or will I have to program against the TrouSerS C API?

Thanks.
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
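As an added example (not from the original post, TrouSerS or tpm_tools), here is a Python sketch of the comparison asked about in question 2: parse the PCR listing that the Linux TPM 1.2 driver exposes through sysfs (the path is an assumption) and diff it against known-good values kept outside the TPM; predict_pcr shows how such a golden value is derived from known-good module digests with the TPM 1.2 extend rule.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed sample in the line format the Linux TPM 1.2 driver exposes at
# /sys/class/misc/tpm0/device/pcrs (path and values are assumptions here).
SAMPLE_PCRS = """\
PCR-00: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-01: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-04: 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 FF EE DD CC
PCR-07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Known-good values held outside the TPM (e.g. on the attestation server).
# Only the PCRs listed here are policed; the values are constructed.
GOLDEN = {
    0: "3a3f780f11a4b49969fcaa80cd6e3957c33b2275",
    1: "3a3f780f11a4b49969fcaa80cd6e3957c33b2275",
    4: "0f0e0d0c0b0a09080706050403020100ffeeddcc",
}

PCR_LINE = re.compile(r"^PCR-(\d{2}):\s*((?:[0-9A-Fa-f]{2}\s*){20})$")

def parse_pcrs(text: str) -> Dict[int, str]:
    """Map PCR index -> 40-char lowercase SHA-1 hex from the sysfs listing."""
    pcrs: Dict[int, str] = {}
    for line in text.splitlines():
        m = PCR_LINE.match(line.strip())
        if m:
            pcrs[int(m.group(1))] = m.group(2).replace(" ", "").lower()
    return pcrs

def check_boot_integrity(measured: Dict[int, str], golden: Dict[int, str]) -> List[str]:
    """Return one line per policed PCR that is absent or does not match."""
    problems = []
    for idx, expected in sorted(golden.items()):
        actual = measured.get(idx)
        if actual is None:
            problems.append(f"PCR-{idx:02d}: missing from measurement")
        elif actual != expected:
            problems.append(f"PCR-{idx:02d}: expected {expected}, got {actual}")
    return problems

def predict_pcr(module_digests: Iterable[bytes]) -> str:
    """Golden value for a PCR from the ordered SHA-1 digests of its modules."""
    # TPM 1.2 extend rule: PCR = SHA-1(PCR || digest), starting at 20 zero bytes.
    pcr = bytes(20)
    for digest in module_digests:
        pcr = hashlib.sha1(pcr + digest).digest()
    return pcr.hex()
```

Any non-empty list from check_boot_integrity means the measured boot chain diverged from the policy; a quote signed by the AIK is what lets a remote verifier trust that the listing really came from this TPM.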