On 8/1/2023 3:12 PM, Sush Shringarputale wrote:

For remote attestation to work, the service will need to know how to
 validate the snapshot_aggregate entry in the IMA log.  It will have
to read the PCR values present in the template data of
snapshot_aggregate event in the latest IMA log, and ensure that the
PCR quotes align with the contents of the past UM_snapshot_file(s).
This will re-establish the chain of trust needed for the device to
pass remote attestation.  This will also maintain the ability of the
remote-attestation-service to seal the secrets, if the client-server
 use TPM unseal mechanism to attest the state of the device.

I think that seal/unseal to IMA PCRs is futile.  Since boot is
multi-threaded, the IMA PCR is unpredictable even when valid.