| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216 |
- .. SPDX-License-Identifier: GPL-2.0-only
- TPM Security
- ============
- The object of this document is to describe how we make the kernel's
- use of the TPM reasonably robust in the face of external snooping and
- packet alteration attacks (called passive and active interposer attack
- in the literature). The current security document is for TPM 2.0.
- Introduction
- ------------
- The TPM is usually a discrete chip attached to a PC via some type of
- low bandwidth bus. There are exceptions to this such as the Intel
- PTT, which is a software TPM running inside a software environment
- close to the CPU, which are subject to different attacks, but right at
- the moment, most hardened security environments require a discrete
- hardware TPM, which is the use case discussed here.
- Snooping and Alteration Attacks against the bus
- -----------------------------------------------
- The current state of the art for snooping the `TPM Genie`_ hardware
- interposer which is a simple external device that can be installed in
- a couple of seconds on any system or laptop. Recently attacks were
- successfully demonstrated against the `Windows Bitlocker TPM`_ system.
- Most recently the same `attack against TPM based Linux disk
- encryption`_ schemes. The next phase of research seems to be hacking
- existing devices on the bus to act as interposers, so the fact that
- the attacker requires physical access for a few seconds might
- evaporate. However, the goal of this document is to protect TPM
- secrets and integrity as far as we are able in this environment and to
- try to insure that if we can't prevent the attack then at least we can
- detect it.
- Unfortunately, most of the TPM functionality, including the hardware
- reset capability can be controlled by an attacker who has access to
- the bus, so we'll discuss some of the disruption possibilities below.
- Measurement (PCR) Integrity
- ---------------------------
- Since the attacker can send their own commands to the TPM, they can
- send arbitrary PCR extends and thus disrupt the measurement system,
- which would be an annoying denial of service attack. However, there
- are two, more serious, classes of attack aimed at entities sealed to
- trust measurements.
- 1. The attacker could intercept all PCR extends coming from the system
- and completely substitute their own values, producing a replay of
- an untampered state that would cause PCR measurements to attest to
- a trusted state and release secrets
- 2. At some point in time the attacker could reset the TPM, clearing
- the PCRs and then send down their own measurements which would
- effectively overwrite the boot time measurements the TPM has
- already done.
- The first can be thwarted by always doing HMAC protection of the PCR
- extend and read command meaning measurement values cannot be
- substituted without producing a detectable HMAC failure in the
- response. However, the second can only really be detected by relying
- on some sort of mechanism for protection which would change over TPM
- reset.
- Secrets Guarding
- ----------------
- Certain information passing in and out of the TPM, such as key sealing
- and private key import and random number generation, is vulnerable to
- interception which HMAC protection alone cannot protect against, so
- for these types of command we must also employ request and response
- encryption to prevent the loss of secret information.
- Establishing Initial Trust with the TPM
- ---------------------------------------
- In order to provide security from the beginning, an initial shared or
- asymmetric secret must be established which must also be unknown to
- the attacker. The most obvious avenues for this are the endorsement
- and storage seeds, which can be used to derive asymmetric keys.
- However, using these keys is difficult because the only way to pass
- them into the kernel would be on the command line, which requires
- extensive support in the boot system, and there's no guarantee that
- either hierarchy would not have some type of authorization.
- The mechanism chosen for the Linux Kernel is to derive the primary
- elliptic curve key from the null seed using the standard storage seed
- parameters. The null seed has two advantages: firstly the hierarchy
- physically cannot have an authorization, so we are always able to use
- it and secondly, the null seed changes across TPM resets, meaning if
- we establish trust on the null seed at start of day, all sessions
- salted with the derived key will fail if the TPM is reset and the seed
- changes.
- Obviously using the null seed without any other prior shared secrets,
- we have to create and read the initial public key which could, of
- course, be intercepted and substituted by the bus interposer.
- However, the TPM has a key certification mechanism (using the EK
- endorsement certificate, creating an attestation identity key and
- certifying the null seed primary with that key) which is too complex
- to run within the kernel, so we keep a copy of the null primary key
- name, which is what is exported via sysfs so user-space can run the
- full certification when it boots. The definitive guarantee here is
- that if the null primary key certifies correctly, you know all your
- TPM transactions since start of day were secure and if it doesn't, you
- know there's an interposer on your system (and that any secret used
- during boot may have been leaked).
- Stacking Trust
- --------------
- In the current null primary scenario, the TPM must be completely
- cleared before handing it on to the next consumer. However the kernel
- hands to user-space the name of the derived null seed key which can
- then be verified by certification in user-space. Therefore, this chain
- of name handoff can be used between the various boot components as
- well (via an unspecified mechanism). For instance, grub could use the
- null seed scheme for security and hand the name off to the kernel in
- the boot area. The kernel could make its own derivation of the key
- and the name and know definitively that if they differ from the handed
- off version that tampering has occurred. Thus it becomes possible to
- chain arbitrary boot components together (UEFI to grub to kernel) via
- the name handoff provided each successive component knows how to
- collect the name and verifies it against its derived key.
- Session Properties
- ------------------
- All TPM commands the kernel uses allow sessions. HMAC sessions may be
- used to check the integrity of requests and responses and decrypt and
- encrypt flags may be used to shield parameters and responses. The
- HMAC and encryption keys are usually derived from the shared
- authorization secret, but for a lot of kernel operations that is well
- known (and usually empty). Thus, every HMAC session used by the
- kernel must be created using the null primary key as the salt key
- which thus provides a cryptographic input into the session key
- derivation. Thus, the kernel creates the null primary key once (as a
- volatile TPM handle) and keeps it around in a saved context stored in
- tpm_chip for every in-kernel use of the TPM. Currently, because of a
- lack of de-gapping in the in-kernel resource manager, the session must
- be created and destroyed for each operation, but, in future, a single
- session may also be reused for the in-kernel HMAC, encryption and
- decryption sessions.
- Protection Types
- ----------------
- For every in-kernel operation we use null primary salted HMAC to
- protect the integrity. Additionally, we use parameter encryption to
- protect key sealing and parameter decryption to protect key unsealing
- and random number generation.
- Null Primary Key Certification in Userspace
- ===========================================
- Every TPM comes shipped with a couple of X.509 certificates for the
- primary endorsement key. This document assumes that the Elliptic
- Curve version of the certificate exists at 01C00002, but will work
- equally well with the RSA certificate (at 01C00001).
- The first step in the certification is primary creation using the
- template from the `TCG EK Credential Profile`_ which allows comparison
- of the generated primary key against the one in the certificate (the
- public key must match). Note that generation of the EK primary
- requires the EK hierarchy password, but a pre-generated version of the
- EC primary should exist at 81010002 and a TPM2_ReadPublic() may be
- performed on this without needing the key authority. Next, the
- certificate itself must be verified to chain back to the manufacturer
- root (which should be published on the manufacturer website). Once
- this is done, an attestation key (AK) is generated within the TPM and
- it's name and the EK public key can be used to encrypt a secret using
- TPM2_MakeCredential. The TPM then runs TPM2_ActivateCredential which
- will only recover the secret if the binding between the TPM, the EK
- and the AK is true. the generated AK may now be used to run a
- certification of the null primary key whose name the kernel has
- exported. Since TPM2_MakeCredential/ActivateCredential are somewhat
- complicated, a more simplified process involving an externally
- generated private key is described below.
- This process is a simplified abbreviation of the usual privacy CA
- based attestation process. The assumption here is that the
- attestation is done by the TPM owner who thus has access to only the
- owner hierarchy. The owner creates an external public/private key
- pair (assume elliptic curve in this case) and wraps the private key
- for import using an inner wrapping process and parented to the EC
- derived storage primary. The TPM2_Import() is done using a parameter
- decryption HMAC session salted to the EK primary (which also does not
- require the EK key authority) meaning that the inner wrapping key is
- the encrypted parameter and thus the TPM will not be able to perform
- the import unless is possesses the certified EK so if the command
- succeeds and the HMAC verifies on return we know we have a loadable
- copy of the private key only for the certified TPM. This key is now
- loaded into the TPM and the Storage primary flushed (to free up space
- for the null key generation).
- The null EC primary is now generated using the Storage profile
- outlined in the `TCG TPM v2.0 Provisioning Guidance`_; the name of
- this key (the hash of the public area) is computed and compared to the
- null seed name presented by the kernel in
- /sys/class/tpm/tpm0/null_name. If the names do not match, the TPM is
- compromised. If the names match, the user performs a TPM2_Certify()
- using the null primary as the object handle and the loaded private key
- as the sign handle and providing randomized qualifying data. The
- signature of the returned certifyInfo is verified against the public
- part of the loaded private key and the qualifying data checked to
- prevent replay. If all of these tests pass, the user is now assured
- that TPM integrity and privacy was preserved across the entire boot
- sequence of this kernel.
- .. _TPM Genie: https://www.nccgroup.trust/globalassets/about-us/us/documents/tpm-genie.pdf
- .. _Windows Bitlocker TPM: https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network
- .. _attack against TPM based Linux disk encryption: https://www.secura.com/blog/tpm-sniffing-attacks-against-non-bitlocker-targets
- .. _TCG EK Credential Profile: https://trustedcomputinggroup.org/resource/tcg-ek-credential-profile-for-tpm-family-2-0/
- .. _TCG TPM v2.0 Provisioning Guidance: https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
|