tpm-security.rst 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216
  1. .. SPDX-License-Identifier: GPL-2.0-only
  2. TPM Security
  3. ============
  4. The object of this document is to describe how we make the kernel's
  5. use of the TPM reasonably robust in the face of external snooping and
  6. packet alteration attacks (called passive and active interposer attack
  7. in the literature). The current security document is for TPM 2.0.
  8. Introduction
  9. ------------
  10. The TPM is usually a discrete chip attached to a PC via some type of
  11. low bandwidth bus. There are exceptions to this such as the Intel
  12. PTT, which is a software TPM running inside a software environment
  13. close to the CPU, which are subject to different attacks, but right at
  14. the moment, most hardened security environments require a discrete
  15. hardware TPM, which is the use case discussed here.
  16. Snooping and Alteration Attacks against the bus
  17. -----------------------------------------------
  18. The current state of the art for snooping the `TPM Genie`_ hardware
  19. interposer which is a simple external device that can be installed in
  20. a couple of seconds on any system or laptop. Recently attacks were
  21. successfully demonstrated against the `Windows Bitlocker TPM`_ system.
  22. Most recently the same `attack against TPM based Linux disk
  23. encryption`_ schemes. The next phase of research seems to be hacking
  24. existing devices on the bus to act as interposers, so the fact that
  25. the attacker requires physical access for a few seconds might
  26. evaporate. However, the goal of this document is to protect TPM
  27. secrets and integrity as far as we are able in this environment and to
  28. try to insure that if we can't prevent the attack then at least we can
  29. detect it.
  30. Unfortunately, most of the TPM functionality, including the hardware
  31. reset capability can be controlled by an attacker who has access to
  32. the bus, so we'll discuss some of the disruption possibilities below.
  33. Measurement (PCR) Integrity
  34. ---------------------------
  35. Since the attacker can send their own commands to the TPM, they can
  36. send arbitrary PCR extends and thus disrupt the measurement system,
  37. which would be an annoying denial of service attack. However, there
  38. are two, more serious, classes of attack aimed at entities sealed to
  39. trust measurements.
  40. 1. The attacker could intercept all PCR extends coming from the system
  41. and completely substitute their own values, producing a replay of
  42. an untampered state that would cause PCR measurements to attest to
  43. a trusted state and release secrets
  44. 2. At some point in time the attacker could reset the TPM, clearing
  45. the PCRs and then send down their own measurements which would
  46. effectively overwrite the boot time measurements the TPM has
  47. already done.
  48. The first can be thwarted by always doing HMAC protection of the PCR
  49. extend and read command meaning measurement values cannot be
  50. substituted without producing a detectable HMAC failure in the
  51. response. However, the second can only really be detected by relying
  52. on some sort of mechanism for protection which would change over TPM
  53. reset.
  54. Secrets Guarding
  55. ----------------
  56. Certain information passing in and out of the TPM, such as key sealing
  57. and private key import and random number generation, is vulnerable to
  58. interception which HMAC protection alone cannot protect against, so
  59. for these types of command we must also employ request and response
  60. encryption to prevent the loss of secret information.
  61. Establishing Initial Trust with the TPM
  62. ---------------------------------------
  63. In order to provide security from the beginning, an initial shared or
  64. asymmetric secret must be established which must also be unknown to
  65. the attacker. The most obvious avenues for this are the endorsement
  66. and storage seeds, which can be used to derive asymmetric keys.
  67. However, using these keys is difficult because the only way to pass
  68. them into the kernel would be on the command line, which requires
  69. extensive support in the boot system, and there's no guarantee that
  70. either hierarchy would not have some type of authorization.
  71. The mechanism chosen for the Linux Kernel is to derive the primary
  72. elliptic curve key from the null seed using the standard storage seed
  73. parameters. The null seed has two advantages: firstly the hierarchy
  74. physically cannot have an authorization, so we are always able to use
  75. it and secondly, the null seed changes across TPM resets, meaning if
  76. we establish trust on the null seed at start of day, all sessions
  77. salted with the derived key will fail if the TPM is reset and the seed
  78. changes.
  79. Obviously using the null seed without any other prior shared secrets,
  80. we have to create and read the initial public key which could, of
  81. course, be intercepted and substituted by the bus interposer.
  82. However, the TPM has a key certification mechanism (using the EK
  83. endorsement certificate, creating an attestation identity key and
  84. certifying the null seed primary with that key) which is too complex
  85. to run within the kernel, so we keep a copy of the null primary key
  86. name, which is what is exported via sysfs so user-space can run the
  87. full certification when it boots. The definitive guarantee here is
  88. that if the null primary key certifies correctly, you know all your
  89. TPM transactions since start of day were secure and if it doesn't, you
  90. know there's an interposer on your system (and that any secret used
  91. during boot may have been leaked).
  92. Stacking Trust
  93. --------------
  94. In the current null primary scenario, the TPM must be completely
  95. cleared before handing it on to the next consumer. However the kernel
  96. hands to user-space the name of the derived null seed key which can
  97. then be verified by certification in user-space. Therefore, this chain
  98. of name handoff can be used between the various boot components as
  99. well (via an unspecified mechanism). For instance, grub could use the
  100. null seed scheme for security and hand the name off to the kernel in
  101. the boot area. The kernel could make its own derivation of the key
  102. and the name and know definitively that if they differ from the handed
  103. off version that tampering has occurred. Thus it becomes possible to
  104. chain arbitrary boot components together (UEFI to grub to kernel) via
  105. the name handoff provided each successive component knows how to
  106. collect the name and verifies it against its derived key.
  107. Session Properties
  108. ------------------
  109. All TPM commands the kernel uses allow sessions. HMAC sessions may be
  110. used to check the integrity of requests and responses and decrypt and
  111. encrypt flags may be used to shield parameters and responses. The
  112. HMAC and encryption keys are usually derived from the shared
  113. authorization secret, but for a lot of kernel operations that is well
  114. known (and usually empty). Thus, every HMAC session used by the
  115. kernel must be created using the null primary key as the salt key
  116. which thus provides a cryptographic input into the session key
  117. derivation. Thus, the kernel creates the null primary key once (as a
  118. volatile TPM handle) and keeps it around in a saved context stored in
  119. tpm_chip for every in-kernel use of the TPM. Currently, because of a
  120. lack of de-gapping in the in-kernel resource manager, the session must
  121. be created and destroyed for each operation, but, in future, a single
  122. session may also be reused for the in-kernel HMAC, encryption and
  123. decryption sessions.
  124. Protection Types
  125. ----------------
  126. For every in-kernel operation we use null primary salted HMAC to
  127. protect the integrity. Additionally, we use parameter encryption to
  128. protect key sealing and parameter decryption to protect key unsealing
  129. and random number generation.
  130. Null Primary Key Certification in Userspace
  131. ===========================================
  132. Every TPM comes shipped with a couple of X.509 certificates for the
  133. primary endorsement key. This document assumes that the Elliptic
  134. Curve version of the certificate exists at 01C00002, but will work
  135. equally well with the RSA certificate (at 01C00001).
  136. The first step in the certification is primary creation using the
  137. template from the `TCG EK Credential Profile`_ which allows comparison
  138. of the generated primary key against the one in the certificate (the
  139. public key must match). Note that generation of the EK primary
  140. requires the EK hierarchy password, but a pre-generated version of the
  141. EC primary should exist at 81010002 and a TPM2_ReadPublic() may be
  142. performed on this without needing the key authority. Next, the
  143. certificate itself must be verified to chain back to the manufacturer
  144. root (which should be published on the manufacturer website). Once
  145. this is done, an attestation key (AK) is generated within the TPM and
  146. it's name and the EK public key can be used to encrypt a secret using
  147. TPM2_MakeCredential. The TPM then runs TPM2_ActivateCredential which
  148. will only recover the secret if the binding between the TPM, the EK
  149. and the AK is true. the generated AK may now be used to run a
  150. certification of the null primary key whose name the kernel has
  151. exported. Since TPM2_MakeCredential/ActivateCredential are somewhat
  152. complicated, a more simplified process involving an externally
  153. generated private key is described below.
  154. This process is a simplified abbreviation of the usual privacy CA
  155. based attestation process. The assumption here is that the
  156. attestation is done by the TPM owner who thus has access to only the
  157. owner hierarchy. The owner creates an external public/private key
  158. pair (assume elliptic curve in this case) and wraps the private key
  159. for import using an inner wrapping process and parented to the EC
  160. derived storage primary. The TPM2_Import() is done using a parameter
  161. decryption HMAC session salted to the EK primary (which also does not
  162. require the EK key authority) meaning that the inner wrapping key is
  163. the encrypted parameter and thus the TPM will not be able to perform
  164. the import unless is possesses the certified EK so if the command
  165. succeeds and the HMAC verifies on return we know we have a loadable
  166. copy of the private key only for the certified TPM. This key is now
  167. loaded into the TPM and the Storage primary flushed (to free up space
  168. for the null key generation).
  169. The null EC primary is now generated using the Storage profile
  170. outlined in the `TCG TPM v2.0 Provisioning Guidance`_; the name of
  171. this key (the hash of the public area) is computed and compared to the
  172. null seed name presented by the kernel in
  173. /sys/class/tpm/tpm0/null_name. If the names do not match, the TPM is
  174. compromised. If the names match, the user performs a TPM2_Certify()
  175. using the null primary as the object handle and the loaded private key
  176. as the sign handle and providing randomized qualifying data. The
  177. signature of the returned certifyInfo is verified against the public
  178. part of the loaded private key and the qualifying data checked to
  179. prevent replay. If all of these tests pass, the user is now assured
  180. that TPM integrity and privacy was preserved across the entire boot
  181. sequence of this kernel.
  182. .. _TPM Genie: https://www.nccgroup.trust/globalassets/about-us/us/documents/tpm-genie.pdf
  183. .. _Windows Bitlocker TPM: https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network
  184. .. _attack against TPM based Linux disk encryption: https://www.secura.com/blog/tpm-sniffing-attacks-against-non-bitlocker-targets
  185. .. _TCG EK Credential Profile: https://trustedcomputinggroup.org/resource/tcg-ek-credential-profile-for-tpm-family-2-0/
  186. .. _TCG TPM v2.0 Provisioning Guidance: https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/