All of lore.kernel.org
 help / color / mirror / Atom feed
* [tpm2] TPM2.0 chip access restriction
@ 2018-07-11 12:24 John Brown
  0 siblings, 0 replies; 3+ messages in thread
From: John Brown @ 2018-07-11 12:24 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 1589 bytes --]

Hello all,


I do not know how to approach the issue of access restriction to the tpm2.0
chip.


I would like to use tpm chip to store private keys and would like to be
sure that the key can be only used by apps that I allow to do it and I
think that this would increase the security level of the whole system. In
TPM2.0 chip the private key is hidden, but if every application is allowed
to perform operations on this key and (for example) the attacker would be
able to run some malicious application as normal user, he can use it to
receive from remote device some data, perform operations on the private
key, and send the result back. In the result the remote device would behave
as it would have the private key. And many other scenarios are possible. So
what is the correct way to restrict the access to the TPM chip?


- I know that every key can have a password to protect it but in that case
there is a problem where to store this password in a secure way that only
allowed apps can read it.


- if an app use tss it talks to abrmd via d-bus and some pipes (am i
right?). Can the d-bus be used somehow to restrict access to tpm2.0 chip?
Can this pipes be used in a malicious way?


- I also know that PCRs can be used during boot to allow private key access
when the system is not corrupted. But this does not prevent the malicous
private key usage when the attacker put the application to already booted
device with key unlocked.


I am already lost in the dark with this. Can somebody put some light on
this issue?


Best regards,

John

[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 5715 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [tpm2] TPM2.0 chip access restriction
@ 2018-07-18  6:12 John Brown
  0 siblings, 0 replies; 3+ messages in thread
From: John Brown @ 2018-07-18  6:12 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 2753 bytes --]

2018-07-13 15:12 GMT+02:00 Roberts, William C <william.c.roberts(a)intel.com>:

>
>
> > -----Original Message-----
> > From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of John Brown
> > Sent: Wednesday, July 11, 2018 5:25 AM
> > To: tpm2(a)lists.01.org
> > Subject: [tpm2] TPM2.0 chip access restriction
> >
> > Hello all,
> >
> >
> >
> >
> > I do not know how to approach the issue of access restriction to the
> tpm2.0 chip.
> >
> >
> >
> >
> > I would like to use tpm chip to store private keys and would like to be
> sure that
> > the key can be only used by apps that I allow to do it and I think that
> this would
> > increase the security level of the whole system. In TPM2.0 chip the
> private key is
> > hidden, but if every application is allowed to perform operations on
> this key and
> > (for example) the attacker would be able to run some malicious
> application as
> > normal user, he can use it to receive from remote device some data,
> perform
> > operations on the private key, and send the result back. In the result
> the remote
> > device would behave as it would have the private key. And many other
> scenarios
> > are possible. So what is the correct way to restrict the access to the
> TPM chip?
> >
> >
> >
> >
> > - I know that every key can have a password to protect it but in that
> case there is
> > a problem where to store this password in a secure way that only allowed
> apps
> > can read it.
>
> Why would you store the password? You could also derive it from some
> secret. The pub
> And priv files used for access, if you don't use a password, access to
> those files means
> Access to the key itself.
>

Thank you for the answer.
But... Sorry, I do not understand what you mean. Can you explain this in
some more clear way?

>
> >
> >
> >
> >
> > - if an app use tss it talks to abrmd via d-bus and some pipes (am i
> right?). Can the
> > d-bus be used somehow to restrict access to tpm2.0 chip? Can this pipes
> be used
> > in a malicious way?
>
> I think SE Linux has dbus integration. Additionally, the dbus interface
> has access controls,
> but I am not fluent in them.
>
> >
> >
> >
> >
> > - I also know that PCRs can be used during boot to allow private key
> access when
> > the system is not corrupted. But this does not prevent the malicous
> private key
> > usage when the attacker put the application to already booted device
> with key
> > unlocked.
>
> Parsing error.
>

Parsing error?


> >
> >
> >
> >
> > I am already lost in the dark with this. Can somebody put some light on
> this issue?
> >
> >
> >
> >
> > Best regards,
> >
> > John
> >
> >
> >
> >
> >
> >
> >
>
>

[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 3823 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [tpm2] TPM2.0 chip access restriction
@ 2018-07-13 13:12 Roberts, William C
  0 siblings, 0 replies; 3+ messages in thread
From: Roberts, William C @ 2018-07-13 13:12 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 2337 bytes --]



> -----Original Message-----
> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of John Brown
> Sent: Wednesday, July 11, 2018 5:25 AM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] TPM2.0 chip access restriction
> 
> Hello all,
> 
> 
> 
> 
> I do not know how to approach the issue of access restriction to the tpm2.0 chip.
> 
> 
> 
> 
> I would like to use tpm chip to store private keys and would like to be sure that
> the key can be only used by apps that I allow to do it and I think that this would
> increase the security level of the whole system. In TPM2.0 chip the private key is
> hidden, but if every application is allowed to perform operations on this key and
> (for example) the attacker would be able to run some malicious application as
> normal user, he can use it to receive from remote device some data, perform
> operations on the private key, and send the result back. In the result the remote
> device would behave as it would have the private key. And many other scenarios
> are possible. So what is the correct way to restrict the access to the TPM chip?
> 
> 
> 
> 
> - I know that every key can have a password to protect it but in that case there is
> a problem where to store this password in a secure way that only allowed apps
> can read it.

Why would you store the password? You could also derive it from some secret. The pub
And priv files used for access, if you don't use a password, access to those files means
Access to the key itself.

> 
> 
> 
> 
> - if an app use tss it talks to abrmd via d-bus and some pipes (am i right?). Can the
> d-bus be used somehow to restrict access to tpm2.0 chip? Can this pipes be used
> in a malicious way?

I think SE Linux has dbus integration. Additionally, the dbus interface has access controls,
but I am not fluent in them.

> 
> 
> 
> 
> - I also know that PCRs can be used during boot to allow private key access when
> the system is not corrupted. But this does not prevent the malicous private key
> usage when the attacker put the application to already booted device with key
> unlocked.

Parsing error.

> 
> 
> 
> 
> I am already lost in the dark with this. Can somebody put some light on this issue?
> 
> 
> 
> 
> Best regards,
> 
> John
> 
> 
> 
> 
> 
> 
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-07-18  6:12 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-11 12:24 [tpm2] TPM2.0 chip access restriction John Brown
2018-07-13 13:12 Roberts, William C
2018-07-18  6:12 John Brown

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.