Re: Documenting the proposal for TPM 2.0 security in the face of bus interposer attacks

From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org, monty.wiseman@ge.com,
	Monty Wiseman <montywiseman32@gmail.com>,
	Matthew Garrett <mjg59@google.com>
Subject: Re: Documenting the proposal for TPM 2.0 security in the face of bus interposer attacks
Date: Tue, 20 Nov 2018 09:23:01 -0800	[thread overview]
Message-ID: <1542734581.2814.28.camel@HansenPartnership.com> (raw)
In-Reply-To: <20181120111049.GC14594@linux.intel.com>

On Tue, 2018-11-20 at 13:10 +0200, Jarkko Sakkinen wrote:
[...]
> This is basically rewrite of TPM genie paper with extras. just
> shorten it to include the proposed architecture and point to the TPM
> Genie paper (which is not in the references at all ATM).

I really don't think so.  The paper only gives details of bound
authorization sessions for TPM 2.0 which suffer from no to weak entropy
problems.  The reason for using salted ones in the document, which
aren't mentioned at all in the genie paper, is so we have a high
entropy cryptographically unguessable HMAC and encryption key.

> The way I see it the data validation is way more important than
> protecting against physical interposer to be frank.
> 
> The attack scenario would require to open the damn device.

Yes (well, currently).

>  For laptop that would leave physical marks (i.e. evil maid).

Only if you have some type of security seal, which most laptops don't
have.

James

>  In a data center with armed guards I would wish you good luck
> accomplishing it. It is not anything like sticking a USB stick and
> run.
> 
> We can take a fix into Linux with a clean implementation but it needs
> to be an opt-in feature because not all users will want to use it.
> 
> /Jarkko
> 