Return-Path:
Received: from mail-wr0-f169.google.com ([209.85.128.169]:47078 "EHLO mail-wr0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965013AbeEJPR4 (ORCPT ); Thu, 10 May 2018 11:17:56 -0400
Received: by mail-wr0-f169.google.com with SMTP id a12-v6so2375634wrn.13 for ; Thu, 10 May 2018 08:17:55 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <1525963652.3258.4.camel@HansenPartnership.com>
References: <20180430125418.31344-1-david.bild@xaptum.com> <20180504130022.5231-3-david.bild@xaptum.com> <20180504190638.ikqhdvcqccakzdjd@ziepe.ca> <20180508105515.GB6132@linux.intel.com> <1525793148.3672.8.camel@HansenPartnership.com> <1525793785.3672.12.camel@HansenPartnership.com> <1525963652.3258.4.camel@HansenPartnership.com>
From: "David R. Bild"
Date: Thu, 10 May 2018 10:17:54 -0500
Message-ID:
Subject: Re: [PATCH v3 2/2] usb: misc: xapea00x: perform platform initialization of TPM
To: James Bottomley
Cc: Jarkko Sakkinen, philip.b.tricca@intel.com, Jason Gunthorpe, Greg Kroah-Hartman, Peter Huewe, linux-usb@vger.kernel.org, linux-integrity@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-integrity-owner@vger.kernel.org
List-ID:

On Thu, May 10, 2018 at 9:47 AM, James Bottomley wrote:
> On Thu, 2018-05-10 at 09:25 -0500, David R. Bild wrote:
>> The TPM holds access credentials for connecting to the Xaptum
>> network.
>
> OK, so these are effectively DevId keys.  However, what makes you think
> knowing the platform auth allows you to duplicate the keys?

It doesn't and we don't think that.

> As long as
> you created them correctly (as in without duplication authority) then
> even knowing the platform authorization I can't get them out of your
> TPM.

Correct.  No one can copy/duplicate/read them.

But they can delete them, which is effectively a denial-of-service
attack against the device.

>> We provision the credentials (the DAA secret key, specifically) under
>> the platform hierarchy. The key can be used without platform
>> authorization, but not removed.  If we disable the platform hierarchy
>> entirely, I think the credentials will no longer be available for
>> use.
>
> That's certainly true if you actually need to use the platform
> hierarchy.  Your initial emails on the subject did say you were
> disabling it though ...

Mea culpa.  Lazy wording on my part.

>> > Early boot means userspace. For a hot-pluggable device, this would
>> > probably be something in udev if you follow the no-daemon model and
>> > the daemon could do it if you do follow the daemon model.
>>
>> Could you expand on the udev approach?  I might not understand enough
>> about udev (or the coming TPM resource manager changes) to follow the
>> suggestion.

>> This seems unsafe to me.  There's a race between a malicious
>> userspace program and the daemon to set the platform
>> authorization.  If the malicious program wins, it can reset the TPM,
>> removing the credentials, and the device won't be able to connect to
>> the Xaptum network. (This is a liveness concern, not safety.  A
>> denial-of-service attack, essentially.)
>
> OK, I'm getting confused by your threat model.  I don't think knowing
> the platform auth I can obtain your keys.  However, I agree, I can
> definitely remove them.

Correct. Removal (not copying) is our concern.

>  However, setting platform auth doesn't solve
> this: I can execute a TPM2_Clear to regain the platform auth and if you
> disable this

According to the spec (v1.38) TPM2_Clear

- flushes the Storage and Endorsement hierarchies, not the Platform hierarchy.

- resets the Storage, Endorsement, and Lockout auth, but not the Platform auth.

> I can't re-own the TPM at all.

You can execute TPM2_Clear (if you have lockout auth. We don't set
lockout auth, so you will.) to regain control of the Storage and
Endorsement hierarchies.  We only control the platform hierarchy.

Best,
David
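The hierarchy and authorization rules the reply above turns on (what TPM2_Clear does and does not touch, and why it matters who sets platformAuth first after boot) are easier to check against a model than to argue about in prose. The following is an added illustration by the editor, not part of the thread and not code from the xapea00x driver or any TSS library: a toy Python model of the TPM 2.0 commands involved, with each method encoding the rule from the TPM 2.0 Library spec (Part 3) that the thread relies on. The persistent handle 0x81800001, the auth values and the two race scenarios are assumptions constructed for the example.

```python
"""Toy model of the TPM 2.0 hierarchy/authorization rules discussed in the thread.

Constructed by the editor for illustration; not a real TPM interface and not the
xapea00x driver. Each method encodes one rule from the TPM 2.0 Library spec
(Part 3) so TPM2_Clear and the "who sets platformAuth first" race can be
exercised offline.
"""
from dataclasses import dataclass, field

PLATFORM, OWNER, ENDORSEMENT, LOCKOUT = "platform", "owner", "endorsement", "lockout"


def hierarchy_of_handle(handle: int) -> str:
    # Persistent-handle ranges: 0x81000000-0x817FFFFF are owner (storage)
    # handles, 0x81800000-0x81FFFFFF are platform handles.
    if 0x81000000 <= handle <= 0x817FFFFF:
        return OWNER
    if 0x81800000 <= handle <= 0x81FFFFFF:
        return PLATFORM
    raise ValueError(f"{handle:#x} is not a persistent handle")


class TPMError(Exception):
    """Stands in for a TPM_RC_* failure code."""


@dataclass
class ToyTPM:
    # authValue of each hierarchy; all empty after manufacture.
    auth: dict = field(default_factory=lambda: {h: b"" for h in (PLATFORM, OWNER, ENDORSEMENT, LOCKOUT)})
    # phEnable / shEnable / ehEnable
    enabled: dict = field(default_factory=lambda: {PLATFORM: True, OWNER: True, ENDORSEMENT: True})
    # persistent handle -> hierarchy the object belongs to
    persistent: dict = field(default_factory=dict)

    def _authorize(self, hierarchy: str, auth: bytes) -> None:
        if not self.enabled.get(hierarchy, True):
            raise TPMError(f"{hierarchy} hierarchy is disabled")
        if auth != self.auth[hierarchy]:
            raise TPMError(f"bad {hierarchy}Auth")

    def startup_reset(self) -> None:
        # TPM Reset: platformAuth returns to empty and the hierarchies are
        # re-enabled, so whoever runs first after boot can claim platformAuth.
        self.auth[PLATFORM] = b""
        self.enabled = {PLATFORM: True, OWNER: True, ENDORSEMENT: True}

    def hierarchy_change_auth(self, hierarchy: str, current: bytes, new: bytes) -> None:
        # TPM2_HierarchyChangeAuth: needs the hierarchy's current authValue.
        self._authorize(hierarchy, current)
        self.auth[hierarchy] = new

    def evict_control(self, auth: bytes, handle: int) -> None:
        # TPM2_EvictControl toggles persistence; the authorizing hierarchy is
        # fixed by the handle range (platformAuth for platform-range handles).
        hierarchy = hierarchy_of_handle(handle)
        self._authorize(hierarchy, auth)
        if handle in self.persistent:
            del self.persistent[handle]
        else:
            self.persistent[handle] = hierarchy

    def clear(self, auth_hierarchy: str, auth: bytes) -> None:
        # TPM2_Clear: authorized with lockoutAuth or platformAuth. Evicts
        # objects in the storage (owner) and endorsement hierarchies and resets
        # ownerAuth, endorsementAuth and lockoutAuth. Platform-hierarchy
        # objects and platformAuth are untouched.
        if auth_hierarchy not in (LOCKOUT, PLATFORM):
            raise TPMError("TPM2_Clear takes TPM_RH_LOCKOUT or TPM_RH_PLATFORM")
        self._authorize(auth_hierarchy, auth)
        self.persistent = {h: hy for h, hy in self.persistent.items() if hy == PLATFORM}
        for hy in (OWNER, ENDORSEMENT, LOCKOUT):
            self.auth[hy] = b""

    def hierarchy_control(self, platform_auth: bytes, hierarchy: str, enable: bool) -> None:
        # TPM2_HierarchyControl: platformAuth is required; objects in a
        # disabled hierarchy cannot be used.
        self._authorize(PLATFORM, platform_auth)
        self.enabled[hierarchy] = enable

    def usable(self, handle: int) -> bool:
        return handle in self.persistent and self.enabled[self.persistent[handle]]


DAA_KEY = 0x81800001  # constructed handle for the credential, in the platform range


def fresh_device() -> ToyTPM:
    tpm = ToyTPM()
    tpm.evict_control(b"", DAA_KEY)  # factory provisioning while platformAuth is empty
    return tpm


def driver_sets_platform_auth_first() -> dict:
    tpm = fresh_device()
    tpm.hierarchy_change_auth(PLATFORM, b"", b"driver-secret")  # set before userspace runs
    tpm.clear(LOCKOUT, b"")  # attacker: lockoutAuth was never set, so TPM2_Clear succeeds ...
    removed = False
    try:
        tpm.evict_control(b"", DAA_KEY)  # ... but evicting the key needs platformAuth
        removed = True
    except TPMError:
        pass
    return {"key_usable": tpm.usable(DAA_KEY), "attacker_removed_key": removed}


def userspace_sets_platform_auth_first() -> dict:
    tpm = fresh_device()
    tpm.hierarchy_change_auth(PLATFORM, b"", b"attacker")  # malicious program won the race
    tpm.evict_control(b"attacker", DAA_KEY)  # credential gone: denial of service
    return {"key_usable": tpm.usable(DAA_KEY), "attacker_removed_key": True}


if __name__ == "__main__":
    print("driver first:   ", driver_sets_platform_auth_first())
    print("userspace first:", userspace_sets_platform_auth_first())
```

The model reflects the two points in the reply: a TPM2_Clear authorized with the (unset) lockoutAuth re-owns the storage and endorsement hierarchies but leaves a platform-persisted object and platformAuth alone, and the only thing that protects that object from eviction is that platformAuth was set before any other caller could set it. `startup_reset` is there to show why the driver has to do this at every device initialization rather than once.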