From: William Roberts <bill.c.roberts@gmail.com>
To: Jarkko Sakkinen <jarkko@kernel.org>
Cc: James Bottomley <jejb@linux.ibm.com>,
Matthew Garrett <mgarrett@aurora.tech>,
Evan Green <evgreen@chromium.org>,
linux-kernel@vger.kernel.org, corbet@lwn.net,
linux-integrity@vger.kernel.org,
Eric Biggers <ebiggers@kernel.org>,
gwendal@chromium.org, dianders@chromium.org,
apronin@chromium.org, Pavel Machek <pavel@ucw.cz>,
Ben Boeckel <me@benboeckel.net>,
rjw@rjwysocki.net, Kees Cook <keescook@chromium.org>,
dlunev@google.com, zohar@linux.ibm.com, linux-pm@vger.kernel.org,
Matthew Garrett <mjg59@google.com>,
Jason Gunthorpe <jgg@ziepe.ca>, Peter Huewe <peterhuewe@gmx.de>
Subject: Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use
Date: Thu, 26 Jan 2023 11:32:22 -0600 [thread overview]
Message-ID: <CAFftDdqq-eeryycv_11m=-1+aR=cgCUU7C_BFDrmYRwFF13i5w@mail.gmail.com> (raw)
In-Reply-To: <Y9K2mOsmB1+CFk9l@kernel.org>
On Thu, Jan 26, 2023 at 11:21 AM Jarkko Sakkinen <jarkko@kernel.org> wrote:
>
> On Tue, Jan 24, 2023 at 07:38:04AM -0500, James Bottomley wrote:
> > On Mon, 2023-01-23 at 11:48 -0600, William Roberts wrote:
> > > On Fri, Jan 20, 2023 at 9:29 PM Jarkko Sakkinen <jarkko@kernel.org>
> > > wrote:
> > > >
> > > > On Sat, Jan 14, 2023 at 09:55:37AM -0500, James Bottomley wrote:
> > > > > On Tue, 2023-01-03 at 13:10 -0800, Matthew Garrett wrote:
> > > > > > On Tue, Jan 3, 2023 at 1:05 PM William Roberts
> > > > > > <bill.c.roberts@gmail.com> wrote:
> > > > > >
> > > > > > > What's the use case of using the creation data and ticket in
> > > > > > > this context? Who gets the creationData and the ticket?
> > > > > > > Could a user supplied outsideInfo work? IIRC I saw some
> > > > > > > patches flying around where the sessions will get encrypted
> > > > > > > and presumably correctly as well. This would allow the
> > > > > > > transfer of that outsideInfo, like the NV Index PCR value to
> > > > > > > be included and integrity protected by the session HMAC.
> > > > > >
> > > > > > The goal is to ensure that the key was generated by the kernel.
> > > > > > In the absence of the creation data, an attacker could generate
> > > > > > a hibernation image using their own key and trick the kernel
> > > > > > into resuming arbitrary code. We don't have any way to pass
> > > > > > secret data from the hibernate kernel to the resume kernel, so
> > > > > > I don't think there's any easy way to do it with outsideinfo.
> > > > >
> > > > > Can we go back again to why you can't use locality? It's exactly
> > > > > designed for this since locality is part of creation data.
> > > > > Currently everything only uses locality 0, so it's impossible for
> > > > > anyone on Linux to produce a key with anything other than 0 in
> > > > > the creation data for locality. However, the dynamic launch
> > > > > people are proposing that the Kernel should use Locality 2 for
> > > > > all its operations, which would allow you to distinguish a key
> > > > > created by the kernel from one created by a user by locality.
> > > > >
> > > > > I think the previous objection was that not all TPMs implement
> > > > > locality, but then not all laptops have TPMs either, so if you
> > > > > ever come across one which has a TPM but no locality, it's in a
> > > > > very similar security boat to one which has no TPM.
> > > >
> > > > Kernel could try to use locality 2 and use locality 0 as fallback.
> > >
> > > I don't think that would work for Matthew, they need something
> > > reliable to indicate key provenance.
> >
> > No, I think it would be good enough: locality 0 means anyone (including
> > the kernel on a machine which doesn't function correctly) could have
> > created this key. Locality 2 would mean only the kernel could have
> > created this key.
> >
> > By the time the kernel boots and before it loads the hibernation image
> > it will know the answer to the question "does my TPM support locality
> > 2", so it can use that in its security assessment: if the kernel
> > supports locality 2 and the key wasn't created in locality 2 then
> > assume an attack. Obviously, if the kernel doesn't support locality 2
> > then the hibernation resume has to accept any old key, but that's the
> > same as the situation today.
>
> This sounds otherwise great to me but why bother even allowing a
> machine with no-locality TPM to be involved with hibernate? Simply
> detect locality support during driver initialization and disallow
> sealed hibernation (or whatever the feature was called) if localities
> were not detected.
>
> I get supporting old hardware with old features but it does not make
> sense to maintain new features with hardware, which clearly does not
> scale, right?
>
> BR, Jarkko
Here's a thought, what if we had a static/cmd line configurable
no-auth NV Index and writelocked it with the expected key information,
name or something. I guess the problem is atomicity with write/lock,
but can't the kernel lock out all other users?
An attacker would need to issue tpm2_startup, which in this case would DOS
the kernel in both scenarios. If an attacker already wrote and locked the NV
index, that would also be a DOS. If they already wrote it, the kernel simply
writes whatever they want. Is there an attack I am missing?
I guess the issue here would be setup, since creating the NV index requires
hierarchy auth, does the kernel have platform auth or is that already shut down
by firmware (I can't recall)? A null hierarchy volatile lockable index would be
nice for this, too bad that doesn't exist.
next prev parent reply other threads:[~2023-01-26 17:32 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-11 23:16 [PATCH v5 00/11] Encrypted Hibernation Evan Green
2022-11-11 23:16 ` [PATCH v5 01/11] tpm: Add support for in-kernel resetting of PCRs Evan Green
2022-11-13 20:31 ` Eric Biggers
2022-11-27 16:06 ` Jarkko Sakkinen
2022-11-27 16:07 ` Jarkko Sakkinen
2022-11-11 23:16 ` [PATCH v5 02/11] tpm: Export and rename tpm2_find_and_validate_cc() Evan Green
2022-11-11 23:16 ` [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use Evan Green
2022-11-13 20:46 ` Eric Biggers
2022-11-14 17:11 ` James Bottomley
2022-11-27 16:33 ` Jarkko Sakkinen
2022-11-27 16:41 ` James Bottomley
2022-11-30 20:22 ` Dr. Greg
2022-11-30 21:34 ` Casey Schaufler
2022-12-02 1:10 ` Dr. Greg
2023-01-03 20:42 ` Matthew Garrett
2023-01-03 21:04 ` William Roberts
2023-01-03 21:10 ` Matthew Garrett
2023-01-14 14:55 ` James Bottomley
2023-01-14 15:11 ` William Roberts
2023-01-15 3:05 ` Matthew Garrett
2023-01-15 14:41 ` William Roberts
2023-01-17 21:26 ` James Bottomley
2023-01-21 3:29 ` Jarkko Sakkinen
2023-01-23 17:48 ` William Roberts
2023-01-24 11:51 ` Dr. Greg
2023-01-24 12:38 ` James Bottomley
2023-01-24 15:05 ` William Roberts
2023-01-26 17:21 ` Jarkko Sakkinen
2023-01-26 17:32 ` William Roberts [this message]
2023-01-26 21:30 ` Jarkko Sakkinen
2023-01-26 22:01 ` William Roberts
2023-02-07 23:20 ` Jarkko Sakkinen
2023-01-26 17:07 ` Jarkko Sakkinen
2023-01-26 17:12 ` Jarkko Sakkinen
2023-01-26 17:20 ` William Roberts
2023-01-10 16:07 ` William Roberts
2022-11-27 16:29 ` Jarkko Sakkinen
2022-11-11 23:16 ` [PATCH v5 04/11] security: keys: trusted: Include TPM2 creation data Evan Green
2022-11-13 21:20 ` Eric Biggers
2022-11-14 3:32 ` James Bottomley
2022-11-14 16:32 ` Evan Green
2022-11-14 16:56 ` James Bottomley
2022-11-14 17:43 ` Evan Green
2022-11-14 18:00 ` James Bottomley
2022-12-02 21:03 ` James Bottomley
2022-12-05 18:43 ` Evan Green
2022-11-11 23:16 ` [PATCH v5 05/11] security: keys: trusted: Allow storage of PCR values in " Evan Green
2022-11-13 22:01 ` Eric Biggers
2022-11-11 23:16 ` [PATCH v5 06/11] security: keys: trusted: Verify " Evan Green
2022-11-13 22:13 ` Eric Biggers
2022-11-11 23:16 ` [PATCH v5 07/11] PM: hibernate: Add kernel-based encryption Evan Green
2022-11-13 22:55 ` Eric Biggers
2022-11-11 23:16 ` [PATCH v5 08/11] PM: hibernate: Use TPM-backed keys to encrypt image Evan Green
2022-11-13 23:33 ` Eric Biggers
2022-11-11 23:16 ` [PATCH v5 09/11] PM: hibernate: Mix user key in encrypted hibernate Evan Green
2022-11-13 23:44 ` Eric Biggers
2022-11-11 23:16 ` [PATCH v5 10/11] PM: hibernate: Verify the digest encryption key Evan Green
2022-11-13 23:47 ` Eric Biggers
2022-11-11 23:16 ` [PATCH v5 11/11] PM: hibernate: seal the encryption key with a PCR policy Evan Green
2022-11-13 23:51 ` Eric Biggers
2022-12-07 23:54 ` [PATCH v5 00/11] Encrypted Hibernation Evan Green
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAFftDdqq-eeryycv_11m=-1+aR=cgCUU7C_BFDrmYRwFF13i5w@mail.gmail.com' \
--to=bill.c.roberts@gmail.com \
--cc=apronin@chromium.org \
--cc=corbet@lwn.net \
--cc=dianders@chromium.org \
--cc=dlunev@google.com \
--cc=ebiggers@kernel.org \
--cc=evgreen@chromium.org \
--cc=gwendal@chromium.org \
--cc=jarkko@kernel.org \
--cc=jejb@linux.ibm.com \
--cc=jgg@ziepe.ca \
--cc=keescook@chromium.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=me@benboeckel.net \
--cc=mgarrett@aurora.tech \
--cc=mjg59@google.com \
--cc=pavel@ucw.cz \
--cc=peterhuewe@gmx.de \
--cc=rjw@rjwysocki.net \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.