linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	monty.wiseman@ge.com, Monty Wiseman <montywiseman32@gmail.com>,
	Matthew Garrett <mjg59@google.com>
Subject: Re: Documenting the proposal for TPM 2.0 security in the face of bus interposer attacks
Date: Mon, 19 Nov 2018 16:54:32 -0800	[thread overview]
Message-ID: <1542675272.2910.63.camel@HansenPartnership.com> (raw)
In-Reply-To: <20181119230826.GN4890@ziepe.ca>

On Mon, 2018-11-19 at 16:08 -0700, Jason Gunthorpe wrote:
> On Mon, Nov 19, 2018 at 02:36:28PM -0800, James Bottomley wrote:
> > On Mon, 2018-11-19 at 14:44 -0700, Jason Gunthorpe wrote:
> > > On Mon, Nov 19, 2018 at 01:34:41PM -0800, James Bottomley wrote:
> > > > On Mon, 2018-11-19 at 14:19 -0700, Jason Gunthorpe wrote:
> > > > [...]
> > > > > Sure, for stuff working with shared secrets, etc, this make
> > > > > sense. But PCR extends are not secret, so there is no reason
> > > > > to
> > > > > encrypt them on the bus.
> > > > 
> > > > OK, there's a miscommunication here.  I believe the current
> > > > document states twice that there's no encryption for PCR
> > > > operations.  We merely use a salted HMAC session to ensure that
> > > > they're reliably received by the TPM and not altered in-flight.
> > > 
> > > Sure, but again, what is this preventing?
> > 
> > It prevents the interposer having free reign to set the PCR values
> > by substituting every measurement you send to the TPM.  
> 
> But the threat model for PCR excludes the possibility of an
> interposer. If you have an interposer the PCB is broken and all PCR
> security is already lost.

Yours might, mine doesn't and I think I can mitigate the we can give
you approved PCRs attack ... I can't prevent the we muck with your PCRs
attack.

> > some scope for detecting the presence of an interposer if it does
> > try to tamper with your measurements.
> 
> But I can still tamper with them.. I can have the interposer
> delete/fail the kernel PCR commands and issue un-hashed ones.

You can't because you don't have the HMAC key to fake the response, so
as long as I check the HMAC return I know you've tampered.

> The kernel would have to do something extreme like fault the TPM and
> totally disable the linux device if any PCR extend fails. That should
> probably be included in the plan?

If we detect an interposer (if one of the HMACs or encrypt/decrypt
fails) it depends on policy what you do.  We certainly log a message saying TPM integrity is compromised.  I think we should also disable the TPM, but I haven't done that yet because I thought it would bear more discussion.

> > tamper, like there is for confidentiality of sealed data and random
> > numbers, but it seems to be an improvement on what's currently
> > there given that we have to install the session machinery for
> > encryption/decryption anyway.
> 
> Sure, if you have the machinery and it can be used at PCR time, then
> why not use it.. But I think any description about why this is being
> done should be clear about what the threat model is for PCR. 

Right, the threat model for me is complete control of the PCRs.  I can
mitigate that by HMACing the request and response and checking the
response HMAC.

> I'm mostly concerned about how the document was written which makes
> it seems like security of extend beyond what is integral to the
> PCB/chipset is meaningful, considering the threat model PCR is based
> on.
> 
> We don't want people to become confused and think they are getting
> more security than there really is.

Agreed.

> > > If you accept that PCB trust is essential for PCR security, then
> > > I think trusting the PCB to deliver the PCR extends is perfectly
> > > fine.
> > 
> > The *current* interposer is a hardware device on the bus.  The next
> > gen is reported to be more software based.
> 
> Well, that is terrifying.
> 
> But a SW based attack that can toggle TPM reset or alter TPM commands
> in flight getting very much into the 'chips are broken' territory
> where the chain of trust required for PCR is broken. This is breaking
> fundamental assumptions of the threat model here :(
> 
> It is hard to know if more crypto could really prevent problems
> without knowing the details of how this is being done??

I think if I can mitigate some of the PCR problems and prevent snooping
for the hardware interposer, it will also go a long way to defeating
the more software one ... of course, not having seen it, this is just a
guess, but it's based on the idea that the software one probably has
the same or more limited access to the bus.

James


  reply	other threads:[~2018-11-20  0:54 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-19 17:34 Documenting the proposal for TPM 2.0 security in the face of bus interposer attacks James Bottomley
2018-11-19 20:05 ` Jason Gunthorpe
2018-11-19 20:20   ` James Bottomley
2018-11-19 21:19     ` Jason Gunthorpe
2018-11-19 21:34       ` James Bottomley
2018-11-19 21:44         ` Jason Gunthorpe
2018-11-19 22:36           ` James Bottomley
2018-11-19 23:08             ` Jason Gunthorpe
2018-11-20  0:54               ` James Bottomley [this message]
2018-11-20  3:05                 ` Jason Gunthorpe
2018-11-20 17:17                   ` James Bottomley
2018-11-20 21:33                     ` Jason Gunthorpe
2018-11-20 22:34                       ` James Bottomley
2018-11-20 23:39                         ` Jason Gunthorpe
2018-11-21  2:24                           ` EXTERNAL: " Jeremy Boone
2018-11-21  5:16                             ` Jason Gunthorpe
2018-11-20 23:52                       ` Jarkko Sakkinen
2018-11-20 23:41                     ` Jarkko Sakkinen
2018-11-20 11:10 ` Jarkko Sakkinen
2018-11-20 12:41   ` Jarkko Sakkinen
2018-11-20 17:25     ` James Bottomley
2018-11-20 23:13       ` Jarkko Sakkinen
2018-11-20 23:58         ` James Bottomley
2018-11-21  0:33           ` EXTERNAL: " Jeremy Boone
2018-11-21  6:37           ` Jarkko Sakkinen
2018-11-21  5:42         ` Jason Gunthorpe
2018-11-21  7:18           ` Jarkko Sakkinen
     [not found]             ` <F10185EF-C618-45DC-B1F3-0053B8FE417F@gmail.com>
2018-11-21  9:07               ` Jarkko Sakkinen
2018-11-21  9:14             ` Jarkko Sakkinen
2018-11-20 17:23   ` James Bottomley
2018-11-20 23:12     ` Jarkko Sakkinen
2018-12-10 16:33 ` Ken Goldman
2018-12-10 17:30   ` James Bottomley
2018-12-11 21:47     ` Ken Goldman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1542675272.2910.63.camel@HansenPartnership.com \
    --to=james.bottomley@hansenpartnership.com \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=jgg@ziepe.ca \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@google.com \
    --cc=monty.wiseman@ge.com \
    --cc=montywiseman32@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).