linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jason Gunthorpe <jgg@ziepe.ca>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	monty.wiseman@ge.com, Monty Wiseman <montywiseman32@gmail.com>,
	Matthew Garrett <mjg59@google.com>
Subject: Re: Documenting the proposal for TPM 2.0 security in the face of bus interposer attacks
Date: Tue, 20 Nov 2018 16:39:04 -0700	[thread overview]
Message-ID: <20181120233904.GF22023@ziepe.ca> (raw)
In-Reply-To: <1542753292.2814.45.camel@HansenPartnership.com>

On Tue, Nov 20, 2018 at 02:34:52PM -0800, James Bottomley wrote:

> https://trustedcomputinggroup.org/resource/implementing-hardware-roots-of-trust/

Notice none of their examples include 'prevent tampering with the
hardware' all are focused on pure software attacks, which the TPM is
excellent at preventing. The TPM was never supposed to prevent
physical attacks against the HW for the PCR feature.

The only HW guarentee it ever provided is to prevent theft of the
private secrets, even with physical access.

> > It doesn't need contact with the CPU. The basic flow would be to use
> > the interposer on SPI or LPC to block the Nth PCR update, having
> > determined that Nth comes from the BIOS and covers the
> > bootloader.. The BIOS ignores the error, or can't tell the PCR update
> > was corrupted. From there it is easy to see how to get into a hostile
> > kernel and extend the PCRs to match a trusted kernel.
> 
> Right, but that's why I want to detect the error and shut down the TPM.

Well, I think this is a lot of industry effort and still leaves open
other fairly simple physical attacks, like wire-to-the-reset.

I can always make an interposer that did wire-to-the-reset, I don't
need to do complicated dynamic things with PCR extend commands.

And the null key doesn't really protect against wire-to-the-reset, as
the null key doesn't participate in the PCR extend. So
unseal/seal/attest commands don't know if the TPM was booted
authentically or via a wire-to-the-reset and a hostile kernel.

Yes, it lets a trusted kernel detect a problem, but a threat model
that includes an interposer and excludes a hostile kernel doesn't
sound so interesting to me???

Like I said at the start, the way the spec is written, PCR requires
trusted HW. Without a TPM spec change we can't fix this basic
assumption.

A better mitigation to the interposer threat is for PCB manufactures
to use BGA packages, blind vias and internal traces to physically deny
easy access to the TPM bus and reset signal.

The last TPM project I worked on took physical security into account
when designing the PCB and TPM chip placement, others should do the
same :)

Jason

  reply	other threads:[~2018-11-20 23:39 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-19 17:34 Documenting the proposal for TPM 2.0 security in the face of bus interposer attacks James Bottomley
2018-11-19 20:05 ` Jason Gunthorpe
2018-11-19 20:20   ` James Bottomley
2018-11-19 21:19     ` Jason Gunthorpe
2018-11-19 21:34       ` James Bottomley
2018-11-19 21:44         ` Jason Gunthorpe
2018-11-19 22:36           ` James Bottomley
2018-11-19 23:08             ` Jason Gunthorpe
2018-11-20  0:54               ` James Bottomley
2018-11-20  3:05                 ` Jason Gunthorpe
2018-11-20 17:17                   ` James Bottomley
2018-11-20 21:33                     ` Jason Gunthorpe
2018-11-20 22:34                       ` James Bottomley
2018-11-20 23:39                         ` Jason Gunthorpe [this message]
2018-11-21  2:24                           ` EXTERNAL: " Jeremy Boone
2018-11-21  5:16                             ` Jason Gunthorpe
2018-11-20 23:52                       ` Jarkko Sakkinen
2018-11-20 23:41                     ` Jarkko Sakkinen
2018-11-20 11:10 ` Jarkko Sakkinen
2018-11-20 12:41   ` Jarkko Sakkinen
2018-11-20 17:25     ` James Bottomley
2018-11-20 23:13       ` Jarkko Sakkinen
2018-11-20 23:58         ` James Bottomley
2018-11-21  0:33           ` EXTERNAL: " Jeremy Boone
2018-11-21  6:37           ` Jarkko Sakkinen
2018-11-21  5:42         ` Jason Gunthorpe
2018-11-21  7:18           ` Jarkko Sakkinen
     [not found]             ` <F10185EF-C618-45DC-B1F3-0053B8FE417F@gmail.com>
2018-11-21  9:07               ` Jarkko Sakkinen
2018-11-21  9:14             ` Jarkko Sakkinen
2018-11-20 17:23   ` James Bottomley
2018-11-20 23:12     ` Jarkko Sakkinen
2018-12-10 16:33 ` Ken Goldman
2018-12-10 17:30   ` James Bottomley
2018-12-11 21:47     ` Ken Goldman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181120233904.GF22023@ziepe.ca \
    --to=jgg@ziepe.ca \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@google.com \
    --cc=monty.wiseman@ge.com \
    --cc=montywiseman32@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).