Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem

From: Hector Martin <marcan@marcan.st>
To: Linus Walleij <linus.walleij@linaro.org>
Cc: "David Howells" <dhowells@redhat.com>,
	keyrings@vger.kernel.org, "Jarkko Sakkinen" <jarkko@kernel.org>,
	"Sumit Garg" <sumit.garg@linaro.org>,
	"Arnd Bergmann" <arnd@linaro.org>,
	"Joakim Bech" <joakim.bech@linaro.org>,
	"Alex Bennée" <alex.bennee@linaro.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"Maxim Uvarov" <maxim.uvarov@linaro.org>,
	"Ilias Apalodimas" <ilias.apalodimas@linaro.org>,
	"Ruchika Gupta" <ruchika.gupta@linaro.org>,
	"Winkler, Tomas" <tomas.winkler@intel.com>,
	yang.huang@intel.com, bing.zhu@intel.com,
	Matti.Moell@opensynergy.com, hmo@opensynergy.com,
	linux-mmc <linux-mmc@vger.kernel.org>,
	linux-scsi <linux-scsi@vger.kernel.org>,
	linux-nvme@vger.kernel.org,
	"Ulf Hansson" <ulf.hansson@linaro.org>,
	"Arnd Bergmann" <arnd.bergmann@linaro.org>
Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem
Date: Thu, 11 Mar 2021 18:22:41 +0900	[thread overview]
Message-ID: <32bdceb1-e70d-7481-96e3-a064a7108eb9@marcan.st> (raw)
In-Reply-To: <CACRpkda9f-BNmu-CaNsghnDoOcSXvvvji=tag2Xos+tg_nNZ0w@mail.gmail.com>

On 11/03/2021 09.36, Linus Walleij wrote:
>> It is not intended to store keys in a way that is somehow safer than
>> other mechanisms. After all, you need to securely store the RPMB key to
>> begin with; you might as well use that to encrypt a keystore on any
>> random block device.
> 
> The typical use-case mentioned in one reference is to restrict
> the number of password/pin attempts and  combine that with
> secure time to make sure that longer and longer intervals are
> required between password attempts.
> 
> This seems pretty neat to me.

Yes, but to implement that you don't need any secure storage *at all*. 
If all the RPMB did was authenticate an incrementing counter, you could 
just store the <last timestamp, attempts remaining> tuple inside a blob 
of secure (encrypted and MACed) storage on any random Flash device, 
along with the counter value, and thus prevent rollbacks that way (some 
finer design points are needed to deal with power loss protection and 
ordering, but the theory holds).

Basically what I'm saying is that for security *guarantee* purposes, 
AFAICT the storage part of RPMB makes no difference. It is useful in 
practical implementations for various reasons, but if you think you can 
use that secure storage to provide security properties which you 
couldn't do otherwise, you are probably being misled. If you're trying 
to understand what having RPMB gets you over not having it, it helps if 
you ignore all the storage stuff and just view it as a single secure, 
increment-only counter.

> 
>> But RPMB does not enforce any of this policy for you. RPMB only gives
>> you a primitive: the ability to have storage that cannot be externally
>> rolled back. So none of this works unless the entire system is set up to
>> securely boot all the way until the drive unlock happens, and there are
>> no other blatant code execution avenues.
> 
> This is true for firmware anti-rollback or say secure boot.
> 
> But RPMB can also be used for example for restricting the
> number of PIN attempts.
> 
> A typical attack vector on phones (I think candybar phones
> even) was a robot that was punching PIN codes to unlock
> the phone, combined with an electronic probe that would
> cut the WE (write enable) signal to the flash right after
> punching a code. The counter was stored in the flash.
> 
> (A bit silly example as this can be countered by reading back
> the counter from flash and checking etc, but you get the idea,
> various versions of this attack is possible,)
> 
> With RPMB this can be properly protected against because
> the next attempt can not be made until after the RPMB
> monotonic counter has been increased.

But this is only enforced by software. If you do not have secure boot, 
you can just patch software to allow infinite tries without touching the 
RPMB. The RPMB doesn't check PINs for you, it doesn't even gate read 
access to data in any way. All it does is promise you cannot make the 
counter count down, or make the data stored within go back in time.

> Of course the system can be compromised in other ways,
> (like, maybe it doesn't even have secure boot or even
> no encrypted drive) but this is one of the protection
> mechanisms that can plug one hole.

This is hot how security systems are designed though; you do not "plug 
holes", what you do is cover more attack scenarios, and you do that in 
the order from simplest to hardest.

If we are trying to crack the PIN on a device we have physical access 
to, the simplest and most effective attack is to just run your own 
software on the machine, extract whatever hash or material you need to 
validate PINs, and do it offline.

To protect against that, you first need to move the PIN checking into a 
trust domain where an attacker with physical access can't easily break 
in, which means secure boot.

*Then* the next simplest attack is a secure storage rollback attack, 
which is what I described in that blog post about iOS. And *now* it 
makes sense to start thinking about the RPMB.

But RPMB alone doesn't make any sense on a system without secure boot. 
It doesn't change anything; in both cases the simplest attack is to just 
run your own software.

> It is thus a countermeasure to keyboard emulators and other
> evil hardware trying to brute force their way past screen
> locks and passwords. Such devices exist, sadly.

If you're trying to protect against a "dumb" attack with a keyboard 
emulator that doesn't consider access to physical storage, then you 
don't need RPMB either; you can just put the PIN unlock counter in a 
random file.

-- 
Hector Martin (marcan@marcan.st)
Public Key: https://mrcn.st/pub