https://crocs.fi.muni.cz @CRoCS_MUNI
PV204 Security technologies
Trusted Boot, TPM
Petr Švenda svenda@fi.muni.cz @rngsec
Centre for Research on Cryptography and Security, Masaryk University

Masterplan for this seminar
1. Find the type of TPM you have in your laptop
2. Draw a mindmap of the lecture
3. Understand the basics of TPM using a simulated TPM (tpm-js, https://google.github.io/tpm-js)
4. (If on Windows) Use tpmtool
5. Use the TPM via tpm2-tools (Linux/Docker)

FIDDLING WITH TPM: WHAT DOES YOUR MACHINE HAVE?

Try to figure out your situation
• Not every computer has a TPM chip
  – dTPM (discrete chip) vs. fTPM (firmware TPM running on the CPU/chipset) vs. none (e.g., Apple)
• TPM specification version is mostly 2.0
  – Some old computers may still have TPM 1.2 (the BIOS may offer switching dTPM 1.2 => fTPM 2.0)
• Windows and Linux differ
• IF Windows
  – Run 'tpm.msc' or 'tpmtool getdeviceinformation' from the command line
• IF Linux & '/dev/tpm0' exists & TPM 2.0:
  – 'sudo apt-get update -y', 'sudo apt-get install -y tpm2-tools'
  – 'tpm2_getcap properties-fixed' (or 'tpm2_getcapabilities' on older versions)
• IF Linux & TPM 1.2 || Windows || anything doesn't work:
  – Use https://labs.play-with-docker.com and the TPM simulator
(Screenshot: tpm.msc)

Task 1: Draw a mindmap about this lecture
• Form groups of 3 (not your project team)
• Draw a visual mindmap (use handouts, colours...)
  – https://miro.com/app/board/uXjVMTyZFhU=/
  – Password is 'fimunicz'
1. Addressed problems (goals, root cause of the problems)
2. Solution concepts
3. Practical techniques & tools

Example mindmap
(Figure: example mindmap)

FIDDLING WITH TPM: TPM-JS
Try to answer the questions using the TPM tutorial with a virtualized TPM

Google tpm-js
• JavaScript-based introduction, explanation and tutorial
  – https://google.github.io/tpm-js
• Hit the 'Run' button
  – Inspect the 'In:', 'Out:' and Console windows
• Task: Understand all basic steps
• Task: Answer the questions on the next slides
• Different levels of API access
  – raw command TPM2_CC_GetRandom vs. tpm2_getrandom 16 (tpm2-tools) vs. app.GetRandom(16) (tpm-js)

Questions
• How can you generate random numbers using the TPM's TRNG?
• Who is the manufacturer of the TPM in tpm-js?
• Why do we have a key hierarchy instead of a single key?
• Can you also create symmetric keys on the TPM? What is the command?
• Who creates the EK certificate? What is it used for?
• Which command is used to measure an additional item (driver, app, config...)?
• Can you extend only one of the PCR registers?
• Is it enough to prove the state of your machine to a remote party by reading out the PCR registers and sending them as a file? Why?

Questions
• Which key is used by the TPM during Remote Attestation?
• Can you perform Remote Attestation against a device you have never contacted before? Why?
• Why does the server send a random nonce during the Remote Attestation protocol?
• What is the Event Log? Is it stored inside the TPM? How can you verify its validity?
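The last three questions (PCRs sent as a file, the server nonce, the event log) are exactly what a remote verifier has to put together. The following Python model is added here as an illustration and is not part of tpm-js or of the course material: it replays a constructed event log into a SHA-256 PCR bank, builds the verifier-relevant part of a TPM2_Quote (the TPMS_ATTEST magic, extraData carrying the nonce, the PCR selection and pcrDigest) and checks it the way a verifier does. Two simplifications are assumptions of this example: the AIK signature is stood in by an HMAC under a key shared by the "TPM" and the verifier, so the script runs with the standard library only (a real quote carries an RSA/ECC signature checked against the AIK public key), and the attest structure omits qualifiedSigner, clockInfo and firmwareVersion. demo() runs an honest exchange, a replayed quote that fails on the nonce, and a quote from an infected boot that fails when the attacker presents the clean log; a bare file of PCR values offers none of these checks.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = 32  # SHA-256 PCR bank
TPM_GENERATED_VALUE = 0xFF544347  # shows up as the 'TCG' string in a raw quote response
TPM_ST_ATTEST_QUOTE = 0x8018
TPM_ALG_SHA256 = 0x000B

def initial_pcrs():
    """PCR bank after TPM2_Startup(CLEAR): PCRs 0-16 and 23 all zeros, 17-22 (D-RTM PCRs) all ones."""
    return {i: (b"\xff" if 17 <= i <= 22 else b"\x00") * DIGEST_LEN for i in range(24)}

def pcr_extend(old, digest):
    """TPM2_PCR_Extend: PCR <- H(PCR || digest); a PCR is never overwritten, only chained."""
    return hashlib.sha256(old + digest).digest()

def replay_event_log(events):
    """Recompute the bank from (pcr_index, label, measured_bytes) events; the TPM only saw H(measured_bytes)."""
    pcrs = initial_pcrs()
    for index, _label, data in events:
        pcrs[index] = pcr_extend(pcrs[index], hashlib.sha256(data).digest())
    return pcrs

def pcr_digest(pcrs, selection):
    """pcrDigest as carried in a quote: hash of the selected PCR values concatenated in index order."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()

def build_attest(pcrs, selection, nonce):
    """Verifier-relevant subset of TPMS_ATTEST: magic, type, extraData (nonce), quoteInfo (selection, digest)."""
    bitmap = sum(1 << i for i in selection)
    select = struct.pack(">HB", TPM_ALG_SHA256, 3) + bitmap.to_bytes(3, "little")
    digest = pcr_digest(pcrs, selection)
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
            + struct.pack(">H", len(nonce)) + nonce
            + struct.pack(">I", 1) + select
            + struct.pack(">H", len(digest)) + digest)

def parse_attest(blob):
    magic, st = struct.unpack_from(">IH", blob, 0)
    if magic != TPM_GENERATED_VALUE or st != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote structure")
    off = 6
    (n,) = struct.unpack_from(">H", blob, off)
    nonce, off = blob[off + 2:off + 2 + n], off + 2 + n
    (count,) = struct.unpack_from(">I", blob, off)
    off += 4
    selection = set()
    for _ in range(count):
        _alg, size = struct.unpack_from(">HB", blob, off)
        bitmap = int.from_bytes(blob[off + 3:off + 3 + size], "little")
        selection |= {i for i in range(size * 8) if bitmap >> i & 1}
        off += 3 + size
    (n,) = struct.unpack_from(">H", blob, off)
    return nonce, selection, blob[off + 2:off + 2 + n]

# Signature stand-in (assumption of this example): a real TPM signs the attest blob with
# the AIK (RSA/ECC) and the verifier checks it with the AIK public key vouched for through
# the EK certificate. Here an HMAC under a key only the "TPM" and verifier hold plays that role.
AIK_KEY = b"constructed-aik-secret"

def tpm_quote(pcrs, selection, nonce, key=AIK_KEY):
    attest = build_attest(pcrs, selection, nonce)
    return attest, hmac.new(key, attest, hashlib.sha256).digest()

def verify_quote(attest, signature, expected_nonce, event_log, key=AIK_KEY):
    """Verifier order: signature, then freshness, then signed digest vs. an independent log replay."""
    if not hmac.compare_digest(hmac.new(key, attest, hashlib.sha256).digest(), signature):
        return False, "signature not produced by the attestation key"
    nonce, selection, digest = parse_attest(attest)
    if nonce != expected_nonce:
        return False, "stale quote: nonce differs from this session's challenge"
    if digest != pcr_digest(replay_event_log(event_log), selection):
        return False, "PCR digest disagrees with the event log replay"
    return True, "fresh, signed and consistent with the event log"

# Constructed sample boot log, not captured from a real machine.
EVENT_LOG = [
    (0, "EV_S_CRTM_VERSION", b"CRTM 1.0"),
    (0, "EV_POST_CODE", b"firmware-image-bytes"),
    (1, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=1"),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"bootloader-bytes"),
    (7, "EV_EFI_VARIABLE_AUTHORITY", b"db-signer-cert"),
]
SELECTION = {0, 1, 4, 7}

def demo():
    """Returns (honest, replayed, hidden); only the honest exchange verifies."""
    nonce = b"0.ncmv81u451"  # the freshness challenge used in the tpm-js tutorial
    attest, sig = tpm_quote(replay_event_log(EVENT_LOG), SELECTION, nonce)
    honest = verify_quote(attest, sig, nonce, EVENT_LOG)[0]
    # The same genuine quote shown to a later session fails on freshness.
    replayed = verify_quote(attest, sig, b"new-challenge", EVENT_LOG)[0]
    # A bootkit was measured into PCR 4; the attacker hands over the clean log to hide it.
    infected = EVENT_LOG + [(4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"bootkit-bytes")]
    attest2, sig2 = tpm_quote(replay_event_log(infected), SELECTION, nonce)
    hidden = verify_quote(attest2, sig2, nonce, EVENT_LOG)[0]
    return honest, replayed, hidden
```

Note the order in verify_quote: the nonce and the PCR digest are compared only after the signature check, because both live inside the signed TPMS_ATTEST; a nonce outside the signed data would be replaceable by whoever replays the quote.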
12 | PV204: Trusted Boot https://crocs.fi.muni.cz @CRoCS_MUNI OPTION 1: FIDDLING WITH TPM: MS WINDOWS 13 | PV204: Trusted Boot https://crocs.fi.muni.cz @CRoCS_MUNI Windows: tpmtool • Basic information about your TPM device – tpmtool getdeviceinformation • Collect extended information – tpmtool gatherlogs C:\Users\Public\tpm – Investigate file TpmInformation.txt • Device info, Capabilities, Supported Algorithms, Supported Commands, PCRs… • Additional info about measured drivers etc. – tpmtool parsetcglogs > tpm_logs.txt • Now continue with tpm2-tools steps (for Linux) 16 | PV204: Trusted Boot Due to ROCA vulnerability! https://crocs.fi.muni.cz/public/ papers/rsa_ccs17 https://crocs.fi.muni.cz @CRoCS_MUNI Questions • What is your TPM version? Who is the vendor of your TPM? • What symmetric and asymmetric crypto algorithms are supported? • Can you locate Event Log? What is inside? • Is command TPM2_PCR_Reset supported by your TPM? What is it behavior (use man page)? Is it breaking security assumptions for PCR values? 17 | PV204: Trusted Boot https://crocs.fi.muni.cz @CRoCS_MUNI FIDDLING WITH TPM: TPM2-TOOLS 18 | PV204: Trusted Boot https://crocs.fi.muni.cz @CRoCS_MUNI tpm2-tools • Actively developed, open-source project for TPM 2.0 control and use – https://github.com/tpm2-software/tpm2-tools • Due to active development, packages in distros may be outdated • Documentation – https://github.com/tpm2-software/tpm2-tools/tree/master/man • Option 1: Linux & tpm2-tools works on your machine • Option 2: Use docker pull strongx509/tpm 19 | PV204: Trusted Boot https://crocs.fi.muni.cz @CRoCS_MUNI Tasks to achieve 1. Make real TPM accessible or run Docker with TPM simulator 2. Generate Random data from TPM chip (tpm2_getrandom) 3. Generate Random data using raw command (tpm2_send) 4. Figure out manufacturer ID of your TPM chip (raw cmd) 5. Obtain list of PCR registers (tpm2_pcrread) 6. Extend PCR_01 with specific hash (raw TPM2_CC_PCR_Extend) 7. 
Generate new primary RSA keypair (raw TPM2_CC_CreatePrimary) 8. Create Remote Attestation report (raw TPM2_CC_Quote) | PV204: Trusted Boot20 https://crocs.fi.muni.cz @CRoCS_MUNI Fill a table into Miro • Name of your computer (e.g., HP ProBook 6470b) • Supported version of TPM specification • TPM manufacturer (and manuf. Version) • Generate random data (tick OK when done) • Generate random data using raw cmd (tick OK when done) • Obtain list of PCR registers (tick OK when done) • Extend PCR_01 with specific hash (tick OK when done) • Generate new primary RSA keypair (tick OK when done) • Create Remote Attestation report (tick OK when done) | PV204: Trusted Boot21 https://miro.com/app/board/o9J_lLRWXoI=/ https://crocs.fi.muni.cz @CRoCS_MUNI DOCKER PULL STRONGX509/TPM 22 | PV204: Trusted Boot https://crocs.fi.muni.cz @CRoCS_MUNI All commands are in tpm2_commands.txt file !!! 23 | PV204: Trusted Boot Tutorial for TPM 2.0 (IS->09_TrustedBoot->tpm2_commands.txt) (Use ‘Ctrl’ + ‘Shift’ + ‘v’ to paste text copied) https://crocs.fi.muni.cz @CRoCS_MUNI Running in Docker (with TPM simulator) 24 | PV204: Trusted Boot // Create account on docker.com // Visit https://labs.play-with-docker.com // Download and run docker image with TPM2 simulator docker pull strongx509/tpm docker run -it strongx509/tpm // Try to generate 16 random bytes tpm2_getrandom 16 // possible error: Failed to initialize tcti context: 0x1 // Problem: no TPM available, solution: run simulator // Run simulator tpm_server -rm & // Try to generate random data again tpm2_getrandom 16 // ERROR: TPM2_GetRandom Error. 
TPM Error:0x100 // Problem: TPM is not yet initialized (shall happen during boot, but not the case for simulator) // Startup TPM (with real TPM, it is already send by BIOS) tpm2_startup --clear After executing these steps, your simulated TPM is prepared for use Install xxd tool for hex to binary conversion ‘apt-get update -y’ ‘apt-get install xxd’ https://crocs.fi.muni.cz @CRoCS_MUNI The remaining commands are same for simulator as well as for real TPM 25 | PV204: Trusted Boot (Use ‘Ctrl’ + ‘Shift’ + ‘v’ to paste text copied) All commands are in tpm2_commands.txt file !!! https://crocs.fi.muni.cz @CRoCS_MUNI Generate random data (TPM2_CC_GetRandom) 26 | PV204: Trusted Boot // Try to generate random data tpm2_getrandom 16 // Expected response if OK Client accepted Client accepted 0x12 0x5C 0xDA 0x46 0x40 0xBF 0x65 0x98 0x93 0xB2 0x12 0x0A 0x82 0xCE 0x64 0xC1 // our random data TPM command server listening on port 2321 // // We will now use raw commands for TPM extracted from https://google.github.io/tpm-js // // Any raw command in raw (get raw commands from https://google.github.io/tpm-js) // Prepare raw command TPM2_CC_GetRandom echo '80 01 00 00 00 0c 00 00 01 7b 00 0a' | xxd -r -p > getrandom.bin // Send it to simulator (use -T device:/dev/tpm0 for physical TPM) tpm2_send < getrandom.bin > resp.bin // Display response in hexa cat resp.bin | xxd // Get Manufacturer string (TPM2_CC_GetCapability) echo '80 01 00 00 00 16 00 00 01 7a 00 00 00 06 00 00 01 05 00 00 00 01' | xxd -r -p > getmanuf.bin tpm2_send < getmanuf.bin > resp.bin cat resp.bin | xxd https://crocs.fi.muni.cz @CRoCS_MUNI List and extend PCRs (TPM2_CC_PCR_Extend) 27 | PV204: Trusted Boot // Try to obtain PCRs tpm2_pcrread // Will be mostly zero for simulator, but non-zero for real TPM // TPM2_CC_PCR_Extend command (small enough to paste directly into echo) echo '80 02 00 00 00 41 00 00 01 82 00 00 00 01 00 00 00 09 40 00 00 09 00 00 00 00 00 00 00 00 01 00 0b 18 5f 8d b3 22 71 fe 25 f5 61 a6 fc 93 8b 
2e 26 43 06 c 30 4e da 51 80 07 d1 76 48 26 38 19 69' | xxd -r -p > extend.bin // Send raw command tpm2_send < extend.bin > resp.bin // Display response in hexa cat resp.bin | xxd // Display PCRs again and observe that PCR_01 has changed 'PCR_01: 7a fe da f7 f1 b9 a5 e7...' tpm2_listpcrs https://crocs.fi.muni.cz @CRoCS_MUNI Remote attestation (TPM2_CC_Quote) 28 | PV204: Trusted Boot // Remote attestation (https://google.github.io/tpm-js/#pg_attestation) // Locate, extract and convert to binary TPM2_CC_CreatePrimary command // from https://google.github.io/tpm-js/#pg_attestation vim createprimary.bin, insert mode, paste from tpm-js, :%!xxd -r, :wq 0000 80 02 00 00 00 61 00 00 01 31 40 00 00 01 00 00 .....a...1@..... 0010 00 09 40 00 00 09 00 00 00 00 00 00 04 00 00 00 ..@............. 0020 00 00 38 00 01 00 0b 00 05 00 72 00 00 00 10 00 ..8.......r..... 0030 14 00 0b 08 00 00 00 00 00 00 20 e3 b0 c4 42 98 .......... ...B. 0040 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 ........o.$'.A.d 0050 9b 93 4c a4 95 99 1b 78 52 b8 55 00 00 00 00 00 ..L....xR.U..... 0060 00 // IMPORTANT: after xxd-r inside VIM, there might be additional 0x0a character - must be removed // Send to TPM tpm2_send < createprimary.bin > resp.bin // Display response in hexa cat resp.bin | xxd // Locate, extract and covert to binary TPM2_CC_Quote command from https://google.github.io/tpm-js/#pg_attestation // Freshness challenge is '0.ncmv81u451' // IMPORTANT: after xxd-r inside VIM, there might be additional 0x0a character - must be removed vim quote.bin, insert mode, paste from tpm-js, :%!xxd -r, :w, :q 0000 80 02 00 00 00 35 00 00 01 58 80 00 00 00 00 00 .....5...X...... 0010 00 09 40 00 00 09 00 00 00 00 00 00 0c 30 2e 6e ..@..........0.n 0020 63 6d 76 38 31 75 34 35 31 00 10 00 00 00 01 00 cmv81u451....... 
0030 0b 03 0f 00 00 tpm2_send < quote.bin > resp.bin // Display response in hexa, shall be ~408B long and contains 'TCG' string cat resp.bin | xxd https://crocs.fi.muni.cz @CRoCS_MUNI HOMEWORK ASSIGNMENT 29 | PV204: Trusted Boot https://crocs.fi.muni.cz @CRoCS_MUNI Bonus assignment: TPM analysis 1. Find TPM settings in BIOS, picture it (photo…) and annotate with explanation of the options listed 2. Collect data about your TPM and analyze the results – Make Fedora-based bootable USB disk based on instructions provided at https://crocs.fi.muni.cz/tpm – Run the data collection on your machine (runs for several hours, e.g., overnight) – Analyze the results obtained (algtest_result_*.zip file, stored on USB drive) • In case your machine does not have TPM, submit the resulting file demonstrating this case (it will have only several kBs instead of several megabytes) and use file https://www.fi.muni.cz/~xsvenda/tpm_nymfe.zip instead 3. Answer the following questions: – What type (dTPM, fTPM…), vendor and firmware version of TPM you have – What elliptic curves are supported by your TPM? – What is the performance of RSA 2048b keygen, ECC 256b keygen, RSA/ECC signature (ms/operation) 4. 
Draw a histogram of the most significant byte of RSA modulus from Keygen_RSA_1024.csv – Compare it with at least one other student and try to explain the possible differences observed 30 | PV204: Trusted Boot https://crocs.fi.muni.cz @CRoCS_MUNI Bonus assignment: TPM analysis • Produce short (2xA4) text description of your solution – Provide answers to questions asked, description your setup precisely, include pics/graphs • Submit before 27.4.2023 23:59 into IS HW vault (2 weeks) – Soft deadline: -1.5 points for every started 24 hours • Consider helping our research by uploading your algtest_result_*.zip at https://is.muni.cz/dok/depository_in?lang=en;vybos_vzorek=4085 – Only public, non-sensitive and pseudonymized results are collected | PV204: Trusted Boot31 https://crocs.fi.muni.cz @CRoCS_MUNI32 | PV204: Trusted Boot https://crocs.fi.muni.cz @CRoCS_MUNI OLDER TUTORIALS If something doesn’t work or you like to play more ☺ 33 | PV204: Trusted Boot https://crocs.fi.muni.cz @CRoCS_MUNI DOCKER PULL STARLABIO/TPM2-EMULATOR Note: This tutorial uses bit outdated version of tpm2-tools. Also, sending binary version of commands gives you more control, but also increases initial learning curve. 34 | PV204: Trusted Boot https://crocs.fi.muni.cz @CRoCS_MUNI All commands are in tpm2_commands_starlabio.txt file !!! 
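The note above says that sending commands as raw bytes gives more control at the price of a steeper learning curve. The following Python script is added here as an illustration and is not part of the course materials or of tpm2-tools: it builds the exact byte strings used in the tpm2-tools tutorials (TPM2_CC_GetRandom, TPM2_CC_GetCapability for the manufacturer, TPM2_CC_PCR_Extend of PCR_01) from the TPM 2.0 header, authorization-area and TPM2B/TPML encodings, and parses responses back, including the 0x100 (TPM_RC_INITIALIZE) error seen before tpm2_startup. The three sample responses are constructed for the example, the 'IBM ' manufacturer string is a placeholder (a real chip returns its vendor ID), and send_to_device() assumes a Linux /dev/tpm0 with the usual write-then-read interface; the file-based flow with tpm2_send or tpm2_send_command works unchanged with the bytes this script produces.

```python
import hashlib
import struct

TPM_ST_NO_SESSIONS = 0x8001
TPM_ST_SESSIONS = 0x8002
TPM_CC_GETCAPABILITY = 0x0000017A
TPM_CC_GETRANDOM = 0x0000017B
TPM_CC_PCR_EXTEND = 0x00000182
TPM_CAP_TPM_PROPERTIES = 0x00000006
TPM_PT_MANUFACTURER = 0x00000105
TPM_ALG_SHA256 = 0x000B
TPM_RS_PW = 0x40000009  # the always-available password session handle
TPM_RC_INITIALIZE = 0x100  # TPM2_Startup not yet sent: the 0x100 error seen on a fresh simulator
HELLO_DIGEST = hashlib.sha256(b"Hello").digest()  # the digest the tutorial extends into PCR_01

def command(tag, code, body):
    """TPM 2.0 command: tag(2) || commandSize(4) || commandCode(4) || body, size covering the header."""
    return struct.pack(">HII", tag, 10 + len(body), code) + body

def password_auth(password=b""):
    """Authorization area: size(4) then TPM_RS_PW, nonce size 0, session attributes 0, hmac = password."""
    session = struct.pack(">IHBH", TPM_RS_PW, 0, 0, len(password)) + password
    return struct.pack(">I", len(session)) + session

def get_random(n):
    return command(TPM_ST_NO_SESSIONS, TPM_CC_GETRANDOM, struct.pack(">H", n))

def get_capability(cap=TPM_CAP_TPM_PROPERTIES, prop=TPM_PT_MANUFACTURER, count=1):
    return command(TPM_ST_NO_SESSIONS, TPM_CC_GETCAPABILITY, struct.pack(">III", cap, prop, count))

def pcr_extend(pcr_index, digest, alg=TPM_ALG_SHA256):
    """pcrHandle || auth area || TPML_DIGEST_VALUES(count=1, alg, digest); PCRs need authorization, hence TPM_ST_SESSIONS."""
    if len(digest) != 32:
        raise ValueError("SHA-256 digest must be exactly 32 bytes, got %d" % len(digest))
    body = struct.pack(">I", pcr_index) + password_auth() + struct.pack(">IH", 1, alg) + digest
    return command(TPM_ST_SESSIONS, TPM_CC_PCR_EXTEND, body)

def parse_response(resp):
    """Response: tag(2) || responseSize(4) || responseCode(4) || body; on error the body is empty."""
    tag, size, rc = struct.unpack_from(">HII", resp, 0)
    if size != len(resp):
        raise ValueError("responseSize %d does not match %d bytes received" % (size, len(resp)))
    if rc != 0:
        hint = " (send tpm2_startup --clear first)" if rc == TPM_RC_INITIALIZE else ""
        raise RuntimeError("TPM error 0x%03x%s" % (rc, hint))
    return tag, resp[10:]

def parse_get_random(resp):
    _tag, body = parse_response(resp)
    (n,) = struct.unpack_from(">H", body, 0)  # TPM2B_DIGEST: size || bytes
    return body[2:2 + n]

def parse_manufacturer(resp):
    """TPMS_CAPABILITY_DATA: moreData(1) || capability(4) || count(4) || {property(4) value(4)}*;
    the manufacturer value is four ASCII bytes (vendor ID string)."""
    _tag, body = parse_response(resp)
    _more, cap, count = struct.unpack_from(">BII", body, 0)
    if cap != TPM_CAP_TPM_PROPERTIES or count < 1:
        raise ValueError("unexpected capability data")
    prop, value = struct.unpack_from(">II", body, 9)
    if prop != TPM_PT_MANUFACTURER:
        raise ValueError("property 0x%x is not TPM_PT_MANUFACTURER" % prop)
    return struct.pack(">I", value).decode("ascii").strip("\x00 ")

def hexdump(b):
    """Same spacing as the tutorial's echo '...' | xxd -r -p lines."""
    return " ".join("%02x" % x for x in b)

def send_to_device(cmd, path="/dev/tpm0"):
    """Write the command to the Linux TPM character device and read the response
    (needs access to /dev/tpm0; what tpm2_send -T device:/dev/tpm0 does). Not run offline."""
    with open(path, "r+b", buffering=0) as dev:
        dev.write(cmd)
        return dev.read(4096)

# Constructed sample responses in the wire format above, not captured from a real TPM.
SAMPLE_RANDOM_RESP = bytes.fromhex("8001 0000001c 00000000 0010 125cda4640bf659893b2120a82ce64c1")
SAMPLE_MANUF_RESP = bytes.fromhex("8001 0000001b 00000000 00 00000006 00000001 00000105") + b"IBM "
SAMPLE_ERROR_RESP = bytes.fromhex("8001 0000000a 00000100")
```

hexdump(pcr_extend(1, HELLO_DIGEST)) reproduces the echo line of the PCR_Extend step byte for byte, and the length check in pcr_extend is the one that catches a digest with a missing hex digit before xxd and the TPM do.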
Tutorial for TPM 2.0 (IS->09_TrustedBoot->tpm2_commands_starlabio.txt)

Running in Docker (with TPM simulator)
// Create an account on docker.com
// Visit https://labs.play-with-docker.com
// Download and run the docker image with the TPM2 simulator
docker pull starlabio/tpm2-emulator
docker run -it starlabio/tpm2-emulator
// Try to generate 16 random bytes
tpm2_getrandom 16
// possible error: Failed to initialize tcti context: 0x1
// Problem: no TPM available; solution: run the simulator
// Run the simulator
tpm_server -rm &
// Try to generate random data again
tpm2_getrandom 16
// ERROR: TPM2_GetRandom Error. TPM Error:0x100
// Problem: the TPM is not yet initialized (TPM2_Startup happens during boot, but not for the simulator)
// Start up the TPM (with a real TPM this has already been sent by the BIOS)
tpm2_startup --clear
Try to run the 'xxd' command. If it is not found, then:
1. cd /usr/bin
2. wget https://www.fi.muni.cz/~xsvenda/xxd
3. chmod +x xxd
4. cd ~

The remaining commands are the same for the simulator and for a real TPM
(Use 'Ctrl' + 'Shift' + 'v' to paste text copied from the slides)

Generate random data (TPM2_CC_GetRandom)
// Try to generate random data
tpm2_getrandom 16
// Expected response if OK
Client accepted
Client accepted
0x12 0x5C 0xDA 0x46 0x40 0xBF 0x65 0x98 0x93 0xB2 0x12 0x0A 0x82 0xCE 0x64 0xC1   // our random data
TPM command server listening on port 2321
//
// We will now use raw commands for the TPM extracted from https://google.github.io/tpm-js
// (any raw command can be sent this way; get the raw commands from https://google.github.io/tpm-js)
//
// Prepare the raw command TPM2_CC_GetRandom
echo '80 01 00 00 00 0c 00 00 01 7b 00 0a' | xxd -r -p > getrandom.bin
// Send it to the simulator (use the device TCTI, e.g. -tcti device:/dev/tpm0, for a physical TPM)
tpm2_send_command -tcti socket:127.0.0.1:2321 < getrandom.bin > resp.bin
// Display the response in hex
cat resp.bin | xxd
// Get the manufacturer string (TPM2_CC_GetCapability)
echo '80 01 00 00 00 16 00 00 01 7a 00 00 00 06 00 00 01 05 00 00 00 01' | xxd -r -p > getmanuf.bin
tpm2_send_command -tcti socket:127.0.0.1:2321 < getmanuf.bin > resp.bin
cat resp.bin | xxd

List and extend PCRs (TPM2_CC_PCR_Extend)
// Try to obtain the PCRs
tpm2_listpcrs
// Will be mostly zero for the simulator, but non-zero for a real TPM
// TPM2_CC_PCR_Extend command (small enough to paste directly into echo); the 32-byte digest is SHA-256 of the string 'Hello'
echo '80 02 00 00 00 41 00 00 01 82 00 00 00 01 00 00 00 09 40 00 00 09 00 00 00 00 00 00 00 00 01 00 0b 18 5f 8d b3 22 71 fe 25 f5 61 a6 fc 93 8b 2e 26 43 06 ec 30 4e da 51 80 07 d1 76 48 26 38 19 69' | xxd -r -p > extend.bin
// Check: the digest must be exactly 64 hex digits; a missing digit shifts every following nibble and the TPM rejects the command
// Send the raw command
tpm2_send_command -tcti socket:127.0.0.1:2321 < extend.bin > resp.bin
// Display the response in hex
cat resp.bin | xxd
// Display the PCRs again and observe that PCR_01 has changed: 'PCR_01: 7a fe da f7 f1 b9 a5 e7...'
tpm2_listpcrs

Remote attestation (TPM2_CC_Quote)
// Remote attestation (https://google.github.io/tpm-js/#pg_attestation)
// Locate, extract and convert to binary the TPM2_CC_CreatePrimary command
// from https://google.github.io/tpm-js/#pg_attestation
vim createprimary.bin, insert mode, paste from tpm-js, :%!xxd -r, :wq
0000 80 02 00 00 00 61 00 00 01 31 40 00 00 01 00 00 .....a...1@.....
0010 00 09 40 00 00 09 00 00 00 00 00 00 04 00 00 00 ..@.............
0020 00 00 38 00 01 00 0b 00 05 00 72 00 00 00 10 00 ..8.......r.....
0030 14 00 0b 08 00 00 00 00 00 00 20 e3 b0 c4 42 98 .......... ...B.
0040 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 ........o.$'.A.d
0050 9b 93 4c a4 95 99 1b 78 52 b8 55 00 00 00 00 00 ..L....xR.U.....
0060 00
// IMPORTANT: after xxd -r inside vim there may be an additional trailing 0x0a byte - it must be removed (the file must be exactly 0x61 = 97 bytes)
// Send to the TPM
tpm2_send_command -tcti socket:127.0.0.1:2321 < createprimary.bin > resp.bin
// Display the response in hex
cat resp.bin | xxd
// Locate, extract and convert to binary the TPM2_CC_Quote command from https://google.github.io/tpm-js/#pg_attestation
// The freshness challenge is '0.ncmv81u451'
// IMPORTANT: after xxd -r inside vim there may be an additional trailing 0x0a byte - it must be removed
vim quote.bin, insert mode, paste from tpm-js, :%!xxd -r, :w, :q
0000 80 02 00 00 00 35 00 00 01 58 80 00 00 00 00 00 .....5...X......
0010 00 09 40 00 00 09 00 00 00 00 00 00 0c 30 2e 6e ..@..........0.n
0020 63 6d 76 38 31 75 34 35 31 00 10 00 00 00 01 00 cmv81u451.......
0030 0b 03 0f 00 00
tpm2_send_command -tcti socket:127.0.0.1:2321 < quote.bin > resp.bin
// Display the response in hex; it should be ~408 B long and contain the 'TCG' string
cat resp.bin | xxd

OLDER TUTORIAL (TPM 1.2)

Organizational
• Not every computer has a TPM chip
  – Make groups with at least one TPM-enabled computer
  – Use your own computer (if TPM-enabled) or the provided ones
• Usage differs between TPM 1.2 and 2.0 (the 2.0 command set is not backward compatible with 1.2)
• Usage of the TPM differs between Windows and Linux
  – We will focus on Windows, but you may try Linux as well
• Prepared software (Windows, Linux)
  – Preconfigured binaries and cheatsheet in IS 07_TPM.zip
  – Or https://www.fi.muni.cz/~xsvenda/tpm.zip
  – Use the printed cheatsheet

Questions to answer
1. Figure out the maker and version of the TPM chip
2. Obtain the number of OS boot counts
3. Obtain the list of PCR registers
4. Generate a new RSA keypair and export the public key
5. Seal (encrypt) data so that only your machine will be able to decrypt it
6. (optional) Try to create a Remote Attestation report

Fill the table on the whiteboard ☺
• Name of your computer (e.g., HP ProBook 6470b)
• Supported version of the TPM specification
• TPM manufacturer and manufacturer version
• Number of OS boot counts
• Platform Configuration Registers #used / #unused
• Generate on-TPM RSA key (tick OK when done)
• Seal data (tick OK when done)
• Remote Attestation (tick OK when done)

Sending TPM commands, tools
• ISO/IEC 11889 standard for a secure crypto-processor
• Versions published by the Trusted Computing Group
  – TPM 1.2 (2011), TPM 2.0 (2016, not compatible with 1.2)
  – https://trustedcomputinggroup.org
• Windows: Microsoft PCPTool, TSS.MSR
• Linux: tpm_tools, GUI TPMManager
• (All tools and scripts are available in a single package)
  – https://www.fi.muni.cz/~xsvenda/tpm.zip

Is there a TPM chip inside my computer?
• Windows
  – WinButton+R
  – tpm.msc (requires admin)
• Linux
  – sudo apt-get install tpm-tools
  – tpm_setactive -s
  – tpm_setactive -a
  – tpm_version
  – (systemctl restart tcsd)
• Check the BIOS settings (TPM or Security chip...)

TPM platform info
• Provides information about your platform state
• W: PCPTool.exe GetPlatformCounters
• L: not readily available, try
  – sudo cat /sys/kernel/security/tpm0/ascii_bios_measurements
  – sudo cat /sys/kernel/security/ima/ascii_runtime_measurements
(Screenshot of GetPlatformCounters output before and after a reboot; the boot counter and the OS boot count advance by one:
 44 2 0 66 179136858 0 64 179136858
 Reboot =>
 45 0 0 67 179136858 0 67 179136858)

Platform attestation – PCR registers
• W: PCPTool.exe GetPCRs
• L: cat `find /sys/class/ -name "tpm0"`/device/pcrs

Platform info
• Obtain information about your platform
• Version info: pcptool GetVersion
• Get platform counters: pcptool GetPlatformCounters
(Screenshot: the same GetPlatformCounters output before and after a reboot as above)

Encrypt data only for your TPM (Windows)
• (An RSA key with the name openlab has already been generated)
1. Export the public key
   – PCPTool.exe GetPubKey openlab openlab.pub
2. Encrypt data with the public key
   – PCPTool.exe Encrypt openlab.pub Hello msg_enc.bin
3. Decrypt; possible only on your machine, since the private key never leaves the TPM
   – PCPTool.exe Decrypt openlab msg_enc.bin

Encrypt data only for your TPM (Linux)
• Sealed storage using the Storage Root Key (SRK)
• The proper way for TPM encryption is installing the openssl_tpm_engine; however, the repository is not maintained anymore and does not build on my system (not even with OpenSSL 0.9.8) https://sourceforge.net/p/trousers/openssl_tpm_engine/ci/master/tree/
• There is a newer patched version, but it is too complicated: https://blog.hansenpartnership.com/using-your-tpm-as-a-secure-key-store/
echo "Hello World!" > cleartext.txt
// seal with the well-known (all-zero) SRK secret; the two forms are equivalent (long and short options)
tpm_sealdata --well-known --infile cleartext.txt > encrypted.txt
tpm_sealdata -z -i cleartext.txt > encrypted.txt
cat encrypted.txt
// unseal; succeeds only on the TPM that sealed the data (and, if PCRs were specified, only in the same platform state)
tpm_unsealdata --srk-well-known --infile encrypted.txt
tpm_unsealdata -z -i encrypted.txt

Holy grail: Remote attestation
• Apps running on your computer are measured into PCRs
• Your TPM contains a unique Endorsement Key (EK)
• You can generate an Attestation Identity Key (AIK) inside the TPM
  – And bind it to the Endorsement Key: the remote party encrypts a credential for the AIK to the EK public key, and only the TPM holding that EK can recover it (the EK is a decryption key, it does not sign)
• You can sign your PCRs with the AIK (inside the TPM)
• The remote party can verify that the AIK belongs to a genuine TPM
  – Using the public part of the Endorsement Key (and its certificate)
• The remote party can verify the signature on the PCRs
  – Using the public part of the AIK
• The remote party now knows what you are running

Attestation keys
1. Create an attestation identity key (AIK)
   – CreateAIK AIK_NAME filename aikNonce
2. Get the public part of the attestation key
   – GetPubAIK
3. Authentication of the generated AIK to the remote entity
   – Omitted (challenge-response with the endorsement key)
4. Get the platform attestation signed by the AIK
   – GetPlatformAttestation

1. Create attestation key
• PCPTool.exe CreateAIK myAIK test.tmp 1234
(Output excerpt:
 RSA1 2048 010001 9ddc3bb99eab0d9…d0fb46a48224cf15e9
 0101000000000079139f69c93c042496a8e958ec5930662c6cccafbf000000010…093873f194ce7b68ef667f00eca2090adad3)

2. Get public part of attestation key
• PCPTool.exe GetPubAIK test.tmp AIKPub.key
(Output excerpt: RSA1 2048 010001 9ddc3bb99eab0d913cd…0a40de6d62424b9a311)

3. Get platform attestation
• PCPTool.exe GetPlatformAttestation myAIK attestation.tmp 4321
  – TpmAttGeneratePlatformAttestation() is called internally
  – A large XML file is produced
• Why is the AIK relevant for platform attestation?
• Why does it make sense to have multiple AIKs?
• Why is the nonce 4321 included?

4. Platform attestation – PCR registers
(Excerpt from the attestation XML: PADS TPM_VERSION_12 28, followed by the 24 SHA-1 PCR values in order)
PCR 00: 8cb1a2e093cf41c1a726bab3e10bc1750180bbc5
PCR 01: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
PCR 02: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
PCR 03: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
PCR 04: 68fffb7e5c5f6e6461b3527a0694f41ebd07e4e1
PCR 05: 8e33d52190def152c9939e9dd9b0ea84da25d29b
PCR 06: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
PCR 07: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
PCR 08: 0000000000000000000000000000000000000000
PCR 09: 0000000000000000000000000000000000000000
PCR 10: 0000000000000000000000000000000000000000
PCR 11: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
PCR 12: 7c84e69cd581eefd7ebe1406666711fd4fda8aa8
PCR 13: 01788a8a31f2dafcd9fe58c5a11701e187687d49
PCR 14: 26cda47f1db41bedc2c2b1e6c91311c98b4e2246
PCR 15: 0000000000000000000000000000000000000000
PCR 16: 0000000000000000000000000000000000000000
PCR 17: ffffffffffffffffffffffffffffffffffffffff
PCR 18: ffffffffffffffffffffffffffffffffffffffff
PCR 19: ffffffffffffffffffffffffffffffffffffffff
PCR 20: ffffffffffffffffffffffffffffffffffffffff
PCR 21: ffffffffffffffffffffffffffffffffffffffff
PCR 22: ffffffffffffffffffffffffffffffffffffffff
PCR 23: 0000000000000000000000000000000000000000
…
(All-zero PCRs have not been extended since reset; the all-ff values in PCR 17-22 are the reset state of the D-RTM PCRs, which are only reset by a dynamic launch, not at power-on.)

4. Platform attestation – EFI boot info