P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\titulka.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\titulka.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\titulka.jpg
PV204 Security technologies
Trusted Boot, TPM, SGX
Petr Švenda svenda@fi.muni.cz @rngsec
Centre for Research on Cryptography and Security, Masaryk University
Please comment on slides with anything unclear, incorrect or suggestions for improvement
https://drive.google.com/file/d/1i8K1d8JpIesLnMbf8S4QUNs3UEXhLbUr/view?usp=sharing
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Overview
•Booting chain of programs
•BIOS as root of trust
•Verified and Measured boot
•Trusted boot in the wild
–Trusted Platform Module
–Chromium, Windows 8/10/11, UEFI…
•Dynamic root of trust
–Intel’s TXT, SGX
•
•
•
| PV204: Trusted boot
2
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Motivation – untrusted host platform
•Traditional role of operating system
–Isolate processed
–Manage privileges, authorize operations
•But how to deal with
–Debugger, disassembler
–Intercepted multimedia output
–Malware run along with banking app
–Keyloggers, Evil maid
–System administrators, Service providers
–…
–
•
•
| PV204: Trusted boot
D:\Documents\Obrazky\question.png
3
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Solution?
•Code signing (e.g., Microsoft AuthentiCode)
–Application binary is signed, PKI used to verify certificate
–If not signed, user is notified
–Mandatory signing for selected applications (drivers…)
–
–
–
–
–
–
–
–
| PV204: Trusted boot
Signed == Secure?
D:\Documents\Obrazky\question.png
4
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Signed == Secure?
5
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Trust in program’s functionality
•Trust in a program code?
–Signed code may still contain bugs and vulnerabilities
•Trust only in a program code?
–Underlying OS layers
–Underlying firmware
–Underlying hardware
–Memory used by the program
–Other code with access to the program’s memory/code
–…
•The program is almost never executed “alone”
| PV204: Trusted boot
6
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Problem statement
•How to make sure that valid programs run only within valid environment?
•
1.Is it possible to start valid “clean” environment on previously compromised machine?
2.Is it possible to prevent tampering of apps against an attacker with physical access?
3.How to prove what apps are running on local machine to a remote party?
| PV204: Trusted boot
7
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Classical boot chain
| PV204: Trusted boot
http://www.thegeekstuff.com/2011/02/linux-boot-process/
http://social.technet.microsoft.com/wiki/contents/articles/11341.the-windows-7-boot-process-sbsl.as
px
Linux
Windows
How to detect that BIOS or
OS Loader was modified?
(evil maid, bootkit…)
D:\Documents\Obrazky\question.png
8
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
How to arrive at the expected chain of apps?
1.Just trust the whole boot process
2.Make all applications in protected read-only memory
–If read-only => cannot be (maliciously) modified. But is it really what is running?
3.Signature-based approach: Verified boot
–Before next app is executed, its signature is verified
–Requires valid (unforged) public key (integrity)
–Requires trust to owner of private key (signs only valid applications)
–(but which particular apps were executed is not known, only that they were signed)
4.Create un-spoofable log what executed: Measured boot
–Before next app is executed, its hash (“measurement”) is added to un-spoofable log (TPM’s PCR)
–Will NOT prevent run of unwanted app, but environment cannot lie about what was executed
–Requires (protected) log storage (Trusted Platform Module)
–May require authentication of log (Remote attestation)
| PV204: Trusted boot
9
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
“Verified” boot
(signatures)
| PV204: Trusted boot
“Measured” boot
(cumulative hash)
Trusted boot
10
>
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
“Verified” boot
•
| PV204: Trusted boot
BIOS
MBR
GRUB
Kernel
User app
…
VERIFY (RSA)
VERIFY (RSA)
VERIFY (RSA)
VERIFY (RSA)
MEASURE: PCR = H(PCR | H(MBR))
MEASURE: PCR = H(PCR | H(GRUB))
MEASURE: PCR = H(PCR | H(Kernel))
MEASURE: PCR = H(PCR | H(User app))
Nothing => BIOS is Root of Trust
What verifies or
measures BIOS?
D:\Documents\Obrazky\question.png
RESET: PCR = 0
PCR = H(…H(H(0|H(MBR))|H(GRUB)…H(User app))
“Measured” boot
11
TPMLog.txt
User app
Kernel
GRUB
MBR
BIOS
Verified and measured approaches can be combined
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Root of trust (for verified/measured boot)
•Verified and Measured boot need some root of trust
–Initial piece of code that nobody verifies/measures
•Static root of trust
–Start building trusted chain after reset of whole device
•Dynamic root of trust
–Start building trusted chain without reset of device (faster)
•What can be root of trust?
–static root of trust: BIOS, UEFI firmware, Intel Boot Guard, AMD Platform Security Processor
–dynamic root of trust: Intel TXT, Intel SGX, Pluton
•Root of trust requires special protection
–As nobody verifies than nobody will detect eventual modification of it
–
| PV204: Trusted boot
12
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
BIOS as root of trust
•First code executed on CPU of target machine
•Privileged access to hardware
–E.g., can write into memory of OS code via DMA
•Provides code for System Management Mode (SMM)
–Routines executed during the whole platform runtime
–x86 feature since 386, all normal execution is suspended
–Used for power management, memory errors, hardware-assisted debugger…
–Very powerful mode (=> also target of “ring -2” rootkits)
–
| PV204: Trusted boot
13
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
BIOS – security considerations
•How BIOS verifies integrity of next module to run?
•Where public key(s) for verification are stored?
•How to handle updates of signing keys?
•How BIOS checks signatures on its own updates?
•How BIOS can be compromised?
•
| PV204: Trusted boot
D:\Documents\Obrazky\question.png
14
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
How BIOS can be compromised?
1.Maliciously written by BIOS vendor (backdoor)
2.Replacement of genuine BIOS by malicious one
–By physical flash (SPI programmer) of BIOS code
–By lack of flashing protection mechanism by original BIOS
–By code logic flaws in BIOS locking mechanisms
3.Modification of other code/data used by BIOS
–Bug in parsing unsigned data…
•Currently used protections:
–Chipset-enforced protection of flash memory with BIOS
–BIOS signature verification before new version is written
–Hardware-aided check of executed code (TPM, TXT, SGX)
–Check of BIOS signature before execution by CPU (IBG)
–
| PV204: Trusted boot
15
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
BIOS write locking – “locks”
•Prevent unauthorized BIOS flash (from host OS)
•Allow for authorized BIOS changes
–BIOS upgrade, signing keys update
–Change of persistent configurations (boot device…)
•Locking mechanism (locks) for BIOS memory write
1.Locks are unlocked after reboot
2.Signature on new BIOS version is verified by old BIOS, and new is flashed eventually (before
locking locks)
3.BIOS configuration (boot device priority) is written before locking locks
4.Locks locked before handling execution to other code
5.
| PV204: Trusted boot
16
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Attacks against BIOS locks
1.Attacks typically via BIOS code vulnerability
–BIOS usually does not takes (much) user input, but may parse BIOS update blob with some parts
unsigned (logo)
–Buffer overflow in logo parsing => Locks are not locked yet => write own BIOS
–http://invisiblethingslab.com/resources/bh09usa/Attacking%20Intel%20BIOS.pdf
2.Write into flash memory by SPI programmer
–
| PV204: Trusted boot
Which one is more serious? Different attacker models
1. Is remote, but patchable
2. Is local attacker, but requires design changes to prevent
D:\Documents\Obrazky\question.png
17
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Impact: Attack against Tails live-CD distro
•Tails is live-CD Linux distribution
•Designed to provide security even on previously compromised computer
–Boot complete fresh OS from live-CD + security tools
•Attack 1: Physical BIOS modification
–Modified BIOS inserts malicious code into Tails during boot time
–Known thread, physical access to computer assumed
•Attack 2: SMM rootkit (LightEater)
–Bug in BIOS exploited by remote party to modify SMM routines
•Main issue: Tails tries to start with clean erased computer, but some elements still persist erase
(BIOS modifications)
| PV204: Trusted boot
18
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
INTEL BOOT GUARD (IBG)
•
| PV204: Trusted boot
19
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Intel Boot Guard (IBG)
•Feature to protect BIOS
–Piece of trusted processor-provided, ROM-based code
–Runs first after reset, verifies Initial Boot Block (IBB)
1.“Measured” boot mode (TPM-based)
–Passively extends TPM’s PCRs by hash of IBB
2.“Verified” boot mode (digital signature)
–OEM vendor hardcodes public key via fuses into CPU
–Intel Boot Guard checks signature of IBB by OEM’s key
–Only vendor-approved IBB=>BIOS=>OS is executed
3.Combination of measured and verified mode
| PV204: Trusted boot
20
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
BIOS
Intel Boot Guard – new root of trust
•
| PV204: Trusted boot
BIOS
MBR
GRUB
Kernel
User app
…
Intel Boot Guard (CPU)
VERIFY (RSA)
VERIFY (RSA)
VERIFY (RSA)
VERIFY (RSA)
VERIFY (RSA)
MEASURE: PCR = H(BIOS-IBB)
MEASURE: PCR = H(PCR | H(MBR))
MEASURE: PCR = H(PCR | H(GRUB))
MEASURE: PCR = H(PCR | H(Kernel))
MEASURE: PCR = H(PCR | H(User app))
IBG: Measured mode
IBG: Verified mode
21
AMD Platform Security Processor (PSP) provides same functionality as IBG
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Intel Boot Guard – security improvements
•What attacks are mitigated by Intel Boot Guard?
•Direct BIOS flash by SPI programmer
–Mitigated, signature/measurement mismatch
•Remote change of BIOS / BIOS data
–Mitigated, signature/measurement mismatch
•Other bug(s) in BIOS code
–Not mitigated, signed code still contains bug
–
•Any new attacks opened by IBG?
| PV204: Trusted boot
22
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
How hard is to incorporate backdoor?
•OEM vendor can sign backdoored BIOS
–But multiple OEM vendors exist, open-source bootloaders (coreboot)
•Intel Boot Guard is written by Intel only
–But OEM fuses own verification public key, right?
–But it is the IBG code that actually verifies a signature!
•Trivial (potential) backdoor (inside IBG code inside CPU)
–if (IBB[SOME_OFFSET] == BACKDOOR_MAGIC) then always load provided BIOS (no signature check)
–Or possibly verify by some other public key (secure even when BACKDOOR_MAGIC is leaked)
| PV204: Trusted boot
23
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Short summary
•Signature-based “verified” boot approach
–Whitelisting approach – run only what is signed
–Robust signature process needed (trust in private key owner)
–Integrity of verification public key is critical
–Key management is necessary (multiple keys, key updates)
•“Measured” boot approach
–Un-spoofable log of hashes of executed code
–Can be remotely verified (remote attestation, explained later)
•Root of trust needs to be protected
–Historically was BIOS (+ update signatures + write locks)
–Intel Boot Guard/AMD Platform Security Processor inside CPU (signature of BIOS)
| PV204: Trusted boot
24
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TRUSTED PLATFORM MODULE
•
| PV204: Trusted boot
25
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TPM hardware
•Cryptographic smart card connected/inside to device
–Secure storage, cryptographic operations…
–(But not programmable JavaCard J)
•Physical placement
1.Additional chip on motherboard (discrete dTPM: Infineon, STM, Nuvoton)
2.Firmware module inside CPU (firmware fTPM: Intel, AMD)
3.Incorporated in CPU/peripheral (integrated iTPM: Pluton)
4.(Software TPM – for development and debugging)
•Accessed during boot time
–“Measured” boot (TPM’s PCR registers)
–BitLocker encrypted drive keys
•Accessed later (private key operation)
| PV204: Trusted boot
D:\Documents\Obrázky\TPM_Asus.jpg
26
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Trusted platform module
•
| PV204: Trusted boot
D:\Documents\Obrázky\TPM.svg.png
Author: Guillaume Piolle
27
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Trusted Platform Module (TPM)
•ISO/IEC 11889 standard for secure crypto-processor
•Versions published by Trusted Computing Group
–https://trustedcomputinggroup.org
–TPM 1.2 (2003-2011)
–TPM 2.0 (2013-now, not compatible with 1.2, but downgrade switch in BIOS)
•Tools to communicate with TPM
–Windows: Microsoft PCPTool, TSS.MSR, Windows API
–Linux: tpm_tools, tpm2_tools, GUI TPMManager
| PV204: Trusted boot
28
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Pluton chip (iTPM)
•Hardware chip inside AMD and Qualcomm CPU/SoC silicon die
–Co-developed by Microsoft, AMD and Qualcomm (Intel not yet)
–Similar functionality like Secure Enclave or ARM TrustZone
•own on-chip RAM, ROM, RNG, cryptographic co-processors…
•Only Microsoft signed firmware (Windows Update), downgrade protection
–On non-Windows systems provides only generic TPM 2.0 (iTPM)
•Used to implement TPM 2.0 functionality (integrated TPM => iTPM)
–But also more, design originally from Microsoft Xbox (DRM) and Azure Sphere
–SHACK (Secure Hardware Cryptography Key) implementation
–DICE (Device Identifier Composition Engine) implementation
–Robust Internet of Things (RIoT) specification compliance
29
| PV204: Trusted boot
https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDe
vices.pdf
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TPMALGTEST PROJECT
•
30
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
A white and black text with black text Description automatically generated
TPM analysis (TPMAlgTest project)
•TPMAlgTest data collection tools
–AMD, Intel, Infineon, Nuvoton, STM (total 80 TPM versions)
–FI MU computers, compatibility testing cluster, community submissions
–https://github.com/crocs-muni/tpm2-algtest
1.Algorithmic and performance support
2.Properties of cryptographic material (RSA and ECC keypairs)
–Frequency of changes in cryptographic library
3.Properties of Endorsement keys (on-chip or injected)
4.Analysis of randomness data (GetRandom(), ECC keys and nonces…)
31
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
•
32
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
33
| PV204: Trusted boot
•
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TPM 1.2 vs. TPM 2.0
| PV204: Trusted boot
https://en.wikipedia.org/wiki/Trusted_Platform_Module
•TPM 2.0 introduced algorithm flexibility (no longer fixed SHA-1)
–If (some) algorithm is broken, no need to create “TPM 3.0”
•TPM 2.0 often supports legacy API 1.2 (switch in BIOS)
•TPM 2.0 seems to focus on IoT-like devices (support TLS)
34
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Security functions provided by TPM-based systems
I.“Measured” boot with remote attestation
–Provide signed log of what executed on platform (PCR)
II.Storage of keys (disk encryption, private keys…)
–Can be additionally password protected
III.Binding and Sealing of data
–Encryption key wrapped by concrete TPM’s public key
IV.Platform integrity
–Software will not start if current PCR value is not right
| PV204: Trusted boot
35
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TPM Trusted Software Stack stack
| PV204: Trusted boot
Infineon, http://www.cs.unh.edu/~it666/reading_list/Hardware/tpm_fundamentals.pdf
36
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TPM PCR
•Platform Configuration Register (PCR)
•Measurement cumulatively stored in PCR
–measurement = SHA1(next block to execute)
–PCR[i] = SHA1(PCR[i] | new_measurement)
–Current block measure & store next before passing control
•PCR cannot be erased until reboot
–Every part that was executed is stored
–Possible to perform after-the-fact verification what executed
•Idea: boot what you want, but PCR will hold trace
•Multiple PCRs to support finer grained reporting
| PV204: Trusted boot
37
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Platform attestation – PCR registers
•W: PCPTool.exe GetPCRs
•L: cat `find /sys/class/ -name "tpm0"`/device/pcrs
| PV204: Trusted boot
38
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Remote attestation of platform state
•So you measured your boot. How to prove your state to remote party?
•
•Idea:
1.Take current PCR values (stored inside TPM)
2.Sign it by TPM’s attestation private key (AIK), (all inside TPM)
3.Send signed PCR values + TPMLog from computer to remote party
4.Remote party holds public key and can verify signature => trust in authenticity of PCR values
| PV204: Trusted boot
D:\Documents\Obrazky\question.png
39
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Remote attestation of platform state
•Apps running on your computer measured in PCRs
•Your TPM contains unique Endorsement key
•You can generate Attestation key inside TPM (AIK)
–And sign AIK by Endorsement key (inside TPM)
•You can sign your PCRs by AIK (inside TPM)
•Remote party can verify signature on AIK key
–Using public key of Endorsement key
•Remote party can verify signature on PCRs
–Using public key of AIK key
•Remote party now knows “what” you are running
•
| PV204: Trusted boot
40
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Remote attestation
•Multiple PCRs to support finer grained reporting
–not just single cumulative value
•Multiple PCRs available
–BIOS, ROM, Memory Block Register [index 0-4]
–OS loaders [5-7], Operating System [8-15]
–Debug [16], Localities, Trusted OS [17-22]
–Application specific [23]
•What is PCR measurement good for?
–PCR content can be signed by TPM’s private key and exported
–List of applications claimed to be executed (=> PCR expected value can be recomputed by remote
party)
–=> Remote attestation
–
•
| PV204: Trusted boot
41
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Platform attestation – PCR registers
•
| PV204: Trusted boot
PADS
TPM_VERSION_12
28
8cb1a2e093cf41c1a726bab3e10bc1750180bbc5
b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
68fffb7e5c5f6e6461b3527a0694f41ebd07e4e1
8e33d52190def152c9939e9dd9b0ea84da25d29b
b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
7c84e69cd581eefd7ebe1406666711fd4fda8aa8
01788a8a31f2dafcd9fe58c5a11701e187687d49
26cda47f1db41bedc2c2b1e6c91311c98b4e2246
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
ffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffff
0000000000000000000000000000000000000000
…
42
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TPM platform info
•Provides information about your platform state
•Included in PCR12 (Operating System information)
–
•
•
•
•
•
•
•
•
| PV204: Trusted boot
44
2
0
66
179136858
0
64
179136858
45
0
0
67
179136858
0
67
179136858
Reboot =>
43
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TRUSTED BOOT – REAL IMPLEMENTATIONS
•
| PV204: Trusted boot
44
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Verified boot - Chromium OS
•Starts with read-only part of firmware/BIOS (root of trust)
–Cannot be forged, but also cannot be not updated
–Contains permanently stored root RSA public key
•“Verified” boot strategy is used
–Verifies that all executed code is from Chromium OS source tree
–Code signatures verified by (shorter) keys signed by root key
•speed tradeoff + possibility to update compromised keys
•Does not completely prevent user to boot other OSes
–Developer mode turned on => signature on kernel not checked
–TPM is used to provide mode reporting (normal/devel/recovery)
•https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot
•https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot-crypto
| PV204: Trusted boot
45
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Chromium OS uses of TPM
•Limited remote attestation (PCR[0] used)
–to store developer and recovery mode switches
•Prevent rollback attack
–Prevented by strictly increasing version of key & firmware
–Version is written in TPM’s NV RAM location, only read-only firmware can update this location
–Key version prevents update to older (compromised) key
–Firmware version prevents update to vulnerable firmware
•Store selected user’s private keys (secure storage)
•Wrap selected disk encryption keys by TPM’s system key
•https://www.chromium.org/developers/design-documents/tpm-usage
•
| PV204: Trusted boot
46
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
UEFI SECURE BOOT
•Secured and Trusted Boot
| PV204: Trusted boot
47
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
UEFI secure boot principles
•Platform key (RSA 2048b, PK) for authentication of platform owner
•Key exchange keys (KEKs) for authentication of other components (drivers, OS components…)
1.“Setup" mode – platform key (PK) is not loaded yet
–Everybody can write its own platform key (become owner)
–Once PK is written, switch to “user” mode
2.“User” mode
–New keys (PKs, KEKs) can be written only if signed by PK
–New software components loaded only if signed by KEKs
–
| PV204: Trusted boot
48
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
•
| PV204: Trusted boot
> The potential boot process from system power on for a conventional BIOS system
Microsoft, Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware
49
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
•
| PV204: Trusted boot
> Diagram illustrating the potential measured boot process for UEFI platforms
50
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
WINDOWS 8/10/11 TRUSTED BOOT
•Secured and Trusted Boot
| PV204: Trusted boot
51
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
D:\Documents\Obrázky\bootProcess.png
Windows 8/10 trusted boot
•Certified Windows 8/10/11 devices have trusted boot by default
–“Verified” boot used (UEFI+OS sign)
–“Measured” boot used (TPM)
•TPM PCRs used for measurements
•TPM used for keys protection
–BitLocker disk encryption key
–ROCA CVE-2017-15361 is relevant
•If Infineon TPM used, patch!
•
•
•
•
| PV204: Trusted boot
D:\Documents\Obrázky\368px-Uefi_logo.svg.png
52
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Usage of TPM in BitLocker (disk encryption)
•Source of Volume Master Key (VMK)
53
| PV204: Trusted boot
M. Russinovich et. al., Windows Internals Part 2, 6th Edition
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
•
54
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Windows 8/10 – secure boot process
•Certified Windows 8/10 devices must have secure boot enabled by default
•
•
| PV204: Trusted boot
Microsoft, Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware
55
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TPM owner password
•You “own” TPM if you can set owner password
–One owner password per single TPM
•Password set during TPM initialization phase
–can be repeated, but content is erased
•Password protected storage of keys (Bitlocker…)
–
| PV204: Trusted boot
56
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
•
| PV204: Trusted boot
57
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
ATTACKS AGAINST TPM
•
58
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Attacks against systems with TPM
•Physical attacks
–Sniffing, side-channels, fault induction…
•Design/reference implementation weaknesses
–Buffer overflow in packet handling [2023], updated specification January 2024
•“Revision 98 Added parameter to MemoryMove(), MemoryCopy(), and MemoryConcat() to make sure that
the data being moved will fix into the receiving buffer.”
•Attacks against cryptographic implementations
–ROCA [2017, CRoCS], RSA factorization (Infineon)
–TPM-Fail vulnerability [2020], ECDSA nonce timing dependency (STM, Intel)
–TPMScan vulnerabilities [2024, CRoCS]
•Fixed low 4 bytes of ECDSA nonce, (older Intel fTPM)
•TPM-Fail-like nonce timing in other algorithm than ECDSA (Nuvoton)
–
•
•
59
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
•
60
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Research paper
•Paper written by CROCS and NUKIB [CHES’24]
–https://crocs.fi.muni.cz/papers/tpm_ches2024
•Several ECC nonce-related vulnerabilities discovered
–Known vulnerabilities by TPM-Fail (2019) – Intel, STM, Nuvoton
•Few topmost bits leaked via timing, ~1000s signatures to recover key
–Previously unreported vulnerabilities in ECSCHNORR and ECDAA
•inconsistent testing and reporting
•New serious vulnerability in older Intel fTPMs 11.5.0.1058-303.12.0.0
–Lowest bytes of nonces of ECDSA and ECSCHNORR fixed to 0x00000001
–Only nine signatures required to extract private key, no need for active observation
–Fixed in 400.x versions, but not publicly disclosed
61
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Attack: Sniffing commands/keys for BitLocker
•Nice writeup how to sniff BitLocker key when send from TPM to OS, then decrypt disk image
–https://pulsesecurity.co.nz/articles/TPM-sniffing
–
–
•fTPM and iTPM does not have exposed bus
•
62
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
BASIC COMPONENTS
•
| PV204: Trusted boot
63
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TPM keys
•Endorsement key (EK)
–Generated during manufacturing, permanent
–Remain in TPM device during whole chip lifetime
•TPM Storage Root Key (SRK)
–Generated by use after taking ownership
–New Storage root key can be generated after TPM clear
–Used to protect TPM keys created by application
•Various delegate keys
–Separate keys signed/wrapped by EK, SRK…
–Application can generate and store own keys
–Good practice: do not have single key for everything
–
–
| PV204: Trusted boot
64
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TPM storage keys
| PV204: Trusted boot
•Application keys encrypted under SRK
•Exported as protected blob
•Stored on mass-storage
•If needed, decrypted back and placed into slot
•Key usable until removed
–
–
http://www.cs.unh.edu/~it666/reading_list/Hardware/tpm_fundamentals.pdf
65
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TPM policy
•TPM releases secret only when PCR contains particular value
•Enforcement even in measured-only mode
–Key is not released if unexpected component was started (started => is included in measurements)
•Conditions can use ANDs and ORs
•How to handle policy updates?
–Change policy of state only from already valid state
–
| PV204: Trusted boot
66
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Programming with TPM
•The TPM Software Stack from Microsoft Research (C++, Java, C#, Python)
–https://github.com/Microsoft/TSS.MSR
•tpm2-tools
–Open-source TPM stack for Linux and Windows
–https://github.com/tpm2-software/tpm2-tools
–
| PV204: Trusted boot
67
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
D:\Documents\Obrazky\TPM_cloud_domc.png
Usage of TPM in cloud-computing
•Combination of virtualization and trusted computing
–Modified Xen hypervisor used to make standard TPM available for secret-less virtual machine
–Results in significant decrease in the size of trusted computational base (TCB)
•Several different implementations
–E.g., Red Hat keylime https://github.com/keylime/
•
| PV204: Trusted boot
http://bleikertz.com/research/acns2013.pdf
68
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
DYNAMIC ROOT OF TRUST
•
| PV204: Trusted boot
69
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Static Root of Trust Measurement (SRTM)
•Start trusted immutable piece of firmware
–E.g., BIOS loader or Intel Boot Guard
•Initiates measurement process
–Integrity of every next component is added to TPM’s PCRs
–Start ® BIOS ® PCI EEPROM ® MBR ® OS …
•But do we need to start (trusted boot) only after reboot?
–Takes relatively long time
–Can we execute the same process, but dynamically?
–Can we exclude long chain (BIOS, PCI…)?
•Long chain => large Trusted Computing Base (TCB)!
–
| PV204: Trusted boot
70
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Dynamic Root Trust Measurement (DRTM)
•Launch of measured environment at any time
–“Late lunch” option
–No need to reset whole platform
–Can be also terminated after some time
•Measurement process similar to static root of trust
–Application trust chain executed from dynamic root
•Implementation of DRTM
–Intel’s TXT (not used much in practice, server CPUs typically)
–Intel’s SGX (all Skylake processors and newer, from 2015)
•
•
–
•
•
| PV204: Trusted boot
71
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Intel’s Trusted Execution Technology
•Intel’s TXT uses a processor-based root of trust
–Option given in TCG specifications
•Goal: shorten chain of trust
–Run specific program in verified/trusted chain without restart
•Goal: provide independent root of trust (CPU-based)
–Processor isolates memory of Measured Launched Environment (MLE) from other processes
•Intel’s TXT still uses TPM to store measurements
•http://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-txt-software-development-
guide.pdf
•Outdated, abounded in favor of SGX
| PV204: Trusted boot
72
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Intel’s TXT issues
1.TXT still relies on BIOS provided code (SMM)
–TXT-started chain can be compromised by forged BIOS
–Hard to patch (design decision, not implementation bug)
–Proposed defence by hardening and sandboxing SMM
2.Bugs in TXT implementation
–Memory corruption, misconfiguring VT-d …
–Can be fixed after discovery
3.Bugs in processing residual state of pre-TXT lunch
–Maliciously modified ACPI tables
–Can be fixed after discovery
–
–
–
| PV204: Trusted boot
73
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
tboot – open-source implementation
•Pre-kernel/VMM module
•Based on Intel’s Trusted Execution Technology
•Performs a measured and verified launch of an OS kernel/VMM
•http://sourceforge.net/projects/tboot/
•
| PV204: Trusted boot
74
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Intel’s SGX : Security enclave
•Intel’s Software Guard Extension (SGX)
–New set of CPU instructions intended for future cloud server CPUs
•Protection against privileged attacker
–Server admin with physical access, privileged malware
•Application requests private region of code and data
–Security enclave (4KB for heap, stack, code)
–Encrypted enclave is stored in main RAM memory, decrypted only inside CPU
–Access from outside enclave is prevented on CPU level
–Code for enclave is distributed as part of application
•Trusted Computing Base significantly limited! J
–But proprietary Intel code inside CPU L
•
| PV204: Trusted boot
75
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Intel’s SGX – some details
•EGETKEY instruction generates new enclave key
–SGX security version numbers
–Device ID (unique number of CPU)
–Owner epoch – additional entropy from user
•EREPORT instruction generates signed report
–Local/remote attestation of target platform
•Debugging possible if application opt in
•Enclave cannot be emulated by VM
•
•
| PV204: Trusted boot
76
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
SGX hardened password verification
| PV204: Trusted boot
https://jbp.io/2016/01/17/using-sgx-to-hash-passwords/
77
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Intel SGX is/was very active research area
•Many small enclaves to cover whole program
–User-annotated code split into many enclaves (“microns”)
•Secure interaction between microns (attest, auth. encryption)
–Tor, H2O, FreeTDS and OpenSSL successfully transformed
•2685, 154, 473 and 307 LOC changes required respectively
•TCB only 20KLOC, PANOPLY specific overhead 24%
•Memory randomization of code inside enclave
–SGX program modified with custom LLVM compiler
–Added in-enclave loader for ASLR & swDEP (2703 LOC)
–Code&data split into 32/64B units randomized separately
•Full library OS based on SGX (Haven, Graphene-SGX)
–
| PV204: Trusted boot
78
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Recent attacks against SGX
•SGX is not a silver bullet
•Vulnerable to side-channels
–Attacker with physical access explicitly excluded from attacker model
–Impacted by Spectre attack (2017)
•https://github.com/lsds/spectre-attack-sgx
•https://github.com/osusecLab/SgxPectre
–Impacted by Foreshadow attack (CVE-2018-3615) https://foreshadowattack.eu/
•Reading out attestation private key
•Bugs of enclave code are still problem (developer)
•Not everything is running inside enclave (other code, user input…)
79
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Programming with Intel’s SGX
•Intel SGX SDK
–https://software.intel.com/en-us/sgx-sdk
–6th generation core processor (or later) based platform with SGX enabled BIOS support
•Example: Hardened password hashing
–https://jbp.io/2016/01/17/using-sgx-to-hash-passwords/
–https://github.com/ctz/sgx-pwenclave
•More SGX info
–http://theinvisiblethings.blogspot.cz/2013/08/thoughts-on-intels-upcoming-software.html
–http://theinvisiblethings.blogspot.cz/2013/09/thoughts-on-intels-upcoming-software.html
| PV204: Trusted boot
80
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Intel SGX deprecated on non-server CPUs (end 2021)
•Intel deprecated technology for the newest non-server CPUs
–Still present in server CPUs, utilized by Azure confidential computing…
•Not completely clear reasons so far
–Possibly mix of many past attacks which cannot be fixed without changing the architecture
significantly (and breaking compatibility)
•https://community.intel.com/t5/Intel-Software-Guard-Extensions/Intel-SGX-deprecated-in-11th-Gen-pr
ocessors/m-p/1351848
•https://edc.intel.com/content/www/us/en/design/ipla/software-development-platforms/client/platform
s/alder-lake-desktop/12th-generation-intel-core-processors-datasheet-volume-1-of-2/001/deprecated-t
echnologies/
•
81
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
TRUSTED COMPUTING - CRITIQUE
•
| PV204: Trusted boot
82
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Trusted Computing (TC) - controversy
•For whom is your computed trusted?
–Secure against you as an owner?
•Is TC preventing users to run code of their choice?
–Custom OS distribution?
–Open OEM system – locked on first installation
–Physical switch to unlock later
•Why some people from Trusted Computing consortium think that Trustworthy Computing might be better
title?
| PV204: Trusted boot
83
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Trusted computing - controversy
•R. Anderson, `Trusted Computing' FAQ (2003)
–http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
•J. Edge, UEFI and "secure boot“
–http://lwn.net/Articles/447381/
•R. Stallman, Can You Trust Your Computer?
–https://www.gnu.org/philosophy/can-you-trust.html
•Selected problems addressed in current designs
–
•
•
| PV204: Trusted boot
84
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Quo Vadis, TPM?
•~2004: Started with primarily aim at DRM enforcement (TPM 1.2)
–Some adoption, but also controversy, unclear future
•~2013: TPM 2.0 significantly renewed interest and scope of use
–Wide hardware support via certified dTPMs (Infineon, Nuvoton, STM) and non-certified fTPMs (Intel,
AMD)
–Microsoft Windows 11 requires TPM presence (measured boot, Bitlocker)
–Linux systemd rapidly adds measured boot https://systemd.io/TPM2_PCR_MEASUREMENTS/
•~2017: Support for TPM-based functions more common
•~2022: Pluton chip (Microsoft + AMD & Qualcomm), iTPM
–iTPM implementation (certification in progress), difficult to sniff TPM bus
–Directly updatable via Windows Update
–
–
85
| PV204: Trusted boot
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
https://crocs.fi.muni.cz @CRoCS_MUNI
Summary
•Two principal solutions for trusted boot
–Verified boot (signatures) and Measured boot (PCR+RA)
•Start from clean (and trusted) point
–Allow only intended software to run
–Or prove what actually executed
•Additional hardware inside motherboard / CPU provides wide range of new possibilities (TPM)
•Size of Trusted Computing Base matters (TPM/SGX)
•Controversy about implication of trusted boot
–Who owns and control target platform
| PV204: Trusted boot
86