Dasharo / dasharo-issues

The Dasharo issue tracker
https://dasharo.com/

TPM 2.0, Measured Boot & Verified Boot Questions #1120

Open Interman90 opened 1 week ago

Interman90 commented 1 week ago

I contacted Novacustom because I'm interested in their V54 14" laptop (with Dasharo UEFI firmware) and asked them a couple of questions. https://novacustom.com/product/v54-series/

Their answers surprised me a little bit and I want to double-check, so that's what this post is for.

  1. They told me that it is NOT possible to disable the TPM (2.0) in the (Dasharo) UEFI/BIOS. They even re-verified that after I pointed out there is an option "disable" (on the right of the picture) to be seen in the Dasharo docs. They don't know why that option is there (they suggested I ask here), but they said it's definitely not possible to disable the TPM chip.

    TCG2 Configuration

    • Is it really not possible to disable TPM (2.0)?
    • If so why?
    • And why is there an option "Disable" then?
  2. They also said it's not possible to disable Measured Boot and Verified Boot. True? (According to my research, disabling TPM 2.0 would also disable Measured Boot. But if you can't disable the TPM, that obviously won't help.)

    2.1. AFAIK Measured Boot and Verified Boot only make sure the UEFI firmware has not been compromised. Am I right? (In this case I would not have to disable them anyway.)

  3. Am I right in assuming that Linux (in my case Debian-based distros) does not use the TPM (2.0) for anything unless the user actively sets it up? (In other words, by default the OS ignores that the computer has a TPM 2.0 chip.) Because I do not want to use the TPM (2.0) / encrypt anything on my system.

miczyg1 commented 1 week ago

Is it really not possible to disable TPM (2.0)? If so why? And why is there an option "Disable" then?

It is not possible. All you can do is make the firmware not touch it. TPM 1.2 had a command to disable/deactivate it, but TPM 2.0 doesn't. That's how Intel hardware works: the chipset always routes TPM access to either the fTPM or the dTPM.

This is not an option. The text displayed on the right is just help text. What you see is just a text label:

```vfr
text
  help   = STRING_TOKEN(STR_TCG2_DEVICE_STATE_HELP),
  text   = STRING_TOKEN(STR_TCG2_DEVICE_STATE_PROMPT),
    text   = STRING_TOKEN(STR_TCG2_DEVICE_STATE_CONTENT);
```

With the strings defined as:

```
#string STR_TCG2_DEVICE_STATE_PROMPT        #language en-US "Current TPM Device"
#string STR_TCG2_DEVICE_STATE_HELP          #language en-US "Current TPM Device: Disable, TPM1.2, or TPM2.0"
#string STR_TCG2_DEVICE_STATE_CONTENT       #language en-US ""
```

So "Disable" would mean no TPM detected at all, or TPM 1.2, or TPM 2.0. The TPM device type string is updated at runtime:

```c
  //
  // Update static data
  //
  switch (PrivateData->TpmDeviceDetected) {
    case TPM_DEVICE_NULL:
      HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_TCG2_DEVICE_STATE_CONTENT), L"Not Found", NULL);
      break;
    case TPM_DEVICE_1_2:
      HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_TCG2_DEVICE_STATE_CONTENT), L"TPM 1.2", NULL);
      break;
    case TPM_DEVICE_2_0_DTPM:
      HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_TCG2_DEVICE_STATE_CONTENT), L"TPM 2.0", NULL);
      break;
    default:
      HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_TCG2_DEVICE_STATE_CONTENT), L"Unknown", NULL);
      break;
  }
```

So it is just a bad description, written by the upstream EDK2 developers.

They also said it’s not possible to disable Measured Boot and Verified Boot. True? (According to my research disabling TPM 2.0 would also disable Measured Boot. But if you can’t disable TPM that obviously wont help.)

Yes, it is not possible to disable any of those. Removing the TPM would only cause the measured-boot measurements to not be recorded into the TPM PCRs, that's all. The measurements would still live in the TPM log area, although it would not be exposed if the TPM is removed (if the TPM is socketed on a pin header, for example).

AFAIK Measured Boot and Verfied Boot only make sure the UEFI Firmware has not been compromised. Am i right? (In this case i would not have to disable them anyway.)

That's verified boot's task. Measured boot only gives information about what the hashes of the executed components were, and delivers information about the final state of the platform in the form of PCR values.

Am i right assuming that Linux (in my case Debian based Distros) do not use TPM (2.0) for anything except the user actively sets it up? (In other words, by default the OS ignores the Computer has a TPM 2.0 chip) Because i do not want to use TPM (2.0) / encrypt anything on my system.

There are things like IMA which may leverage the TPM for their purposes. The PC does not ignore the TPM: it has a driver and initializes it (probably does a basic, fixed set of operations at the beginning and that's it). Beyond that, it is up to the user to interact with the TPM. Windows probably does much more with the TPM than Linux.
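To make the measured-boot point above concrete, here is an added example (not code from the issue, Dasharo, coreboot or EDK2) that replays PCR values from an event log the way a verifier would. Each measured component's digest is extended into a PCR as SHA-256(PCR_old || digest), starting from all-zero PCRs; the log is the list of digests, and the PCR values are the summary that a TPM readback or quote would confirm. The log entries, component blobs and event names are constructed for the example; PCR usage (PCR0 firmware, PCR4 boot application, PCR7 Secure Boot state) follows common TCG practice but is an assumption here.

```python
"""Replay measured-boot PCR values from an event log (added example)."""
import hashlib

PCR_COUNT = 24
DIGEST_LEN = 32  # SHA-256 bank


def measure(component: bytes) -> bytes:
    """Digest of a component as the firmware would record it in the log."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for one bank: PCR <- H(PCR || digest)."""
    if len(pcr) != DIGEST_LEN or len(digest) != DIGEST_LEN:
        raise ValueError("PCR and digest must both be SHA-256 sized")
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Replay (pcr_index, digest, event_name) entries; return {pcr_index: value}.

    PCRs no event touches keep their reset value (all zeros), so a log that
    never mentions a PCR makes no claim about it.
    """
    pcrs = {i: bytes(DIGEST_LEN) for i in range(PCR_COUNT)}
    for index, digest, _name in events:
        if not 0 <= index < PCR_COUNT:
            raise ValueError(f"bad PCR index {index}")
        pcrs[index] = extend(pcrs[index], digest)
    return pcrs


def log_matches_pcrs(events, pcrs_from_tpm) -> bool:
    """True if replaying the log reproduces every PCR value the TPM reported."""
    replayed = replay(events)
    return all(replayed[i] == value for i, value in pcrs_from_tpm.items())


# Constructed log (not from a real machine): what a firmware might record
# on the way to a Linux bootloader.
CONSTRUCTED_LOG = [
    (0, measure(b"coreboot bootblock"), "EV_S_CRTM_VERSION"),
    (0, measure(b"coreboot romstage"), "EV_POST_CODE"),
    (0, measure(b"coreboot ramstage"), "EV_POST_CODE"),
    (7, measure(b"SecureBoot=1"), "EV_EFI_VARIABLE_DRIVER_CONFIG"),
    (4, measure(b"\\EFI\\debian\\shimx64.efi"), "EV_EFI_BOOT_SERVICES_APPLICATION"),
]


def tampered_log(events):
    """Same events with the first two swapped: every digest is still present,
    but the order differs, so PCR0 no longer replays to the TPM's value."""
    swapped = list(events)
    swapped[0], swapped[1] = swapped[1], swapped[0]
    return swapped


if __name__ == "__main__":
    good = replay(CONSTRUCTED_LOG)
    for i in (0, 4, 7):
        print(f"PCR{i:02d} = {good[i].hex()}")
    print("reordered log matches TPM:", log_matches_pcrs(tampered_log(CONSTRUCTED_LOG), good))
```

The point for this thread: the log tells you which hashes were measured, and only the PCR values held by the TPM let you check that the log is complete and in order. With no TPM present, the log alone is just an unverifiable list.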

pietrushnic commented 1 week ago

@miczyg1 Doesn't the HAP bit disable fTPM?

Am i right assuming that Linux (in my case Debian based Distros) do not use TPM (2.0) for anything except the user actively sets it up?

Yes, you have to explicitly tell the system what to do with information stored by the TPM, e.g. you can encrypt your disk with a secret sealed to a certain state of the TPM using systemd-cryptenroll.
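For someone who wants to confirm that nothing on their Linux install depends on the TPM, here is an added example (not Dasharo, systemd or cryptsetup code) with the two checks that answer the question above: whether the kernel registered a TPM at all, and whether any LUKS2 volume was enrolled against it. The sysfs and device paths are the standard ones on a stock Debian kernel; the LUKS2 header JSON is constructed and abbreviated (a real systemd-tpm2 token also carries the sealed blob and policy hash), and on a real system it would come from `cryptsetup luksDump --dump-json-metadata <dev>` run as root.

```python
"""Is anything on this Linux system actually wired to the TPM? (added example)

Places the kernel and systemd use:
  /sys/class/tpm/tpmN                                 kernel found a TPM
  /dev/tpmN, /dev/tpmrmN                              devices user space talks to
  /sys/kernel/security/tpmN/binary_bios_measurements  firmware event log
`systemd-cryptenroll --tpm2-device=auto <dev>` adds a token of type
"systemd-tpm2" to the LUKS2 header; without such a token the volume is
not bound to the TPM, whatever the firmware measured.
"""
import json
import os


def tpm_devices(root: str = "/") -> list:
    """Names of TPMs the kernel registered (e.g. ['tpm0']); [] if none.
    `root` exists so the walk can be pointed at a fake tree."""
    base = os.path.join(root, "sys", "class", "tpm")
    if not os.path.isdir(base):
        return []
    return sorted(d for d in os.listdir(base) if d.startswith("tpm"))


def event_log_path(device: str, root: str = "/"):
    """Path of the firmware event log for `device`, or None if not exposed."""
    path = os.path.join(root, "sys", "kernel", "security", device, "binary_bios_measurements")
    return path if os.path.exists(path) else None


def tpm_bound_keyslots(luks_json: str) -> dict:
    """Map LUKS2 token id -> {keyslots, pcrs} for every systemd-tpm2 token."""
    meta = json.loads(luks_json)
    bound = {}
    for token_id, token in meta.get("tokens", {}).items():
        if token.get("type") == "systemd-tpm2":
            bound[token_id] = {
                "keyslots": list(token.get("keyslots", [])),
                "pcrs": list(token.get("tpm2-pcrs", [])),
            }
    return bound


# Constructed header: keyslot 0 is passphrase-only, keyslot 1 was enrolled
# with `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7`.
CONSTRUCTED_LUKS2_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7], "tpm2-pin": False},
    },
})

# Constructed header before any enrollment: passphrase keyslot only, no tokens.
CONSTRUCTED_LUKS2_PASSPHRASE_ONLY = json.dumps({
    "keyslots": {"0": {"type": "luks2"}},
    "tokens": {},
})


if __name__ == "__main__":
    devices = tpm_devices()
    print("TPMs seen by the kernel:", devices or "none")
    for dev in devices:
        print(f"  {dev}: event log at {event_log_path(dev)}")
    print("TPM-bound keyslots in constructed header:", tpm_bound_keyslots(CONSTRUCTED_LUKS2_METADATA))
    print("TPM-bound keyslots before enrollment:", tpm_bound_keyslots(CONSTRUCTED_LUKS2_PASSPHRASE_ONLY))
```

Feeding the real `luksDump --dump-json-metadata` output of each LUKS device into `tpm_bound_keyslots` and getting an empty result is the practical confirmation that the disk encryption does not depend on the TPM, even though the kernel lists the device under /sys/class/tpm.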

miczyg1 commented 1 week ago

I have opened PRs that fix the help text, which caused confusion: https://github.com/Dasharo/edk2/pull/173 https://github.com/Dasharo/edk2/pull/174

miczyg1 commented 1 week ago

@miczyg1 Doesn't the HAP bit disable fTPM?

Yes it does, but all NVC laptops have a dTPM. Also, the ME is configured to always disable the fTPM in our builds, so you are forced to use the dTPM anyway. If the fTPM is disabled, TPM access is routed to SPI; otherwise it is always routed to the fTPM. It is always routed to one or the other, never totally disabled/blocked.

pietrushnic commented 1 week ago

@miczyg1, is this an onboard soldered dTPM? If the dTPM is on the SPI bus, the BIOS and kernel should be able to soft-disable it by not loading any drivers or communicating with that chip. IIUC SPI devices cannot initiate communication themselves.

Are we aware if proprietary solutions have the ability to disable dTPMs?

@Interman90 What threat or attack model are you trying to avoid here? Knowing that we can help mitigate potential risks.

miczyg1 commented 1 week ago

@miczyg1, is this an onboard soldered dTPM? If the dTPM is on the SPI bus, the BIOS and kernel should be able to soft-disable it by not loading any drivers or communicating with that chip. IIUC SPI devices cannot initiate communication themselves.

It is soldered. And as I already wrote in my first comment, it is only possible to NOT touch the TPM in the firmware. But that doesn't make the TPM disabled.

Are we aware if proprietary solutions have the ability to disable dTPMs?

I'm not, at least.

mkopec commented 1 week ago

Are we aware if proprietary solutions have the ability to disable dTPMs?

Lenovos have an option to set the TPM to inactive or disabled. I don't know what it does, though...

Maybe disabling the SPI TPM in the flash descriptor would work?

miczyg1 commented 1 week ago

Maybe disabling the SPI TPM in the flash descriptor would work?

That would still route the TPM traffic to the fTPM, I think. But with the ME disabled, the fTPM would simply not communicate with the CPU? Hacky, but could maybe serve the purpose...

pietrushnic commented 1 week ago

We can consider that as a feature only if the attack model is clearly explained and supported by at least a couple of requests for confirmation from Wessel. This has enough value.

wessel-novacustom commented 1 week ago

We can consider that as a feature only if the attack model is clearly explained and supported by at least a couple of requests for confirmation from Wessel. This has enough value.

If more potential customers reply here with this same request, we can proceed with a feature request. However, I don't think there is enough demand for a TPM disabling feature.

Interman90 commented 1 week ago

Text displayed on the right is just a help text. What you see is just a text label ... So disable would be no TPM detected at all ... So it is just a bad description which was developed by upstream EDK2 developers.

Thanks for the clarification.

TPM 1.2 had a command to disable/deactivate it, but TPM 2.0 doesn't. That's how Intel hardware works: the chipset always routes TPM access to either the fTPM or the dTPM.

Doesn't the HAP bit disable fTPM?

Yes it does, but all NVC laptops have a dTPM. Also, the ME is configured to always disable the fTPM in our builds, so you are forced to use the dTPM anyway. If the fTPM is disabled, TPM access is routed to SPI; otherwise it is always routed to the fTPM. It is always routed to one or the other, never totally disabled/blocked.

Lenovos have an option to set the TPM to inactive or disabled. I don't know what it does, though... Maybe disabling the SPI TPM in the flash descriptor would work?

That would still route the TPM traffic to the fTPM, I think. But with the ME disabled, the fTPM would simply not communicate with the CPU? Hacky, but could maybe serve the purpose...

I also noticed that on Lenovo ThinkPads there is an option to disable TPM 2.0. https://download.lenovo.com/bsco/index.html#/ (Select a model, e.g. ThinkPad P14s Gen 5, then go to Security -> Security Chip.)

So it seems like this would be possible (even though TPM 2.0 has no official command to disable it). But probably easier on fTPM-only devices, which the ThinkPads most likely are?

What threat or attack model are you trying to avoid here?

I'm looking to keep the system simple. If I do not need/want something, then I do not want it to be enabled, or ideally not present at all. I don't want a TPM because I do NOT want to encrypt ANYTHING on my computer. Unfortunately it's sometimes hard to say which OS and software use TPM 2.0 (this can also change with updates), and I want to avoid stuff being encrypted, especially without me knowing. Therefore, if I could disable the TPM (2.0), I would be able to sleep way better at night. (My current systems do not have a TPM 2.0 chip, but I will soon have to replace them, starting NOW with the laptop...)

I also just sent an email to a Lenovo ThinkPad specialist asking if it would be possible to disconnect the microphone and fingerprint reader on the hardware side. Depending on his answer, I will have to make my final decision between the Novacustom V54 (can't disable the TPM) and the ThinkPad P14s Gen 5 Intel (definitely can't disable the Intel ME and/or remove the Wi-Fi chip). (If I knew Dasharo would implement a feature to disable TPM 2.0 within the next couple of months/half year, I would order the V54 today.)

miczyg1 commented 1 week ago

So it seems like this would be possible (even though TPM 2.0 has no official command to disable it). But probably easier on fTPM-only devices, which the ThinkPads most likely are?

Still we have no idea how it works under the hood without public BIOS code.

I'm looking to keep the system simple. If I do not need/want something, then I do not want it to be enabled, or ideally not present at all. I don't want a TPM because I do NOT want to encrypt ANYTHING on my computer. Unfortunately it's sometimes hard to say which OS and software use TPM 2.0 (this can also change with updates), and I want to avoid stuff being encrypted, especially without me knowing. Therefore, if I could disable the TPM (2.0), I would be able to sleep way better at night. (My current systems do not have a TPM 2.0 chip, but I will soon have to replace them, starting NOW with the laptop...)

Note that it is simply possible to recompile the firmware with the TPM drivers disabled. That should just work.

Interman90 commented 1 week ago

Note that it is simply possible to recompile the firmware with the TPM drivers disabled. That should just work.

But unless you are a firmware developer, this is probably too advanced? I'm just a hobby web developer, so probably not something I can do myself?

Interman90 commented 6 days ago

Note that it is simply possible to recompile the firmware with the TPM drivers disabled. That should just work.

Also, let's assume I could do this. Would there be any drawbacks? What about firmware updates? (BTW: Does the Dasharo UEFI firmware update itself automatically?)

miczyg1 commented 6 days ago

Note that it is simply possible to recompile the firmware with the TPM drivers disabled. That should just work.

Also, let's assume I could do this. Would there be any drawbacks? What about firmware updates? (BTW: Does the Dasharo UEFI firmware update itself automatically?)

No, firmware does not update automatically by itself.

Interman90 commented 6 days ago

No, firmware does not update automatically by itself.

So basically I could flash a recompiled Dasharo UEFI firmware with the TPM drivers disabled onto the device, and if I ever had to use the TPM I would just re-flash it with the "stock" Dasharo UEFI firmware?

Almost sounds like a plan. Thank you! :)

miczyg1 commented 7 hours ago

@Interman90 I have quickly patched the coreboot config to disable everything related to the TPM. The CI will produce a binary for you: https://github.com/Dasharo/coreboot/actions/runs/11799819216?pr=587

However, I cannot guarantee it will work. It would be better if you had a recovery method in case it doesn't boot.

Flashing can be done in the OS (like DTS) using flashrom (but disable the locks beforehand in the Security Options):

```sh
flashrom -p internal -w <file> --ifd -i bios
```

EDIT: The CI failed... Could not find the proper EC artifacts. We will look into it.