QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Pass-Through /dev/tpm0 to appVMs #4427

Open dylangerdaly opened 5 years ago

dylangerdaly commented 5 years ago

Qubes OS version:

R4.0

Affected component(s):

TPM / dom0


Steps to reproduce the behavior:

N/A

Expected behavior:

Ability to pass through the TPM to appVMs

Actual behavior:

N/A

General notes:

I'd like to be able to use my TPM for SSH, GPG, HMAC operations, etc. Is it possible to pass /dev/tpm0 to an appVM?

Parameter Encryption should solve not trusting the appVM, even dom0?


Related issues:

dylangerdaly commented 5 years ago

It looks like this is a feature Xen already supports; it's called vTPM.

https://wiki.xenproject.org/wiki/Virtual_Trusted_Platform_Module_(vTPM)

Any chance we can just enable this?

I don't have any of the vtpm- commands in dom0, not sure if it needs to be compiled with Xen to be enabled, but this allows you to give appVMs (domU) vTPMs, then pass requests to the physical TPM.

jpouellet commented 5 years ago

I'd be concerned about doing that.

The TPM TSS is usually a rather large TCB, and I wouldn't want that multiplexing of a non-trivial binary protocol happening in dom0 and exposed to untrusted VMs.

If instead you wanted to avoid the emulation/multiplexing and pass the whole TPM through directly, you would:

  1. allow VMs to interfere with trusted boot schemes like AEM and Heads by issuing e.g. take-ownership commands, and
  2. potentially introduce a new persistence vector, since TPMs often have rewritable firmware (see e.g. https://www.infineon.com/cms/en/product/promopages/tpm-update/, https://www.chromium.org/chromium-os/tpm_firmware_update)

Neither case seems like a very good idea to me, and seems to somewhat violate Qubes' general design principles.

dylangerdaly commented 5 years ago

Fair enough, I didn't think of it that way.

Cheers @jpouellet

jpouellet commented 5 years ago

So, turns out I was partially wrong.

It is possible to have a reasonably-isolated reasonably-simple per-vm standalone TPM emulator whose storage is backed by something persistent in dom0 (not passed through to the physical TPM directly, but transitively protected by it if dom0 is itself protected by it).

There are efforts being made to this effect in other projects in the Xen ecosystem, and it might be reasonable for Qubes to do so eventually as well.

IMO this could be re-opened and considered in the distant future.

dylangerdaly commented 3 years ago

Is it possible to do TPM over qrexec? The people maintaining tpm2-tss have done a really good job of abstracting the software stack; it should be possible to port TPM2.0 (/dev/tpm0) in dom0 as a qrexec service to other appVMs.

tpm2-tss means the TPM2 is useful to Linux users now; this includes TPM for SSH authentication, remote attestation, and openssl.

Does anyone know where to look to get started? I think it's possible to 'remote' TPMs over IP, this might be a good starting point.
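
Added example, not part of the original thread and not Qubes or tpm2-tss code: a sketch of the header check a TPM-forwarding service would need so that an untrusted VM cannot send the ownership, PCR or firmware-update commands raised earlier in the thread. The allowlist contents, `MAX_COMMAND` and the function names are assumptions for illustration; the check looks only at the 10-byte TPM 2.0 command header, so it does not address the parsing and multiplexing TCB concern.

```python
import struct

# TPM 2.0 command header: tag (2 bytes), commandSize (4), commandCode (4), big-endian.
HEADER = struct.Struct(">HII")
TPM_ST_NO_SESSIONS, TPM_ST_SESSIONS = 0x8001, 0x8002

# Command codes as defined in the TCG TPM 2.0 library specification (TPM_CC).
# Which commands to allow is an assumption made for this example.
ALLOWED = {
    0x0000017B: "GetRandom",
    0x0000017A: "GetCapability",
    0x00000176: "StartAuthSession",
    0x00000153: "Create",
    0x00000157: "Load",
    0x0000015D: "Sign",
    0x00000155: "HMAC",
    0x00000165: "FlushContext",
}
# Everything else is denied by default, including Clear (0x126),
# HierarchyChangeAuth (0x129), PCR_Extend (0x182), NV_Write (0x137)
# and FieldUpgradeStart (0x12F).

MAX_COMMAND = 4096  # constructed upper bound on accepted command size


def check_command(buf: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for one raw TPM 2.0 command from an untrusted VM."""
    if len(buf) < HEADER.size:
        return False, "short header"
    tag, size, code = HEADER.unpack_from(buf)
    if tag not in (TPM_ST_NO_SESSIONS, TPM_ST_SESSIONS):
        return False, "bad tag"
    # The declared size must match what was actually received.
    if size != len(buf) or size > MAX_COMMAND:
        return False, "size mismatch"
    name = ALLOWED.get(code)
    if name is None:
        return False, f"command 0x{code:08x} not allowed"
    return True, name


def build(code: int, body: bytes = b"", tag: int = TPM_ST_NO_SESSIONS) -> bytes:
    """Construct a sample command buffer (test input only)."""
    return HEADER.pack(tag, HEADER.size + len(body), code) + body
```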