Add TPM2 support to AEM

[littlebenlittle]

The problem you're addressing (if any)

AEM currently only supports TPM 1.2

Describe the solution you'd like

Add AEM support for hardware with TPM2 device. My initial thoughts are that this involves:

• Document AEM as it exists today
• Identify the core TPM functions used
• Map those functions to the appropriate TPM2 API calls
• Add an option for choosing between TPM1 or TPM2

Where is the value to a user, and who might that user be?

Manufacturers are starting to ship notebooks and motherboards with TPM2 devices. To support a broader range of devices, AEM should work with TPM1 as well as TPM2.

Broadly, TPM2 provides several advantages over TPM1 described in the spec. This should make AEM easier to maintain and update.

---

Relevant documentation you've consulted

AEM documentation

Related, non-duplicate issues

• https://github.com/QubesOS/qubes-issues/issues/6015

• https://github.com/QubesOS/qubes-issues/issues/4824

[DemiMarie]

IIRC someone already implemented this; I will check.

[itsrainingcode]

IIRC someone already implemented this; I will check.

Possibly this? Seems to be a work-in-progress for AMD CPUs -- I haven't tested it, but am only researching the topic.

See also this blog post, which links to a presentation by @miczyg1: https://blog.3mdeb.com/2020/2020-06-17-qubes_summation/

[miczyg1]

Yes, I have started rewriting the AEM module to TPM 2.0, however haven't finished. It should be rather added on top of the existing implementation with the detection of TPM family.

Also the work targeted custom GRUB with TrenchBoot support for AMD platforms.

[DemiMarie]

Yes, I have started rewriting the AEM module to TPM 2.0, however haven't finished. It should be rather added on top of the existing implementation with the detection of TPM family.

Thank you!!! How far along are you?

[miczyg1]

@DemiMarie as you can see from the git history, this effort is 1.5 years old and I am not sure how far from finishing I was. All I remember is that I have successfully integrated custom GRUB and used AMD SKINIT DRTM function to launch the Qubes OS, but the whole TPM 2.0 AEM logic was not yet functioning properly. I would gladly come back to the effort if resources allow me to do so, I am also fine if someone is willing to take over or help. I was aiming at AMD and TrenchBoot support, but tboot should also do well with Intel TXT right?

@pietrushnic cc

[pietrushnic]

@DemiMarie AFAIK we wanted to partner with Qubes OS Team and try to get grant for that. At least this is what I discussed with @marmarek. If situation changed please let me know. Also our hope was to use TrenchBoot instead of tboot.

[miczyg1]

We (3mdeb) have put up a proposal for the TrenchBoot as Anti Evil Maid provider: https://docs.dasharo.com/projects/trenchboot-aem/ It includes the work to get UEFI and TPM2 working. Feel free to review and suggest changes, we also added a Giscus plugin to give comments under the page.

[TommyTran732]

With https://github.com/QubesOS/qubes-antievilmaid/commit/87175b091af08efdb472b6ac5ae852ba769b746d merged, does it mean TPM 2.0 is supported now? Should the README be updated?

[TommyTran732]

Okay so I just tested it on my Thinkpad T14 gen 1, and it seems to work. A few observations:

• PCR 19 is not measured.
• According to some olds docs I found, PCR 18 is tboot, SINIT, MLE, and the first module. PCR 19 is the rest of the modules.
• The first module for tboot is Xen. However, when I change the initramfs, it also detected the change and does not release the secret. So it might be the case that PCR 19 is not needed anymore.
• It also detects tampering with the kernel parameters.

If it is indeed working, it would be great to have it documented properly in the README. Qubes Global Config needs to be updated and TPM 2.0 should be marked as supported.

[miczyg1]

TrenchBoot uses only PCR17 and PCR18

[TommyTran732]

TrenchBoot uses only PCR17 and PCR18

But as of now it's still tboot and not trenchboot though, right? Like the PR was for tboot

[miczyg1]

AEM consists of many packages. Some of them are not yet in production/upstream due to various reasons.

TPM2 support is pretty much complete and the upstream is Qubes repo, so it is different than other packages. Still the TPM2 support was not tested with tboot, but the scripts should be backward compatible and tboot should still work with TPM1.2. That said, the documentation was not yet changed, because tboot was not our target from the beginning and will probably be removed once the other components gets to upstream too.