search

TrenchBoot / trenchboot-issues

This repository is to centralize issues and development progress tracking for the TrenchBoot project.
4 stars 1 forks source link

Extend the AEM scripts to detect TPM version on the platform #14

Closed BeataZdunczyk closed 1 year ago

BeataZdunczyk commented 1 year ago

Is your feature request related to a problem? Please describe.

Currently, Qubes OS AEM fully supports TPM 1.2 but has no support for TPM 2.0. This issue is required to extend the AEM scripts to detect the TPM version on the platform and use the appropriate software stack for the given TPM.

Is your feature request related to a new idea or technology that would benefit the project? Please describe.

This task is required to extend Qubes OS AEM to support TPM 2.0 on Intel hardware.

Describe the solution you'd like

Extend the AEM scripts to detect the TPM version on the platform and use the appropriate software stack for the given TPM. This issue implements the AEM TPM 1.2 equivalent functionalities using TPM 2.0 software stack and as a result allowing the use of TPM 2.0 with Qubes OS AEM. It will require implementing the access to TPM 2.0 NVRAM, sealing and unsealing the secret data and generating TOTP.

Describe alternatives you've considered

N/A

Additional context

This feature request is part of Phase 2 in TrenchBoot as Anti Evil Maid project, as outlined in the documentation: https://docs.dasharo.com/projects/trenchboot-aem-v2/.

Relevant documentation you've consulted

N/A

SergiiDmytruk commented 1 year ago

@miczyg1, should 90anti-evil-maid/anti-evil-maid-unseal be updated as well?

miczyg1 commented 1 year ago

I guess so. We don't want any AEM script to touch TPM2.0 without proper support for it.

SergiiDmytruk commented 1 year ago

Added a couple commits to https://github.com/QubesOS/qubes-antievilmaid/pull/42 PR.

macpijan commented 1 year ago

@miczyg1 @krystian-hebel What should be exit criteria here? As I understand, we will not merge this draft right now, as it missing missing the TPM2 implementation, which is in the second task https://github.com/TrenchBoot/trenchboot-issues/issues/15 ?

Should we assume that review of the scripts + testing that TPM1.2 path still works is a success here?

krystian-hebel commented 1 year ago

Other than bad_pcrs check for PCR19 I think this should be testable before actual TPM2.0 implementation in Xen. It won't do measurements for TPM2.0 yet, but both PCR17 and PCR18 are extended by ACM. PCR19 may stay at all 00s, not sure what is expected to be measured to this PCR and by whom.

SergiiDmytruk commented 1 year ago

Dedicated PR: https://github.com/QubesOS/qubes-antievilmaid/pull/45

macpijan commented 1 year ago

Thank you @SergiiDmytruk

@miczyg1 I guess you could take a look at this then?

I asked Marek about the workflow we should apply also in the future (https://github.com/QubesOS/qubes-antievilmaid/pull/45#issuecomment-1569732519), but this answer should not block the review/test of this code (anyone can post review comments in this repo).

miczyg1 commented 1 year ago

Reviewed https://github.com/QubesOS/qubes-antievilmaid/pull/45

https://github.com/QubesOS/qubes-antievilmaid/pull/42 seems to be a container for all changes (for testing purposes?). Don't know if I should touch it yet and what readiness it has

macpijan commented 1 year ago

My understanding was that you should wait for green light from @SergiiDmytruk for a separate PR per each task. So far, we have only for the one task, and the rest of the two are still in progress.

miczyg1 commented 1 year ago

I assumed 45 is ready

macpijan commented 1 year ago

All comments in: https://github.com/QubesOS/qubes-antievilmaid/pull/45 are resolved