TrenchBoot / trenchboot-issues

This repository is to centralize issues and development progress tracking for the TrenchBoot project.

Extend the AEM scripts to use appropriate software stack for TPM 2.0 #15

Closed BeataZdunczyk closed 12 months ago

BeataZdunczyk commented 1 year ago

Is your feature request related to a problem? Please describe.

Currently, only TPM 1.2 is supported in Qubes OS AEM service code. This issue is required to extend the AEM scripts to use the appropriate software stack and functions for TPM 2.0.

Is your feature request related to a new idea or technology that would benefit the project? Please describe.

This task is required to extend Qubes OS AEM to support TPM 2.0 on Intel hardware.

Describe the solution you'd like

Extend the AEM scripts to use the appropriate software stack and functions for TPM 2.0. TPM 1.2 and TPM 2.0 software stacks are not compatible, so the scripts themselves must use the proper API for a given TPM and its respective software stack.

Describe alternatives you've considered

N/A

Additional context

This feature request is part of Phase 2 in TrenchBoot as Anti Evil Maid project, as outlined in the documentation: https://docs.dasharo.com/projects/trenchboot-aem-v2/.

Relevant documentation you've consulted

N/A

SergiiDmytruk commented 1 year ago

PR with changes is https://github.com/QubesOS/qubes-antievilmaid/pull/42

Took the commands from https://github.com/3mdeb/qubes-antievilmaid-amd/pull/1/files (with some fixes) as the implementation for TPM2, to make the scripts handle both versions (branching is in wrapper functions). https://github.com/QubesOS/qubes-tpm-extra and https://github.com/QubesOS/qubes-trousers-changer/ will also need patches. Fixed some issues, but it looks like TPM1 is broken by the changes at the moment (sealing, it seems).

SergiiDmytruk commented 1 year ago

Fixed the TPM1 code path (need to also try without -z though). Now I can try with TPM2, although there are already a couple of open questions about some operations in the TPM2 case.

SergiiDmytruk commented 1 year ago

TPM1 with -z works fine too. Not yet sure if TPM2 needs -z support; at least some commands don't have an equivalent.

...-tpm-setup and ...-install work for TPM2. Unsealing currently tries to start tpm2-abrmd and fails, because there is no dbus unit. Need to see whether that's a required dependency or it can work without dbus.

SergiiDmytruk commented 1 year ago

Not yet sure if TPM2 needs -z support; at least some commands don't have an equivalent.

There is no predefined SRK; it's created by the user.

...-seal now works as well. ...-unseal doesn't seem to work because some files don't make it into the initramfs, but I think the current state is enough to send a PR for #13. The PR for this task can adjust something if needed.

SergiiDmytruk commented 1 year ago

It turned out that the owner password wasn't set on TPM2; made it work and updated the commands that use the password.

If I don't forget anything, I still need to:

SergiiDmytruk commented 1 year ago

...-unseal doesn't seem to work because some files don't make it into the initramfs

Because the code is a great example of spaghetti and part of the logic is in another script which is run before systemctl start tcsd... It almost works by now (data is good on the root drive and is copied to the boot partition; need to see why aem-unseal failed once again).

NVRAM should be solved using tpm2_policycommandcode; it's verbose but seems to work.

SergiiDmytruk commented 1 year ago

need to see why aem-unseal failed once again

After fixing some trivial issues, it turned out that unsealing of data works only until a reboot. It complains about failing an integrity check, but it's not clear what is changed inside the TPM by a restart. And, of course, the Internet has only questions about making sealed data work after a reboot and no answers, including in the issues of tpm2-tools... Making the data persistent might work, but the scripts are meant to work with files and TPMs have limited memory.

SergiiDmytruk commented 1 year ago

Contexts aren't sealed data; need to store the private and public files of the sealed data and load them back into the TPM to receive a context that's valid until poweroff. Finally, almost all things work for TPM2.

The SRK password part seems to need a change in how the password is checked for correctness, and then this will work too.

I'll then post patches for the 2 other packages that require modification for TPM2. The thing is they are TPM1-oriented, but at the same time mostly utilities for the AEM scripts. Need to decide how/where to make these changes.

SergiiDmytruk commented 1 year ago

That was a bit optimistic. There were also issues with DA lockout. But it seems to work now.

Large comment describing current state and call for comments: https://github.com/QubesOS/qubes-antievilmaid/pull/42#issuecomment-1586350791

SergiiDmytruk commented 1 year ago

In the process of updating the PR to be suitable for review/submission. Moving more existing code into functions, so that a later commit could just add TPM2 versions of those functions and be done.

SergiiDmytruk commented 1 year ago

PR that prepares the code for adding TPM2 support: https://github.com/QubesOS/qubes-antievilmaid/pull/47

SergiiDmytruk commented 1 year ago

Updated the PR and prepared changes for the other packages in: https://github.com/TrenchBoot/qubes-tpm-extra/tree/tpm2-support and https://github.com/TrenchBoot/qubes-trousers-changer/tree/tpm2-support

Tried to avoid putting the config into the initrd, but not sure how to load a binary PCR file into an auth session.

Might test a bit more, and maybe the documentation needs to be updated, but docs could wait until further in the review.

SergiiDmytruk commented 1 year ago

Testing with TOTP showed that tpm2_create doesn't work with data larger than 128 bytes (the LUKS key is 192 bytes) and actually stores it in the TPM, so I had to switch to creating an encryption key and using tpm2_encryptdecrypt.

Sent auxiliary PRs: https://github.com/QubesOS/qubes-tpm-extra/pull/7 and https://github.com/QubesOS/qubes-trousers-changer/pull/6, and updated the main PR to not be a draft anymore.
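The TPM2 flow the thread converges on (keep the sealed object's .pub/.priv files rather than a context so it survives a reboot, satisfy the PCR policy from live PCR values at boot, and fall back to a PCR-bound AES key plus tpm2_encryptdecrypt for secrets over 128 bytes), written here as an added example that is not code from PR #42 or the AEM scripts. It assumes tpm2-tools, a TPM 2.0 reachable via TPM2TOOLS_TCTI, and the file names, PCR selection and 128-byte limit shown.

```shell
# Added example, not code from qubes-antievilmaid PR #42. Assumes tpm2-tools, a
# TPM 2.0 via TPM2TOOLS_TCTI, and the assumed file names/PCRs/limit below.
set -eu

PCRS="sha256:17,18"   # assumed DRTM PCR selection
MAX_SEAL=128          # largest payload tpm2_create would seal for the reporter

# Pure-shell decision: a small secret is sealed directly; a larger one (e.g. a
# 192-byte LUKS key) is encrypted with a PCR-bound TPM key instead.
seal_mode() {
    if [ $(( $(wc -c < "$1") )) -le "$MAX_SEAL" ]; then echo seal; else echo encrypt; fi
}
# Start a session bound to the current PCR values: $1 = session file,
# $2 = "--policy-session" for a real session, "" for a trial one (digest only).
pcr_session() {
    tpm2_startauthsession $2 -S "$1"
    tpm2_policypcr -S "$1" -l "$PCRS" -L policy.digest >/dev/null
}

# Install time: create the object under a fresh primary and keep only what
# survives a reboot (seal.pub, seal.priv and, for large secrets, secret.enc).
protect() {
    tpm2_createprimary -C o -G rsa -g sha256 -c primary.ctx >/dev/null
    pcr_session trial.ctx ""; tpm2_flushcontext trial.ctx
    if [ "$(seal_mode "$1")" = seal ]; then
        tpm2_create -C primary.ctx -L policy.digest -i "$1" -u seal.pub -r seal.priv
    else
        tpm2_create -C primary.ctx -L policy.digest -G aes256cfb -u seal.pub -r seal.priv
        tpm2_load -C primary.ctx -u seal.pub -r seal.priv -c key.ctx
        pcr_session sess.ctx --policy-session
        tpm2_encryptdecrypt -c key.ctx -p session:sess.ctx -o secret.enc "$1"
        tpm2_flushcontext sess.ctx
    fi
    rm -f primary.ctx key.ctx   # contexts do not survive a power cycle
}

# Boot time: recreate the primary (same template, same key), reload the object
# from its .pub/.priv files, satisfy the policy and release the secret to $1.
recover() {
    tpm2_createprimary -C o -G rsa -g sha256 -c primary.ctx >/dev/null
    tpm2_load -C primary.ctx -u seal.pub -r seal.priv -c obj.ctx
    pcr_session sess.ctx --policy-session
    if [ -f secret.enc ]; then
        tpm2_encryptdecrypt -d -c obj.ctx -p session:sess.ctx -o "$1" secret.enc
    else
        tpm2_unseal -c obj.ctx -p session:sess.ctx > "$1"
    fi
    tpm2_flushcontext sess.ctx
}
```

Because tpm2_policypcr reads the live PCR values when no -f file is given, no binary PCR file has to be shipped in the initrd for the boot-time path.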

macpijan commented 12 months ago

Fixed in: https://github.com/QubesOS/qubes-antievilmaid/pull/42