search

kukrimate / tpm-gpio-fail

TPM GPIO fail detection utility and proof of concept exploit
GNU General Public License v2.0
5 stars 1 forks source link

Test on Dell Precision Tower 3620 (Kaby Lake, i7-7700) #1

Closed paulmenzel closed 2 months ago

paulmenzel commented 2 months ago

On a Dell Precision Tower 3620/0MWYPT, BIOS 2.28.0 12/13/2023, I get:

$ export PATH=/dev/shm/tpm2-tools/tools/:$PATH
$ sudo /dev/shm/tpm2-tools/tools/tpm2 getcap properties-fixed
TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_LEVEL:
  raw: 0
TPM2_PT_REVISION:
  raw: 0x74
  value: 1.16
TPM2_PT_DAY_OF_YEAR:
  raw: 0xA7
TPM2_PT_YEAR:
  raw: 0x7DF
TPM2_PT_MANUFACTURER:
  raw: 0x4E544300
  value: "NTC"
TPM2_PT_VENDOR_STRING_1:
  raw: 0x726C7300
  value: "rls"
TPM2_PT_VENDOR_STRING_2:
  raw: 0x4E504354
  value: "NPCT"
TPM2_PT_VENDOR_STRING_3:
  raw: 0x20000000
  value: ""
TPM2_PT_VENDOR_STRING_4:
  raw: 0x20000000
  value: ""
TPM2_PT_VENDOR_TPM_TYPE:
  raw: 0x1
TPM2_PT_FIRMWARE_VERSION_1:
  raw: 0x10003
TPM2_PT_FIRMWARE_VERSION_2:
  raw: 0x20008
TPM2_PT_INPUT_BUFFER:
  raw: 0x400
TPM2_PT_HR_TRANSIENT_MIN:
  raw: 0x3
TPM2_PT_HR_PERSISTENT_MIN:
  raw: 0x7
TPM2_PT_HR_LOADED_MIN:
  raw: 0x3
TPM2_PT_ACTIVE_SESSIONS_MAX:
  raw: 0x40
TPM2_PT_PCR_COUNT:
  raw: 0x18
TPM2_PT_PCR_SELECT_MIN:
  raw: 0x3
TPM2_PT_CONTEXT_GAP_MAX:
  raw: 0xFFFF
TPM2_PT_NV_COUNTERS_MAX:
  raw: 0x10
TPM2_PT_NV_INDEX_MAX:
  raw: 0x800
TPM2_PT_MEMORY:
  raw: 0x6
TPM2_PT_CLOCK_UPDATE:
  raw: 0x400000
TPM2_PT_CONTEXT_HASH:
  raw: 0xB
TPM2_PT_CONTEXT_SYM:
  raw: 0x6
TPM2_PT_CONTEXT_SYM_SIZE:
  raw: 0x80
TPM2_PT_ORDERLY_COUNT:
  raw: 0xFF
TPM2_PT_MAX_COMMAND_SIZE:
  raw: 0x800
TPM2_PT_MAX_RESPONSE_SIZE:
  raw: 0x800
TPM2_PT_MAX_DIGEST:
  raw: 0x20
TPM2_PT_MAX_OBJECT_CONTEXT:
  raw: 0x392
TPM2_PT_MAX_SESSION_CONTEXT:
  raw: 0xE9
TPM2_PT_PS_FAMILY_INDICATOR:
  raw: 0x1
TPM2_PT_PS_LEVEL:
  raw: 0x0
TPM2_PT_PS_REVISION:
  raw: 0x100
TPM2_PT_PS_DAY_OF_YEAR:
  raw: 0x0
TPM2_PT_PS_YEAR:
  raw: 0x0
TPM2_PT_SPLIT_MAX:
  raw: 0x80
TPM2_PT_TOTAL_COMMANDS:
  raw: 0x6B
TPM2_PT_LIBRARY_COMMANDS:
  raw: 0x65
TPM2_PT_VENDOR_COMMANDS:
  raw: 0x6
TPM2_PT_NV_BUFFER_MAX:
  raw: 0x400
$ sudo tpm2 shutdown -c && sudo ./inteltool && sudo tpm2 startup -c
Trying to reveal Primary to Sideband Bridge (P2SB),
let's hope the OS doesn't mind... done.
SBREG_BAR = 0xfd000000 (MEM)

Hiding Primary to Sideband Bridge (P2SB).
ERROR:tcti:src/tss2-tcti/tcti-device.c:506:Tss2_Tcti_Device_Init() timeout waiting for response from fd 3
kukrimate commented 2 months ago

@paulmenzel The timeout seems to tell me that it is indeed vulnerable and the TPM got reset. it would be nice if you could check if the PCRs /sys/class/tpm/tpm0/pcr-sha256/* are indeed reset after running the PoC tho.

paulmenzel commented 2 months ago

State before:

$ grep -R . /sys/class/tpm/tpm0/pcr-sha256/
/sys/class/tpm/tpm0/pcr-sha256/17:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/7:0FA17373EAFC9DCB2A70111705348AF9C186D982E723B4FD5F0B318AF0DE320D
/sys/class/tpm/tpm0/pcr-sha256/15:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/5:3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
/sys/class/tpm/tpm0/pcr-sha256/23:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/13:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/3:3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
/sys/class/tpm/tpm0/pcr-sha256/21:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/11:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/1:E03FBF2999E0587F9C693C79DA103C356C99542541FC020E7D3159672A096D53
/sys/class/tpm/tpm0/pcr-sha256/18:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/8:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/16:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/6:AF1F920AF19E185B644FD89E49A9166B6C143689FF23391D21AAE4B074CC5BC4
/sys/class/tpm/tpm0/pcr-sha256/14:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/4:3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
/sys/class/tpm/tpm0/pcr-sha256/22:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/12:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/2:3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
/sys/class/tpm/tpm0/pcr-sha256/20:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/10:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/0:6B37CC67EE4871318149DF4FAF015238FF4A3A30A128815D803ED814EC0F77B8
/sys/class/tpm/tpm0/pcr-sha256/19:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/9:0000000000000000000000000000000000000000000000000000000000000000

Run PoC:

$ sudo ./inteltool 
Trying to reveal Primary to Sideband Bridge (P2SB),
let's hope the OS doesn't mind... done.
SBREG_BAR = 0xfd000000 (MEM)

Hiding Primary to Sideband Bridge (P2SB).

Files are empty:

$ grep -R . /sys/class/tpm/tpm0/pcr-sha256/
$ ls /sys/class/tpm/tpm0/pcr-sha256/
0  1  10  11  12  13  14  15  16  17  18  19  2  20  21  22  23  3  4  5  6  7  8  9
$ cat /sys/class/tpm/tpm0/pcr-sha256/0
$
kukrimate commented 2 months ago

@paulmenzel you also have to do tpm2_startup -c after running the PoC to get the correct empty PCRs.

But yes that definitely means the TPM was reset

paulmenzel commented 2 months ago

@paulmenzel you also have to do tpm2_startup -c after running the PoC to get the correct empty PCRs.

But that failed as per my first comment.

ERROR:tcti:src/tss2-tcti/tcti-device.c:506:Tss2_Tcti_Device_Init() timeout waiting for response from fd 3

What am I missing?

kukrimate commented 2 months ago

ERROR:tcti:src/tss2-tcti/tcti-device.c:506:Tss2_Tcti_Device_Init() timeout waiting for response from fd 3

I usually get this too. just do poc, startup (ignore the error) and then check PCRs

(optionally you can also do TPM shutdown before the PoC to avoid the dirty shutdown flag in the TPM but that is optional)

paulmenzel commented 2 months ago

Thank you for your response in IRC:

compile the poc variant for your platform, then just do tpm2_shutdown -c && ./inteltool && tpm2_startup -c and afterwards check the PCRs in sysfs. you can ignore any errors in the console btw. some are normal

Here you go:

$ cd ~/src/tpm-gpio-fail/poc/skl_kbl_100_200/ && sudo tpm2 shutdown -c && sudo ./inteltool && sudo tpm2 startup -c
Trying to reveal Primary to Sideband Bridge (P2SB),
let's hope the OS doesn't mind... done.
SBREG_BAR = 0xfd000000 (MEM)

Hiding Primary to Sideband Bridge (P2SB).
ERROR:tcti:src/tss2-tcti/tcti-device.c:506:Tss2_Tcti_Device_Init() timeout waiting for response from fd 3 
$ grep -R . /sys/class/tpm/tpm0/pcr-sha256/
/sys/class/tpm/tpm0/pcr-sha256/17:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/7:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/15:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/5:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/23:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/13:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/3:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/21:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/11:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/1:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/18:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/8:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/16:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/6:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/14:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/4:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/22:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/12:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/2:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/20:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/10:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/0:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/19:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/9:0000000000000000000000000000000000000000000000000000000000000000

Feel free to close the issue, once you looked at it.

kukrimate commented 2 months ago

Yep that worked!