Issue (Open), opened by marcan 5 years ago
@marcan Interesting, thanks for the update. Let me give this some thought; IMHO adding an option to pass the VMK or extending the '-k' option are both possible options.
Note that this is for transparent TPM mode. I'm not sure how the wrapping works for e.g. TPM+PIN mode, or TPM+PIN+externalkey mode; I don't have any systems using those modes yet. I'm guessing it's pretty obvious though (just nesting decryptions, probably); what to do should be evident by looking at the metadata of such a system.
TPM wrapped keys turn out to be rather trivial: the TPM encoded key contains the wrapped key to be passed to the TPM (exact structure depends on the TPM, and also there may be a header I haven't looked at in detail). If the PCR values are correct, the TPM unwraps the key and directly returns the 256-bit VMK.
So, for example, with physical access to a machine using TPM mode BitLocker, you can simply sniff the TPM bus and see the wrapped key being sent and the VMK being returned.
I think the best way to handle this would be to add a way for the user to specify a VMK directly, similar to how the user can currently specify a FVEK with `-k`. Thoughts?
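The key hierarchy the issue describes (TPM releases the VMK only when the PCR state matches the policy the VMK was sealed to; the VMK then unwraps the FVEK; a `-k`-style override would skip the TPM step), modelled as an added example that is not code from this project or from either participant. Everything here is a constructed toy: real TPMs wrap sealed objects with their own key derivation under the storage root key, and real BitLocker protects the FVEK with AES-CCM. A keyed SHA-256 keystream stands in for both so the block runs with the standard library only; the PCR extend rule (`new = SHA-256(old || SHA-256(measurement))`) is the real one. Key values and boot measurements are constructed test data.

```python
import hashlib
import hmac

# Constructed sample material (not real keys): storage root key, VMK, FVEK and
# the measurements a "good" boot would extend into the PCR.
SRK = b"\x01" * 32
VMK = b"\x02" * 32
FVEK = b"\x03" * 32
GOOD_BOOT = [b"firmware-image", b"bootmgr"]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def boot_pcr(measurements) -> bytes:
    """PCR value after extending each boot component in order, starting from zero."""
    pcr = bytes(32)
    for m in measurements:
        pcr = pcr_extend(pcr, m)
    return pcr


def _keystream_xor(key: bytes, data: bytes, label: bytes) -> bytes:
    """Toy symmetric wrap: XOR with an HMAC-SHA256 counter keystream (stand-in, not AES)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def tpm_seal(srk: bytes, policy_pcr: bytes, secret: bytes) -> dict:
    """Toy seal: bind the secret to one PCR value; an HMAC tag covers policy and ciphertext."""
    ct = _keystream_xor(srk, secret, b"seal")
    tag = hmac.new(srk, policy_pcr + ct, hashlib.sha256).digest()
    return {"policy": policy_pcr, "ct": ct, "tag": tag}


def tpm_unseal(srk: bytes, blob: dict, current_pcr: bytes):
    """Release the plaintext only when the live PCR equals the sealed policy and the tag verifies."""
    if not hmac.compare_digest(blob["policy"], current_pcr):
        return None  # boot chain differs from what the VMK was sealed to
    expected = hmac.new(srk, blob["policy"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # blob tampered with
    return _keystream_xor(srk, blob["ct"], b"seal")


def wrap_fvek(vmk: bytes, fvek: bytes) -> bytes:
    """Second layer of the hierarchy: the FVEK is wrapped under the VMK."""
    return _keystream_xor(vmk, fvek, b"fvek")


def unwrap_fvek(vmk: bytes, blob: bytes) -> bytes:
    return _keystream_xor(vmk, blob, b"fvek")


def recover_fvek(srk, sealed_vmk, fvek_blob, measurements, vmk_override=None):
    """Mirror of the '-k'-style idea from the issue: a caller-supplied VMK bypasses the
    TPM unseal step; otherwise the TPM is asked with the current boot measurements."""
    if vmk_override is not None:
        vmk = vmk_override
    else:
        vmk = tpm_unseal(srk, sealed_vmk, boot_pcr(measurements))
    if vmk is None:
        return None
    return unwrap_fvek(vmk, fvek_blob)


def demo() -> dict:
    """Walk the hierarchy for a good boot, a modified boot, and a VMK override."""
    sealed_vmk = tpm_seal(SRK, boot_pcr(GOOD_BOOT), VMK)
    fvek_blob = wrap_fvek(VMK, FVEK)
    return {
        "good_boot": recover_fvek(SRK, sealed_vmk, fvek_blob, GOOD_BOOT),
        "modified_boot": recover_fvek(SRK, sealed_vmk, fvek_blob, [b"firmware-image", b"other-loader"]),
        "vmk_override": recover_fvek(SRK, sealed_vmk, fvek_blob, [], vmk_override=VMK),
    }


if __name__ == "__main__":
    for case, fvek in demo().items():
        print(case, "->", fvek.hex() if fvek else "TPM refused to unseal")
```

The point the toy makes explicit: the only thing gating release of the VMK in transparent TPM mode is the PCR comparison inside `tpm_unseal`; once the policy matches, the VMK comes back in the clear, which is exactly why a tool that already accepts an FVEK can just as easily accept a VMK and derive the FVEK from it.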