search

tpm2-software / tpm2-pkcs11

A PKCS#11 interface for TPM2 hardware
https://tpm2-software.github.io
Other
277 stars 105 forks source link

OS cross-compatibility with persistent/native TPM, risks to full disk encryption and secure boot? #724

Closed datocrats-org closed 3 years ago

datocrats-org commented 3 years ago

From my reading of the Platform Configuration Register (PCR) docs for a few OS's and the TCG specifications, the PCR keys on the HSM/TPM are being used to store each of the keys the OS needs for secure boot and full disk encryption.

I'm equally curious and want to learn more about how cross-compatible this projects' libraries may be when using persistent on-HSM/TPM keys that are also used by the OS: Windows 10, Mac Big Sur, Ubuntu 20, other Linux, ChromeOS, iOS, and Android 9 (API level 28), iOS.

Questions

  1. Do you need to disable the secure boot and full disk encryption features of your OS while developing examples from this library?
  2. Can I accidentally overwrite the OS managed portions of my TPM with your library?

Questions around my environment

Similar to full disk encryption bitlocker provides me, I use Windows 10's secure boot functionality. I am planning to use WSL2 to begin building and provisioning TPM2 keys. I am worried that it is possible to accidentally overwrite the bitlocker keys while developing, in that I would physically overwrite those keys stored on the TPM. If true, how would I mitigate that?

Targeting other OS's

I want to cross-compile software using Go or Dart that can access each OS's TPM natively. Each OS appears to use a different method to manage the FDE and Secure Boot keys. I would rather not virtualize or use software, would like advice on the different environments folks use or target with the TPM2 software. I'm hopeful to draft some 'good hygiene' advice on how to recover your secure boot and FDE keys if needed. Here's what I'm seeing, it would be great if others could suggest some good docs for their OS they may have read in advance of testing this library.

niooss-ledger commented 3 years ago

Hello,

  1. Do you need to disable the secure boot and full disk encryption features of your OS while developing examples from this library?

No, this library can use another storage root key (SRK) which can co-exist with the keys used by full disk encryption, for example.

  1. Can I accidentally overwrite the OS managed portions of my TPM with your library?

It depends. If you issue a TPM2_Clear command (provided by program tpm2_clear in tpm2-tools), or TPM2_HierarchyChangeAuth, or something similar, it can affect OS managed portions. I would expect that using tpm2-pkcs11 will never run such commands, but if you perform tests, maybe some other projects can affect the state of the TPM, or lock it.

When running tests, I would personally suggest using a software TPM such as the one provided by https://github.com/stefanberger/swtpm or https://github.com/kgoldman/ibmswtpm2. By launching a software TPM and setting environment variables such as TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI to use it (eventually through a resource manager such as https://github.com/tpm2-software/tpm2-abrmd), it is possible to use tpm2-pkcs11, test things... without breaking an existing configuration using a real TPM (neither interfering with other OS features). Also swtpm can be used with QEMU to implement a virtual TPM for a virtual machine.

williamcroberts commented 3 years ago

From my reading of the Platform Configuration Register (PCR) docs for a few OS's and the TCG specifications, the PCR keys on the HSM/TPM are being used to store each of the keys the OS needs for secure boot and full disk encryption.

No, PCR's are measurements the boot and OS code extend into them. They are nothing more then performing a measured boot. The keys are separate, however policy can tether the use of a key to an expected measured state. Disk encryption keys are usually tethered to expected PCR state and a recovery/update password and/or using a policy derived from a signing authority.

I'm equally curious and want to learn more about how cross-compatible this projects' libraries may be when using persistent on-HSM/TPM keys that are also used by the OS: Windows 10, Mac Big Sur, Ubuntu 20, other Linux, ChromeOS, iOS, and Android 9 (API level 28), iOS.

You only cross compile when you compile on a host and deploy to a differing target machine. So in your case for Windows and Mac OS, you usually compile on the device. I am not really a Windoze or a Mac person, so I can't really speak to support, but I would imagine it can work. However, their may be some linux-ism's that need to be addressed. For Android, it should work, but you would need system level permissions (ie an OEM building your own Android flavor) to get what you want.

For cross compiling, the Android docs are pretty comprehensive:

Questions

  1. Do you need to disable the secure boot and full disk encryption features of your OS while developing examples from this library?

I don't think so, but my dev box doesn't have any of this turned on.

  1. Can I accidentally overwrite the OS managed portions of my TPM with your library?

No.

Questions around my environment

Similar to full disk encryption bitlocker provides me, I use Windows 10's secure boot functionality. I am planning to use WSL2 to begin building and provisioning TPM2 keys. I am worried that it is possible to accidentally overwrite the bitlocker keys while developing, in that I would physically overwrite those keys stored on the TPM. If true, how would I mitigate that?

I don't think you can, since the library only works on objects you explicitly add to the store through either the PKCS11 API or the tpm2_ptool command.

Don't develop against a hardware TPM, Develop against a software simulator then test against a sacrificial TPM The same logic of don't ever develop and test against the production DB doubles for HSM development. SOme software TPMs we use are:

Targeting other OS's

I want to cross-compile software using Go or Dart that can access each OS's TPM natively. Each OS appears to use a different method to manage the FDE and Secure Boot keys. I would rather not virtualize or use software, would like advice on the different environments folks use or target with the TPM2 software. I'm hopeful to draft some 'good hygiene' advice on how to recover your secure boot and FDE keys if needed. Here's what I'm seeing, it would be great if others could suggest some good docs for their OS they may have read in advance of testing this library.

Generally this is all on the end consumer (think distro) and I've seen lot's of different ways to do it. So I don't really have generic advice here. But in general you need to handle the PCR brittleness issue, ie an update changing PCR state. PolicyNV is a great way to do it, as you can put a policy in an NV index and that policy is tethered to PCR state. @idesai can provide more details on that flow if needed.

I'm closing this, this is a better question on the mailing list https://lists.01.org/postorius/lists/tpm2.lists.01.org/

  • ChromeOS TPM Usage appears to use the the storage root key (SRK) included as a recommendation in this project's interoperability docs.
  • Windows 10 docs are highly detailed and include PCR banks info that suggests at least the first ~8 PCRs maybe more need to be reusable in a specific order to achieve secure boot together with bitlocker unlock of the OS.
  • iOS and MacOS have SecureEnclave API docs that mostly omit or abstract away any hardware details. Apple does not consistently use the same hardware or even a TPM for the Secure Enclave. Depending on the device, it could be on-chip or separate chip. I'm still concerned as to the possibility of overwrite, and the overall capacity for key storage using the native hardware.
  • Ubuntu 20 seems to enable using the TPM for fde and secure boot even on ubuntu core and even mentions a virtual vTPM which would be good to see whether a virtualized TPM could help answer my questions in a controlled manner.
  • others folks use?