wolfSSL / wolfTPM

wolfTPM is a highly portable TPM 2.0 library, designed for embedded use.
https://www.wolfssl.com
GNU General Public License v2.0

Add TPM 2.0 Parameter Encryption support #110

Closed dgarske closed 3 years ago

dgarske commented 3 years ago

XOR then AES CFB @tomoveu

tomoveu commented 3 years ago

Quick update (this is the short version)

Had a "fun" tiny bug on the XOR symmetric attributes that made me sweat. Once solved, I figured out how to use unbounded, unsalted session for XOR parameter encryption. Turns out the logical first choice is the one with most specifics....

TCG Spec, Part 1

Chapter 21.2

the XOR obfuscation is (parameter, hashAlg, sessionValue, nonceNewer, nonceOlder)

Chapter 21.1

If the session is not being used for authorization, sessionValue is sessionKey.

Chapter 19.6.8

the sessionKey is Empty buffer when tpmKey and bind are TPM_RH_NULL (i.e. unbounded, unsalted session).

So, if we have an empty buffer and no shared secret, how do we have parameter encryption? Well, see below ...

Chapter 19.6.9

A session started using this format (unbound, unsalted) can be used for parameter encryption while executing TPM commands. However, during these commands, the key used to encrypt the parameter will only use the authValue of the object being accessed by the commands in the key generation, so the strength of the encryption will be no better than the entropy in the authValue of the object.

Back to Chapter 19.6.8 we find sessionKey ≔ KDFa(sessionAlg, (authValue || salt), "ATH", nonceTPM, nonceCaller, bits) and later clarifies

authValue if bind is not TPM_RH_NULL, a TPM2B_AUTH.buffer that is found in the sensitive area of a TPM entity; otherwise, an Empty Buffer

Also, the tradeoff now becomes obvious, but funny it is briefly mentioned in one single place. This is the result of extensive digging into the TCG Spec until I found the answers. Unbounded & unsalted session is supposed to be the simplest one, yet it is also the one with most specifics to get parameter encryption (surprisingly).

Anyways, both big challenges are solved - TPM session and SessionKey. I just need to use the KDFa and replace the parameter with the encrypted buffer. I will try to use your KDFa port @dgarske with wolfCrypt. Hopefully, no new surprises arise and next week I am done with the XOR. And I move to the CFB/AES :)

Cheers, Dimi
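
Added example (not part of the comment above and not wolfTPM code): a Python sketch of the XOR obfuscation and sessionKey derivation the comment cites from TCG Part 1, for an unbound, unsalted session that also authorizes the command, where the spec makes sessionValue = sessionKey || authValue. The function names, nonces, authValue and parameter are constructed for illustration, and `bits` is assumed to be a multiple of 8.

```python
import hashlib
import hmac
import struct

def kdfa(hash_alg, key, label, context_u, context_v, bits):
    """KDFa: HMAC in counter mode (SP 800-108 style), as TPM 2.0 uses it."""
    n_bytes = bits // 8          # assumption: bits is a multiple of 8
    out, counter = b"", 1
    while len(out) < n_bytes:
        msg = (struct.pack(">I", counter) + label + b"\x00" +
               context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, hash_alg).digest()
        counter += 1
    return out[:n_bytes]

def session_key(hash_alg, bind_auth, salt, nonce_tpm, nonce_caller):
    """sessionKey per Chapter 19.6.8. None means the handle is TPM_RH_NULL."""
    if bind_auth is None and salt is None:
        return b""               # unbound, unsalted: Empty Buffer, no KDFa
    bits = hashlib.new(hash_alg).digest_size * 8
    key = (bind_auth or b"") + (salt or b"")
    return kdfa(hash_alg, key, b"ATH", nonce_tpm, nonce_caller, bits)

def xor_obfuscate(hash_alg, session_value, nonce_newer, nonce_older, data):
    """XOR(parameter, hashAlg, sessionValue, nonceNewer, nonceOlder)."""
    mask = kdfa(hash_alg, session_value, b"XOR",
                nonce_newer, nonce_older, len(data) * 8)
    return bytes(d ^ m for d, m in zip(data, mask))

def demo():
    # Constructed values; both nonces travel in the clear on the TPM bus.
    nonce_caller = bytes(range(16))
    nonce_tpm = bytes(range(16, 32))
    auth_value = b"object-auth"
    param = b"data to seal inside the TPM, longer than one SHA-256 block"

    s_key = session_key("sha256", None, None, nonce_tpm, nonce_caller)
    session_value = s_key + auth_value   # only secret input is authValue
    # Command direction: nonceNewer = nonceCaller, nonceOlder = nonceTPM.
    enc = xor_obfuscate("sha256", session_value, nonce_caller, nonce_tpm, param)
    dec = xor_obfuscate("sha256", session_value, nonce_caller, nonce_tpm, enc)
    return s_key, param, enc, dec

if __name__ == "__main__":
    s_key, param, enc, dec = demo()
    print("sessionKey empty:", s_key == b"", "| round trip ok:", dec == param)
```

Because sessionKey is empty here, the mask depends only on authValue and the two public nonces, which is the tradeoff Chapter 19.6.9 describes: the encryption is no stronger than the entropy of the object's authValue.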

dgarske commented 3 years ago

Support for XOR parameter encryption was merged via PR #122. AES CFB mode and keygen example are next.

tomoveu commented 3 years ago

Solving the parameter encryption issue found #129 before continuing with the addition of AES CFB

I expect 129 will be solved soon and we would have PR for AES CFB next week.

tomoveu commented 3 years ago

Thanks to great teamwork, full parameter encryption support is now added to wolfTPM by #129.

Kudos @dgarske :100: Very hard work at the end, with deep core redesign of wolfTPM to support HMAC sessions and full parameter encryption.

Looking forward to wolfTPM's major release :1st_place_medal: