SABLE on TPM 20 Scott Constable Whats new in TPM 20 Completely new key hierarchy 21518 Syracuse University 2 Key Hierarchy TPM 12 21518 Syracuse University 3 Key Hierarchy TPM 20 21518 ID: 770134
Download Presentation The PPT/PDF document "SABLE on TPM 2.0 Scott Constable" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
SABLE on TPM 2.0 Scott Constable
What’s new in TPM 2.0? Completely new key hierarchy 2/15/18 Syracuse University 2
Key Hierarchy TPM 1.2: 2/15/18 Syracuse University 3
Key Hierarchy TPM 2.0: 2/15/18 Syracuse University 4 Key Cache Manager Storage Device TPM Device Platform Primary Seed Platform Password Platform Policy Endorsement Primary Seed Endorsement Password Endorsement Policy Storage Primary Seed Storage Password Storage Policy NULL Primary Seed x x Persistent Keys Transient Keys Storage Key Signing Key Primary Storage Key Primary Signing Key
What’s new in TPM 2.0? Completely new key hierarchies Everything is an “entity” 2/15/18 Syracuse University 5
Entities TPM 2.0 entities include: Hierarchies Lockout mechanism NV indexesPCRsKeysData Each entity can have its ownPasswordAccess control policy 2/15/18 Syracuse University 6
What’s new in TPM 2.0? Completely new key hierarchy Everything is an “entity” Uniform access control policies 2/15/18 Syracuse University 7
Access Control Policies Can be applied to any TPM entity Four kinds, inductively defined: Simple assertion policy : a single (atomic) authority assertionMulti-assertion policy : a conjuction (logical AND) of policiesCompound policy: a disjunction (logical OR) of policies 2/15/18 Syracuse University 8
Access Control Policies (Cont.) Flexible policy : a policy that can be updated by a trusted party When initialized, a flexible policy stores a digest of the public key that is allowed to update the policy How to Revoke a policy? Use a monotonic counter with TPM2_PolicyNVThis would allow us to allow multiple configurations (PCR values) to unlock one disk AND revoke access to the disk from one or more configurations, all without needing to change the FDE key 2/15/18 Syracuse University 9
Access Control Policies TPM2_PolicyAuthValue : Requires HMAC session TPM2_PolicyCommandCode : Only a particular command is allowed TPM2_PolicyCounterTimer: Predicate on time TPM2_PolicyCpHash : Only allow certain commands, parameters TPM2_PolicyLocality : Check that command is executed from a particular locality TPM2_PolicyNameHash : Apply the policy to certain objects TPM2_PolicyPCR : Check that specified PCRs have specified values when the command is executed TPM2_PolicyPassword: Require a password at command execution2/15/18Syracuse University10
Trust Protocol for SABLE on TPM 2.0 SABLE’s post-DRTM behavior comprises two distinct execution phases: Platform attestation FDE key generation 2/15/18 Syracuse University 11
Trust Protocol for SABLE on TPM 2.0 Platform attestation User enters a password , the authdata for a storage key . SABLE executes TPM2_Load ( ), where is a sealed blob of SEC secrets, encrypted by . SABLE executes TPM2_Unseal ( ) over an encrypt session, where is a TPM2 enhanced authorization policy that allows to be extracted in plaintext only when PCR17 and PCR19 are correct for SABLE and the boot modules, respectively, and the TPM locality is correct. If the operation succeeds, then two datum are returned: the plaintext passphrase, and entropy bits (32 bytes) representing the unique identity of this SEC. SABLE extends PCR19 with a special value. This effectively locks for the remainder of this boot cycle. The passphrase is displayed to the user. 2/15/18 Syracuse University12
Trust Protocol for SABLE on TPM 2.0 FDE key generation If the user recognizes the passphrase, he/she enters a countersign, , the authdata for a signing key owned by the user. SABLE computes where is a cryptographic hash algorithm is the standard definition of HMAC, parameterized by a hash algorithm is a public value generated during configuration time and included in an SEC's configuration file The KDF would generate a 512-bit key (the maximum size for LUKS) by repeating the HMAC 4096 times. 2/15/18 Syracuse University 13
Configuration Can use tpm2-tools to create the signing key and configure the SEC blob: 2/15/18 Syracuse University 14 $ tpm2_createprimary –-hierarchy=o –- pwdp =ownerpass \ --pwdk=keypass –-halg=sha256 –-kalg=rsa $ tpm2_evictcontrol –-auth=o --pwda=ownerpass –-persistent=0x04 $ tpm2_createpolicy [...] –-policy-file=policy.out $ tpm2_getrandom 32 > SEC.txt `# create SEC identity` $ echo “This is the passphrase!” >> SEC.txt $ tpm2_create –-parent=0x04 –-halg=sha256 –-kalg=keyedhash \ –I SEC.txt -u out.pub –r out.pri \ –-policy-file=policy.out Could write our own tool on TSS2, or use an automation script
Configuration The configuration tool should produce a key-value configuration file, which can be passed to SABLE as a module: key-handle=0x4512 sec-policy=<policy digest> pcr17=…pcr19=… etc.Thus will not require the user to reconfigure GRUB whenever the config is updated.Will allow for more flexible policies later on 2/15/18 Syracuse University 15
Discussion No TPM2 NVRAM NVRAM provides limited storage (~8KB) Platform owner autorization is required to define NVRAM spaces. By not requiring NVRAM, we allow each user to create as many SECs as he/she wants, without consulting the platform owner.We can still “lock” sealed blobs by invalidating their required authorization policy after they have been successfully unsealed. 2/15/18 Syracuse University 16
Discussion Security considerations: Because is never revealed in plaintext outside the TPM or SLB/MLE, it can never be seen by any user. Hence the FDE key should be impossible to derive outside of SABLE. If an evil maid learns the passphrase, she can convince the user to boot into a different environment. If an evil maid learns and , she can boot into the secure environment. 2/15/18 Syracuse University 17
Project Timeline Phase 1: “Hello World” (target March 9) [Tianyu] Reorganize SABLE for TPM 2.0 Update transport-layer TPM driver Update software crypto algorithms for TPM 2.0, e.g. SHA256Issue a TPM2_Startup() to the TPM with a success result Phase 2: Get SABLE Working (target April 18)Implement TPM2_Extend, TPM2_Load , and TPM2_Unseal , with the most basic security (password only) [Tianyu] Get SABLE to run start-to-finish and generate the FDE key [Tianyu] Build the configuration tool [Jonathan] Phase 3: Added Security (target May 9) Add HMAC MiM protections [Tianyu] Add access control policies [Tianyu]Add an encrypt channel to the NVRAM read [Jonathan]2/15/18Syracuse University18
Future Work Use compound policies to enable SEC groups Multiple configurations (e.g. PCR values) can be covered by one passphrase, one SEC identity, and one sealing key. This could make it easier for one user to keep track of many different SECs without having to remember all of the distinct passphrases, passwords, etc. Use flexible policies to ease the process of updating boot components Thus we wouldn’t require a new FDE key to be generated each time the system is updatedThis feature is obviously for convenience, not added security 2/15/18 Syracuse University 19
References “ A Practical Guide to TPM 2.0 ” Chapters 8-14, 17 TCG TPM 2.0 SpecificationSABLE TPM 2.0 SpecificationPBKDF2 2/15/18 Syracuse University 20