UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

Size: px

Start display at page:

Download "UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies"

Lambert Pearson
6 years ago
Views:

1 GOLD PARTNER: Hlavní partner: Hlavní odborný partner: UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies Ing. Ondřej Ševeček GOPAS a.s. MCSM:Directory MVP:Security CISA CISM CEH CHFI ondrej@sevecek.com relevantní kurzy: GOC163 (Moderní bezpečnost), GOC169 (ISO 27001), GOC165 (CISM), GOC163 (GDPR a ZaKB)

2 UEFI Secure Boot Device Guard TPM WHB Hardware Virtual Machine

3 UEFI UEFI, SecureBoot, DeviceGuard, TPM a WHB

4 Unified Extensible Firmware Interface newer BIOS :-) backward compatible can be x32/x64 BIOS was 16bit better code and "drivers", bigger RAM two APIs boot services runtime services configurable from OS with a runtime service NVRAM non-volatile RAM config + OS variables accessible through runtime services from OS Hyper-V VM generations generation 1 = BIOS generation 2 = UEFI

5 UEFI knows its boot devices

6 UEFI boots from MBR and GPT disks old MBR disks (dumb jump to MBR) max 4 partitions, 2 TB sector 0 = MBR 512 bytes of code to jump into the Active partition boot sector 512+ bytes of code to find bootmgr on the partition (NTFS, FAT,...) GPT disks (understands) sector 1+ = GPT max 127 partitions, TB with 4kB sector disks partition GUIDS and types EFI system partition (ESP) = C12A7328-F81F-11D2-BA4B-00A0C93EC93B no active partition

7 UEFI knows FAT32 and can read EFI system partition EFI partition FAT32 (up to 32 GB) FASTFAT if supported can boot directly bootxxxxx.efi faster and OS configurable can check digital signatures of boot files removable media CD/DVD, USB flash single UDF/CDFS/FAT32 partition up to 32 GB

8 Firmware variables and UEFI locks NVRAM non-volatile RAM storage accessible read/write over runtime services API locking changes must be written during boot services phase by a trusted UEFI application RunAsPPL, DeviceGuard

9 UEFI lock on RunAsPPL

10 SecureBoot UEFI, SecureBoot, DeviceGuard, TPM a WHB

11 SecureBoot UEFI only GPT + EFI partition checking signatures of boot components UEFI: boot sector + boot loader OS: winload, kernel, drivers, LSASS,...

12 SecureBoot enabled on HW (msinfo32)

13 SecureBoot enabled on VM (msinfo32)

14 SecureBoot requirements GPT + EFI disk supporting OS 8.1/2012 x64 and newer disabled CSM (compatibility support mode) plus disable any "legacy" options password protected "BIOS" OS vendor public signature verification keys (re)loaded

15 Enabling secure boot within "BIOS"

16 SecureBoot protection protects against boot code modifications does not prevent booting "rogue OS" in itself

17 DeviceGuard UEFI, SecureBoot, DeviceGuard, TPM a WHB

18 LSASS sensitive memory vulnerability NTLM Process Process Process Process Process LSASS password TGT High-Level OS Attacker

19 Smart card principle public storage memory PC API calls CryptoCPU Attacker PIN master PIN protected private crypt memory OS firmware ROM

20 LSASS sensitive memory solution NTLM TGT Process Process Process Process LSASS Secure Kernel Isolate User Mode (IUM) High-Level OS Attacker password Hypervisor vmbus trustlet

21 Requirements SecureBoot => UEFI ensures that the secure kernel and lsass would load untouched the secure kernel ensures that only the first interface user (lsass) can use it

22 (Non)Protection long-term memory credential protection does not protect BitLocker AES FVEK yet vulnerabilities can be disabled by Admins with restart remotely (without UEFI lock) can be disabled by Admins with restart attended (with UEFI lock) hardware keyloggers software keyloggers RDP + HTTP basic auth loggers SSO injections memory dumping local management

23 Disabling DeviceGuard with UEFI lock

24 TPM UEFI, SecureBoot, DeviceGuard, TPM a WHB

25 Used by BitLocker to store volume decryptor TPM smart cards Windows Hello for Business

26 Trusted Platform/Policy Module on-board smart-card or plug-in module if supported by motherboard and BIOS or VM emulated unlocked with multiple entry-key-parts UEFI NVRAM hash boot sector hash boot loader hash,... +PIN possibly owner password for privileged operations clear, export,...

27 VM emulated TPM vs. hardware based

28 VM TPM emulation does not require physical TPM on the host data stored encrypted in the VM configuration file encrypted with HgsGuardian either local or remote if configured

29 TPM ownership always some password present maybe not known to us :-) OS can store owner password None Delegated binary blob only (not easily remembered) newer applications support only Full plain-text password any application support reset ownership password always possible must clear the TPM requires physical presence (BIOS instead of UEFI application)

30 TPM owner information in registry HKLM\System\CurrentControlSet\Service\TPM\WMI\Admin

31 TPM state and owner authorization in PowerShell Get-TPM

32 Clearing TPM without owner password

33 TPM virtual smart-cards smart-card logon Kerberos PKINIT enterprise PKI + client certificates change PIN with CTRL-ALT-DEL PIN length policy binds user identity to the machine

34 Provisioning TPM virtual smart card tpmvscmgr.exe create /name "useradlogon" /AdminKey PROMPT /PIN prompt /generate /pinpolicy minlen 4 # AdminKey: 48 hexa-digits (0-9,A-F) # PIN: 8 any-characters by default certutil csplist # Microsoft Smart Card Key Storage Provider certutil scinfo tpmvscmgr destroy /instance root\smartcardreader\0000 # if unknown, use Device Manager for lookup

35 Looking up virtual smart card device in devmgmt.msc

36 Attestation AD CS can require hardware attestations for issued certificates certificate request is signed by a TPM internal private key public verification key imported into CA manual enrollment by a RA registration authority? autoenrollment into defined device with attestation

37 Windows Hello for Business UEFI, SecureBoot, DeviceGuard, TPM a WHB

38 What? Convenience PIN store password on the disk, protected with a simpler PIN Windows Hello store password on the disk, protected with a thumbprint or anything payed within Office365 Windows Hello for Business smart card logon mapped from anything

39 Multiple-multifactor-biometric authentication maps to Kerberos PKINIT smart-card logon credentials stored locally in TPM or in software better then fingerprint-readers,... AD user, AAD user,... shadow account in Active Directory

40 Requires Device Registration with ADFS

41 Enabled with Group Policy

42 Nice to have UEFI GPT disks NVRAM variable locking SecureBoot signed boot components requires UEFI DeviceGuard isolated credential storage (secure kernel) requires SecureBoot TPM stores BitLocker keys provides virtual smart cards provides WHB UEFI Secure Boot Device Guard TPM WHB Hardware Virtual Machine

43 GOLD PARTNER: Hlavní partner: Hlavní odborný partner: UEFI, SecureBoot, DeviceGuard, TPM a WHB Ing. Ondřej Ševeček GOPAS a.s. MCSM:Directory MVP:Security CISA CISM CEH CHFI ondrej@sevecek.com relevantní kurzy: GOC163 (Moderní bezpečnost), GOC169 (ISO 27001), GOC165 (CISM), GOC163 (GDPR a ZaKB)

TLS Client Certificate and Smart Card Logon

TLS Client Certificate and Smart Card Logon TLS and Smart Card Logon Ing. Ondřej Ševeček GOPAS a.s. MCSM:Directory2012 MCM:Directory2008 MVP:Enterprise Security CEH: Certified Ethical Hacker CHFI: Computer Hacking Forensic Investigator CISA ondrej@sevecek.com