How to create a trust anchor with coreboot.

Similar documents
TPM v.s. Embedded Board. James Y

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Embedded System Security Trusted Platform Module

OVAL + The Trusted Platform Module

CSE543 - Computer and Network Security Module: Trusted Computing

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

CIS 4360 Secure Computer Systems Secured System Boot

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

From TPM 1.2 to 2.0 and some more. Federico Mancini AFSecurity Seminar,

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

Trusted Computing Group

Unicorn: Two- Factor Attestation for Data Security

Trusted Computing. William A. Arbaugh Department of Computer Science University of Maryland cs.umd.edu

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Sirrix AG security technologies. TPM Laboratory I. Marcel Selhorst etiss 2007 Bochum Sirrix AG

Secure, Trusted and Trustworthy Computing

Applications of Attestation:

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Platform Configuration Registers

Intelligent Terminal System Based on Trusted Platform Module

Mobile Platform Security Architectures A perspective on their evolution

Flicker: An Execution Infrastructure for TCB Minimization

Trusted Computing and O/S Security

TUX : Trust Update on Linux Kernel

CIS 4360 Secure Computer Systems. Trusted Platform Module

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

Refresher: Applied Cryptography

Offline dictionary attack on TCG TPM authorisation data

Protecting your system from the scum of the universe

Lecture Embedded System Security Introduction to Trusted Computing

Trusted Mobile Platform Technology for Secure Terminals

6.857 L17. Secure Processors. Srini Devadas

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

The Early System Start-Up Process. Group Presentation by: Tianyuan Liu, Caiwei He, Krishna Parasuram Srinivasan, Wenbin Xu

Industrial IoT Security Attacks & Countermeasures

Java Specification Request 321: Trusted Computing API for Java. Tutorial on the Early Draft Review

Protecting your system from the scum of the universe

I Don't Want to Sleep Tonight:

Lecture Embedded System Security Introduction to Trusted Computing

Index. Boot sequence DRTM breakout measured launch, 336 local applications, 339 measured launch, 338 SINIT ACM, 338

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Creating the Complete Trusted Computing Ecosystem:

Technical Brief Distributed Trusted Computing

Firmware Updates for Internet of Things Devices

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

ISO/IEC INTERNATIONAL STANDARD. Information technology Trusted Platform Module Part 2: Design principles

Preliminary analysis of a trusted platform module (TPM) initialization process

Lecture Embedded System Security Introduction to Trusted Computing

CIS 4360 Secure Computer Systems. Trusted Platform Module

Trusted Computing: Introduction & Applications

Big and Bright - Security

Accelerating the implementation of trusted computing

Ari Singer. November 7, Slide #1

Extending the Linux Integrity Subsystem for TCB Protection. David Safford, Mimi Zohar,

A Hijacker's Guide to the LPC bus IAIK/EUROPKI2011/HIJACKER'S GUIDE 1

Open Source Facebook. David Hendricks: Firmware Engineer Andrea Barberio: Production Engineer

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

An Introduction to Trusted Platform Technology

Trusted Mobile Platform

Influential OS Research Security. Michael Raitza

GSE/Belux Enterprise Systems Security Meeting

Outline Key Management CS 239 Computer Security February 9, 2004

Introducing Hardware Security Modules to Embedded Systems

Bootstrapping Trust in Commodity Computers

Covert Identity Information in Direct Anonymous Attestation (DAA)

Existing Applications That Use TPMs

Lecture 3 MOBILE PLATFORM SECURITY

Binding keys to programs using Intel SGX remote attestation

CSE484 Final Study Guide

Justifying Integrity Using a Virtual Machine Verifier

ISO/IEC INTERNATIONAL STANDARD. Information technology Trusted Platform Module Part 1: Overview

Hypervisor Security First Published On: Last Updated On:

Verified Boot: Surviving in the Internet of Insecure Things. Randall Spangler Chrome OS Firmware Lead

Embedded System Security Mobile Hardware Platform Security

Embedded System Security Mobile Hardware Platform Security

Atmel Trusted Platform Module June, 2014

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci

Trusted Computing: Security and Applications

ROTE: Rollback Protection for Trusted Execution

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

How To Reinstall Grub In Windows 7 With Cd Rom

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Eric Eide, Mike Hibler, Rob Ricci

TPM Entities. Permanent Entities. Chapter 8. Persistent Hierarchies

Lecture Notes 12 : TCPA and Palladium. Lecturer: Pato/LaMacchia Scribe: Barrows/DeNeui/Nigam/Chen/Robson/Saunders/Walsh

Construction of Trusted Computing Platform Based on Android System

Surviving in the wilderness integrity protection and system update. Patrick Ohly, Intel Open Source Technology Center Preliminary version

Cisco Desktop Collaboration Experience DX650 Security Overview

Trusted Platform Modules Automotive applications and differentiation from HSM

Trusted Network Connect (TNC) 3rd European Trusted Infrastructure Summer School September 2008

Transcription:

How to create a trust anchor with coreboot. Trusted Computing vs Authenticated Code Modules Philipp Deppenwiese

About myself Member of a hackerspace in germany. 10 years of experience in it-security. Did a lot work on trusted computing and system security at my last job at Rohde and Schwarz Cybersecurity. I am a Gentoo user. Now I am a web developer and system administrator.

Basics

Important acronyms TPM - Trusted Platform Module TCB - Trusted Computing Base PCR - Platform Con guration Register ACM - Authenticated Code Modules PKI - Public Key Infrastructure TEE - Trusted Execution Environment

TPM Trusted Platform Modules are smartcards with extra feature set. Version 1.2 and 2.0 are out. www.trustedcomputinggroup.org does the speci cation and compliance. The authorization is done via ownership model. User can own the TPM. A TPM is always passive and not active!

TPM 1.2 Created for Digital Rights Management but never used for it. Huge portests in the internet done by the FSF. TCG stepped back and modi ed the speci cation in order to provide an ownership model, DAA and revokable Endorsement Key in order to stop identi cation and provide full control. Algorithm sizes are limited RSA-2048 and SHA-1. There is one open source software stack.

TPM 1.2

TPM 2.0 Mainly build for Microsoft! Compliance testsuite and everything else was designed for Windows usage only. Speci cation was removed shortly after it appeared. You can't nd it on the internet. Supports modern cryptographic algorithms.

TPM 2.0 Two software stacks. IBM and Intel. TPM architecture/hierachy got much more complex. Protected against bus attacks by having DH key exchange to establish a secure connection.

Authen cated Code Modules The idea of signing blobs. Sometimes used with manifests like in the android application world. De nition mainly used and introduced by Intel. But the technology exists since ages. Always used to establish a Secure Boot / Veri Boot. ed User can't claim ownership in the most cases. It depends on the implementation.

Concept

1. Trust Anchor Minimal trusted computing base. Protected against hardware attacks. Only one trust anchor if possible! Cryptographic functionality must be given. Ownership must be enforced.

2. Chain of Trust Starts always with the Trust Anchor. Each chain element must be a minimal trusted computing base. Each chain element must be checked by the previous chain with a cryptographic mechanism before it gets executed. The chain of trust must be under control of the owner.

3. The last chain element Must always ensure the protection of the executed code. Normally used in conjunction with full disk encryption. Is the step into the usability and can offer some sort of authentication for the end user.

Implementa on

Trusted Boot vs Secure Boot The three principles of cryptography are integrity, authenticity and secrecy. Trusted Boot Integrity yes (Sealing) yes Authenticity yes (Sealing) yes Secrecy yes (Sealing) no Secure Boot Freedom yes partial Open Speci cation yes partial

Trusted Boot

Trusted Boot Every hash is extended into a PCR. If there is already a hash do XOR operation. Measurements are done before code execution of the next chain element. Start with the Core Root of Trust for Measurement in the BIOS. Chain can be a SRTM or a DRTM. DRTM is a combination of ACM and Trusted Boot. Chain doesn't enforce anything.

Secure Boot

Secure Boot Hash a blob. Sign the hash. Verify it. Veri cation is done before next stage is executed. Chain enforces ownership and error handling if a step can't be veri ed. Based on a complex PKI inside the instead of a trust anchor. rmware No hardware trust anchor except AMD PSP and Intel Bootguard.

Trusted Compu ng features.

Sealing/Binding Based on keys staying inside the TPM, like a smartcard. Padding scheme used is RSA-OAEP which is really important if it comes to sealing. Binding: -> Basically means using a TPM key for encrypting a blob. Sealing: -> Same as binding except adding the PCR into the cryptographic operation.

PCR and TCPA ACPI Log PCR are like slots for hashes. PCR can't be set to zero during runtime. TCPA log is used to document how the PCR values are calculated. Do cat /sys/class/tpm/tpm0/pcrs in order to get the PCR. Typically it can be found under /sys/kernel/security/tpm0/ascii_bios_measure ments

Pra cal applica on Create a trusted boot with sealing. Combine sealing/binding with disk encryption via hybrid encryption. OS can be secured with FDE and trusted boot. The last chain step will switch over to the big TCB.

Remote a esta on Two methods can be used: -> Based on a third party model. -> Direct Anonymous Authentication. 0. EK certi cate needs to be transferred in a trusted environment. 1. XOR all PCR to one hash with the TPM quote command.

Remote a esta on 2. Sign the hash by an special AIK key which is signed by the EK too. 3. Send the quote data to an authetication server. 4. One unique hash in order to attest platform integrity. Authentication is done via unique EK certi cate of the TPM itself.

Pra cal applica on Allows us to prove that the platform has a speci state. c If platform is safe then we can push credentials to it. There are different options to integrate a remote attestation: -> Using TLS by modifying the protocol. -> Using strongswan which is already integrated (TNC).

NVRAM, Monotonic Counter, TRNG Offers NVRAM which can be protected by the owner credential. Monotonic counter can be used againt replay attacks. True Random Number Generator.

coreboot and trusted compu ng

Basic Features coreboot offers support for TPM 1.2 and 2.0. Different interfaces can be used: LPC, SPI and I2C. Easy integration through devicetree and kcon g. Startup and basic functions can be found. Not capable of having a trusted boot starting with the CRTM. No TCPA ACPI log lled by coreboot itself.

Two so ware stacks Google has it own software stack. Second software stack exists for basic usage. All software stacks are using the same drivers.

SeaBIOS to the rescue Offers support for TPM 1.2 and 2.0 Includes a TPM menu for easy management via physical presence interface. TCGBIOS interface for bootloader usage. TCPA log is lled and done correctly. Measurements are done properly for everything which is executed by SeaBIOS. Since version 1.10.0 the TPM support is broken..

Flash protec ons needed Securing the trusted computing base. Includes coreboot + SeaBIOS. Protected Regions or SPI hw protections should be used. Not secure againt hardware attacks! Only if Bootguard or the PSP is used. If Bootguard is used I recommend the measured boot mode.

How to build a trusted boot Compile coreboot with TPM support and SeaBIOS. Claim the ownership on the platform. Linux: Install TrustedGrub2 from Rhode and Schwartz Cybersecurity https://github.com/rohde-schwarz- Cybersecurity/TrustedGRUB2 Windows: Use Bitlocker which is already integrated in Windows.

Is a trusted boot really safe? Evil Maid attacks are possible as long user interaction in the boot process is required. Can be migitated by STARK or MARK protocol. These attacks are only possible due to freedom of the boot process itself. If no user interaction is required the Evil Maid attack does not work. Hardware attacks are always possible. Using Intel Bootguard with measured mode and TPM 2.0 should make it really safe.

What's about updates in a trusted boot environment? Normally you need to reboot. Bypass the sealing with a binding key.. PCR pre-calculation is a solution. Look into the TCPA log or the code. rmware source There is no tool out there but it can simply be written ;).

Is there an Open Source TPM? Yes, buy a ARM Cortex-M4 board. Checkout https://chromium.googlesource.com/chromiumos/ third_party/tpm2/ https://chromium.googlesource.com/chromiumos/ third_party/cryptoc/ https://chromium.googlesource.com/chromiumos/ platform/ec/ Do some refactoring on the code.

Is there an Open Source TPM? Compile and ash it. Thanks to Google for doing a great job open sourcing hardware as well. Have fun.

Conclusion Trusted Computing isn't so bad. Some nices features which can be used in order to attest the platform state. VBOOT2 is a combination of trusted and secure boot. Easy to use except the PCR pre-calculation. Open Source TPM is available soon.

Links and Sources https://sourceforge.net/projects/ibmtpm20tss/ https://github.com/01org/tpm2.0-tss http://trousers.sourceforge.net https://github.com/rohde-schwarz- Cybersecurity/TrustedGRUB2

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback