TPM2 primary key should not have dictionary attack protection enabled

[anssih]

systemd version the issue has been seen with

master (7728f6a)

Used distribution

Buildroot 2021.02.3 - should be reproducible anywhere

Linux kernel version used (uname -a)

5.4.123

CPU architecture issue was seen on

x86_64

Expected behaviour you didn't see

I expected that the systemd TPM2 primary key would not have dictionary attack protection enabled.

TPM provides a dictionary attack (DA) protection mechanism to prevent exhaustive searches of authorization values (e.g. passwords). The mechanism limits the amount of tries within a time period, causing TPM to enter DA lockout mode when this is exceeded which disallows further tries (TPM spec 2.0, r1p59 Part 1 sec 19.8 Dictionary Attack Protection).

The associated TPM failedTries counter will also be increased on an unclean system shutdown (19.8.6 Non-orderly Shutdown) as a properly timed shutdown could otherwise be used to prevent the counter increment after a real failed authentication attempt.

Depending on TPM configuration, the DA lockout mode may be lifted after a time period or it may require further explicit recovery action (see e.g. tpm2-software/tpm2-tools#1956).

In DA lockout mode, tpm2_seal() and tpm2_unseal() will fail in sym_Esys_Create() and sym_Esys_Load() with:

tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode

The authValues of objects automatically get DA protection unless the caller opts out. tpm2-util creates the primary key with userWithAuth attribute but does not opt out of DA protection using noDA.

However, the authValue that is used for the primary key is always zero (primary_sensitive.sensitive.userAuth) as we rely on the PCR policy hash for protection instead, so dictionary attack protection for the authValue does not make sense as the attacker already knows it to be zero.

It seems also to not be generally desirable to have e.g. storage encryption stop working if the user fails an unrelated authentication prompt, or if the system is power-cycled enough times (e.g. several systems I checked go to lockout mode at 3 tries or power-cycles, with 1 try restored after every 1000 seconds - another system was more generous with 31 tries 600 seconds). There may be use cases where that is desirable, but such behavior should not be the default or at least not an undocumented default.

The TPM specification itself says (r1p59 Part 1 page 133, sec 19.8):

The reason for being able to exclude entities from DA protection is that lockout of all TPM use could make the system unstable. The OS may have uses for the TPM that should not be blocked due to authorization problems with keys associated with user-mode applications. The OS is expected to use a well-known or high-entropy authValue for any entities that it manages and an authValue of neither type needs DA-protection.

Systemd is using a "well-known authValue" (zero) as described in the quote.

Specification references: TPM spec 2.0, r1p59 (https://trustedcomputinggroup.org/resource/tpm-library-specification/):

• DA protection: Part 1 sec 19.8 Dictionary Attack Protection
• sensitive: Part 2 sec 11.1.16 TPM2B_SENSITIVE_CREATE
• create command: Part 3 sec 24.1 TPM2_CreatePrimary

Unexpected behaviour you saw

The DA protection was enabled, and after power cycling the machine 3 times the TPM2-sealed encrypted storage did not open anymore.

Steps to reproduce the problem

1. Add a TPM2-sealed key to a LUKS volume with systemd-cryptenroll --tpm2-device=auto volume.
2. Run tpm2_getcap properties-variable and take note of the TPM2_PT_LOCKOUT_COUNTER, TPM2_PT_MAX_AUTH_FAIL, TPM2_PT_LOCKOUT_INTERVAL values.
3. Power cycle the system MaxAuthFail times, or slightly more if the LockoutInterval happens to elapse during that time. LockoutCounter should reach MaxAuthFail in which case inLockout goes to 1.
4. TPM2-unsealing and opening the encrypted volume does not work anymore (see below example output).

Additional program output to the terminal or log subsystem illustrating the issue

# cryptsetup --token-only --token-type=systemd-tpm2 --verbose luksOpen testfile file1
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x00000921) 
Failed to load HMAC key in TPM: tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
Command failed with code -1 (wrong or missing parameters).

Fix discussion

I applied to following patch locally to solve our issue:

diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index f066d17a91..88eee4c90c 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -265,7 +265,7 @@ static int tpm2_make_primary(
                 .publicArea = {
                         .type = TPM2_ALG_ECC,
                         .nameAlg = TPM2_ALG_SHA256,
-                        .objectAttributes = TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH,
+                        .objectAttributes = TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH|TPMA_OBJECT_NODA,
                         .parameters = {
                                 .eccDetail = {
                                         .symmetric = {

Unfortunately, this changes the primary key and therefore breaks tpm2_unseal for existing values and is therefore not appropriate for upstream systemd. tpm2_seal/tpm2_unseal would need a new flag to detect whether the object was originally sealed with NODA or not.

I can also accept a fix where the systemd-cryptenroll documentation is updated to mention dictionary lockout, though I personally believe it is not appropriate here.

[poettering]

Yeah, probably makes sense to turn off DA for this stuff, given we use a high entropy key anyway. To maintain compatibility we should extend the JSON object though, encoding whether DA is enabled or not, and if the field is absent assume it is enabled for compat. And maybe add an env var or so that allows people to tune DA behaviour if they actually want to enable it explicitly.

Would love a patch for that.

[ElvishJerricco]

There's a small group of us who have been experimenting with secureboot and TPM-locked LUKS root drives in NixOS. We've just discovered this issue, particularly because the Steam Deck's TPM defaults to:

TPM2_PT_MAX_AUTH_FAIL: 0x3
TPM2_PT_LOCKOUT_INTERVAL: 0x3E8

Which means you can't reboot the machine more than 3 times in 1000 seconds (about 16 minutes) without it locking out and falling back to another key slot. While 16 minutes is plenty most of the time and it's not too big a deal to fallback to entering a a key with a keyboard, the main reason I set it up this way was that the Steam Deck doesn't have a keyboard. :) Would be nice to be able to disable the lockout for the root drive!

[anssih]

Yeah, probably makes sense to turn off DA for this stuff, given we use a high entropy key anyway.

And just to clarify / reiterate, the DA protection here is for the authValue, which is always zero for us so an attacker already knows it, hence the spec suggests to disable it in this kind of a case.

---

I also hit this issue on an unrelated system yesterday, with DA lockout preventing system startup. Not sure how DA was triggered, exactly, as there was only a single reboot, but it might be related to the fact that some block devices were stuck so a HW watchdog reset might've occurred during shutdown. tpm2 getcap properties-variable showed the lockout counter had exceeded the maximum allowed at 3.

I was able to recover by entering

 tpm2 dictionarylockout --clear-lockout 

in the initramfs emergency shell and then rebooting the system.

[williamcroberts]

We can't just change the primary key attributes, because the existing child object will see a different parent and won't be able to load. It would have to be some upgrade trigger where the child gets reparented. The appropriate spec for the SRK is relevant to the templates in the EK spec with the provisioning guidance changes made, see:

• https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
• https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf

Because the old object has fixed parent set, we can't just duplicate the object to a new parent, we need to unseal under the old object and then reseal under the new parent (SRK).

However, with PR #26185 all new objects going forward will have no DA. So if folks want to work on an upgrade path, it's mostly there.

[williamcroberts]

Thinking about this more, this could be the upgrade path for everyone, if we base it off my PR #26185 in it's current form, tpm2_unseal would do:

1. If the parent isn't the persistent SRK, after unseal, call tpm2_seal again and seal it to the SRK with noda.
   • This is actually a nice thing about seal/unseal, it keeps a pretty clean upgrade path. Just understand all those old
     TPM2B_PRIVATE blobs work under their old parent if someone gets a copy of them.
2. Lennart is proposing a mini-service to do setup, this could probably happen there too IIUC.

[poettering]

quite frankly i wouldn't touch existing enrollments. I think it's totally OK to say that new enrollments get the SRK stuff and thus NODA, and old enrollments stay as they are.