TPM authentication/verification aka key attestation

[grigorig]

Currently there is no way to authenticate a TPM, that is, verify that it is an authentic TPM, or even a specific trusted TPM. This opens the door to man in the middle attacks, such as outlined in the TPM Genie whitepaper.

There are various solutions to the problem:

• Create an endorsement key and download the associated endorsement certificate from the TPM. A valid certificate proves that the TPM was actually manufactured by the specified manufacturer. The certificate needs to be validated with standard PKI methods. This is rather complex, and may require network access. It's also not guaranteed that a TPM will actually ship with an endorsement certificate. Nonetheless, it would be suitable for sd-creds, for instance, but probably not for sd-cryptsetup.

• Create a fingerprint of the public part of a well-known key (e.g. a primary key) and store the fingerprint in a trusted location. This binds to a specific TPM with a "trust on first use" (TOFU) trust model. In the sd-cryptsetup case with secure boot, the storage location could be crypttab or kernel commandline arguments. When the key is regenerated, validate the fingerprint.

• Maybe something else?

One way or another, we should implement some kind of TPM authentication.

[grigorig]

Microsoft calls this "TPM key attestation" and it's documented here:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation

[grigorig]

For the first option, here's something quite interesting. Microsoft provides a package with manufacturer certificates. This is also used by the safeboot project. If we ship it, it should be easy to offline attest all TPMs that ship endorsement certificates. Maybe that would be good enough? The obvious upside is that it doesn't require any set up by the user.

[bluca]

Supporting the verification mechanism sounds great - but I think we should leave managing and shipping certificates to distributions and users. It's a lot of work (revocations, etc), and there's loads of them per vendor.

[grigorig]

Yes, this sounds like a good idea. Managing the bundle of certificates is not something systemd should do.

If we consider the second option, what would be a good place to store trusted TPM2 fingerprints for tools like systemd-creds or systemd-cryptenroll? We could just add a configuration file to /etc/systemd, but what that be considered suitable? It's not exactly generic configuration, but specific to a certain system.

[poettering]

Hmm, if we use the TPM2 LUKS enrollment we have in place now we already get the TOFU thing as side effect, no?

I mean, if we enroll a LUKS disk to the local TPM2, and the chip gets replaced, then it will not be able to unseal the LUKS decryption key, so we are good. Only if we talk to the original chip we'll be able to unseal the key. i.e. instead of a fingerprint of a public key we store something that is encrypted with the private key that never leaves the TPM2 chip, which should be as good?

Indepndently of that, how do you intend this authentication/verification to work? As a new step of the boot process, or as something done immediately before each TPM operation right before doing it?

[grigorig]

Hmm, if we use the TPM2 LUKS enrollment we have in place now we already get the TOFU thing as side effect, no?

So a fingerprint of the keyed hash object? Yeah that could work I guess, but if we identify by some well known key that is more universal, particularly if we want to do more things with the TPM.

Indepndently of that, how do you intend this authentication/verification to work? As a new step of the boot process, or as something done immediately before each TPM operation right before doing it?

I think every new session requires a new attestation, otherwise timing attacks could work (i.e. replace real TPM with fake just at the right time, after TPM was verified as genuine).

[poettering]

Hmm, if we use the TPM2 LUKS enrollment we have in place now we already get the TOFU thing as side effect, no?

So a fingerprint of the keyed hash object? Yeah that could work I guess, but if we identify by some well known key that is more universal, particularly if we want to do more things with the TPM.

Well, sure, the point that I am making is that for the usecase of disk encryption we don't need explicit TPM authentication/verification on TOFU, right? The enrollment is enough: only the TPM we originally talked to can be used to decrypt the LUKS volumes, so no need to authenticate them separately first.

Indepndently of that, how do you intend this authentication/verification to work? As a new step of the boot process, or as something done immediately before each TPM operation right before doing it?

I think every new session requires a new attestation, otherwise timing attacks could work (i.e. replace real TPM with fake just at the right time, after TPM was verified as genuine).

So I think there might be value in adding:

1. some mini service in systemd that validates the installed TPM2 against a set of certificates, and fails boot entirely if it is not valid. This of course would be optional functionality.

2. the same tool could then also get some key derived from the TPM2 seed and store it or a fingerprint of it either in /var/ or in /run/, and thus pin the chip to the installation.

3. the latter file we could declare an API and tell people how to validate a TPM against it. If the fingerprint is stored in /var/ we'd pin the chip to the installation for good. If the fingerprint is stored in /run/ we'd only pin it for the current boot.

4. Our tools like systemd-creds would be updated to check the fingerprint before doing their thing.

Might make sense to involve some tpm2-tss people in this discussion I guess. Maybe they have some thoughts. I presume this topic must have been discussed before.

[poettering]

@AndreasFuchsSIT as a tpm2-tss person, I was wondering if maybe you have some take on this? Should we bother with this in the systemd context? Does tpm2-tss have infra for this itself?

[grigorig]

TPM feature API (FAPI) provides support for this at least in theory, but I'm not so sure about the details. systemd currently only uses the "extended system API", and my understanding is that FAPI support in tpm2-tss is still in development. The "provision" operation of FAPI should always validate the EK certificate. FAPI seems much nicer to use, so if we can port to that at some point that might be great.

[poettering]

is that the API where one starts juggling with JSON objects? hmpf. turtles all the way down.

[AndreasFuchsTPM]

On FAPI and EKs
The FAPI (which is stable released for over a year) does the TPM EK Certificate check during provisioning. It then uses the EK to derive the SRK. In the future the SRK is always used for authenticating the TPM. So only a single use of the EK during provisioning. Reason being: To use the EK you either need to call TPM2_CreatePrimary() with PrivacyAdmin authorization (which we cannot expect at all times) or the EK would need to be stored via EvictControl (which occupies a TPM persistent slot unnessasarily). So we use the SRK (also stored on disk) for session encryption in FAPI (transparently). To get this for ESAPI you could go ahead and first ask the use to tss2_provision the FAPI and then you can call Fapi_GetEsysBlob() to get the SRK for use in ESAPI.

On TOFU
I'd agree that the LUKS key enrollment can be viewed as the first use and you have TOFU automatically, since the TPM will authenticate the user (via CPU) using the password and the user can authenticate the TPM as it will return the correct key that enables the disk decryption.

On Password Protection
The first thing about TPM-Genie-like attacks is that the password can be extracted from the wire if it is not protected by the TPM HMAC sessions. So in order to protect the password, you should call Esys_StartAuthSession() and use that during Esys_Unseal(). The rest is automated by ESAPI under the covers.

On Key Protection
The other thing in TPM-Genie attacks was the extraction of the disk key from the wire. This can be countered if you enable response parameter encryption. I.E. Just add Esys_TRSess_SetAttribute(session, TPMA_SESSION_ENCRYPT). In this case the first parameter (the disk key) of the Unseal response is encryption. (again ESAPI will to this transparently).

On Entropy
The entropy of the session key can be extended beyond the user password by an encrypted salt during StartAuthSession. For this you have to know a key on the CPU and encrypt something for it. Again ESAPI will do this automatically, you just need to get something into the tpmKey parameter. That's also what FAPI does internally. We get the SRK public key from disk and feed it into tpmKey and thus authenticate the TPM against the same TPM we know from disk.

Summary
I would recommend to use sessions with encryption and passwords.
If that is not enough, then I would recommend not to use the EK on every boot, but instead use the SRK and store a fingerprint of this on disk (i.e. the keyslot meta data).
Since I want to primarily protect my rootfs using tpm-based LUKS I will usually not have access to FAPI or network or whatnot.

[AndreasFuchsTPM]

Indepndently of that, how do you intend this authentication/verification to work? As a new step of the boot process, or as something done immediately before each TPM operation right before doing it?

I think every new session requires a new attestation, otherwise timing attacks could work (i.e. replace real TPM with fake just at the right time, after TPM was verified as genuine).

TBH this is a weird scenario unless you talk about remote machine access. And there I'd generally just recommend to not use the tpm2-tools on the target host, but to use them locally and tunnel the tcti via ssh: tpm2_getrandom -T "cmd:ssh somehost tpm2_send
Then you can make use of the TPM's end-to-end session capabilities.

Thus what remains are local machines and a timing attack on replacing a TPM is the same attack class as "full control of the system" and then you're screwed anyways.

So I think there might be value in adding:

1. some mini service in systemd that validates the installed TPM2 against a set of certificates, and fails boot entirely if it is not valid. This of course would be optional functionality.

2. the same tool could then also get some key derived from the TPM2 seed and store it or a fingerprint of it either in /var/ or in /run/, and thus pin the chip to the installation.

3. the latter file we could declare an API and tell people how to validate a TPM against it. If the fingerprint is stored in /var/ we'd pin the chip to the installation for good. If the fingerprint is stored in /run/ we'd only pin it for the current boot.

4. Our tools like systemd-creds would be updated to check the fingerprint before doing their thing.

The first problem is that not all TPMs have an EK from a vendor. Especially in cloud scenarios you would get a vtpm without one. So I would not rely on this.
The second problem is, where to put the verifier. If it's on the same machine, the one replacing the TPM could also just replace the code that does the verification.

Instead I'd recommend using classical remote attestation for remote machines; e.g. https://github.com/Fraunhofer-SIT/charra
But that is userspace (after systemd).

For desktops and laptops, the best solution came from Matthew Garret where the TPM would authenticate to a cellphone using TOTPs. A reimplementation for TPM2 lives here: https://github.com/tpm2-software/tpm2-totp
(see my demo here https://youtu.be/NFQ22SBlejk?t=1529)
This latter thing is what I'd put into every distro tbh.

But since this is a lot of stuff and this will become a very long thread, maybe we should have a call or something.