|
I assume the focal-amd64 test fails because of bugs in an old tpm2-tss library version. Is there a way to get detailed journal logs from that test? The autopkgtest site seems to be unresponsive (pages never finish loading). |
You should be able to download https://autopkgtest.ubuntu.com/results/autopkgtest-focal-upstream-systemd-ci-systemd-ci/focal/amd64/s/systemd-upstream/20220227_140531_93b90@/artifacts.tar.gz which should have the test journal in the |
|
Now THAT is annoying: this issue seems to be the culprit. It was fixed in version 2.3.3. And Ubuntu Focal ships... version 2.3.2. :) Since old Ubuntu versions are not going to ship updated systemd, maybe we could make version 2.3.3 (or 2.4.0) the minimum? |
|
yeah we can push it to 2.3.3, I'll upload to the PPA |
|
Great, that's even better, at least for testing purposes. Note that I didn't actually check if version 2.3.3 fully fixes the problem, but if it isn't too much work please update the library. |
|
uploaded 2.3.3 and re-triggered |
fa09ff7 to df684e0
That seems to have worked, after the network issues (?) were fixed. Thanks for the update. |
df684e0 to 6328cf7
|
lgtm, ready to merge once #22563 is in. |
|
Setting "postponed" because #22563 needs to be merged first. |
|
(removing green label for now to avoid accidental merges, will re-add it later) |
|
#22563 has been merged now. Please rebase. Should be ready for commit then too. |
Use a salted, unbound HMAC session with the primary key used as tpmKey, which means that the random salt will be encrypted with the primary key while in transit. Decrypt/encrypt flags are set on the new session with AES in CFB mode. There is no fallback to XOR mode. This provides confidentiality and replay protection, both when sealing and unsealing. There is no protection against man-in-the-middle attacks since we have no way to authenticate the TPM at the moment. The exception is unsealing with PIN, as an attacker will be unable to generate the proper HMAC digest.
6328cf7 to 61b3f2f
Note: this PR builds upon unmerged PR #22563.
This implements parameter encryption for sealing and unsealing secrets to a TPM. A separate salted and unbound HMAC session is used for that. The session key derivation process seems complicated, but in the end it boils down to encrypting a randomly chosen salt with a public key (in this case, the primary key). Only the TPM knows the secret part, and can decode the salt to derive the key correctly.
As far as security guarantees go, this provides confidentiality, integrity and replay protection. So common attacks based on eavesdropping or manipulating the TPM interface will fail. It does not, however, protect against man-in-the-middle attacks. We would need to authenticate the TPM for that, possibly with its endorsement certificate (if available).
tpm2-tss libraries provide a handy mechanism to dump data exchanged with TPMs into a pcap file, which then can be analyzed with Wireshark. That's what I did for testing. It would still be great if an actual security researcher could check whether the implementation has any obvious loopholes or weaknesses.
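The session key derivation mentioned in the PR description above, as an added sketch that is not part of the PR or of systemd's code: it follows the KDFa construction of the TPM 2.0 specification (Part 1) using only Python's standard library. The salt and nonces are constructed values, the 128-bit AES key size and all function names are assumptions, and the AES-CFB step itself is left out.

```python
import hashlib
import hmac
import struct

def kdfa(key, label, context_u, context_v, bits, hash_name="sha256"):
    """KDFa: SP 800-108 counter-mode KDF over HMAC (bits must be a multiple of 8)."""
    out, counter = b"", 0
    while len(out) * 8 < bits:
        counter += 1
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, hash_name).digest()
    return out[:bits // 8]

def session_key(salt, nonce_tpm, nonce_caller):
    # Unbound session: no bind authValue, so the salt alone keys the KDF.
    return kdfa(salt, b"ATH", nonce_tpm, nonce_caller, 256)

def cfb_key_iv(sess_key, nonce_newer, nonce_older, auth_value=b"", key_bits=128):
    # AES key plus a 128-bit IV. auth_value is appended only when the same
    # session also authorizes the object; it stays empty otherwise.
    # key_bits=128 is an assumption; the page only says "AES in CFB mode".
    material = kdfa(sess_key + auth_value, b"CFB", nonce_newer, nonce_older,
                    key_bits + 128)
    return material[:key_bits // 8], material[key_bits // 8:]

def demo():
    # Constructed sample values. Nonces cross the bus in the clear; the salt
    # only crosses it encrypted to the TPM's primary key.
    salt = hashlib.sha256(b"constructed salt").digest()
    nonce_caller = hashlib.sha256(b"constructed caller nonce").digest()
    nonce_tpm = hashlib.sha256(b"constructed tpm nonce").digest()
    host = session_key(salt, nonce_tpm, nonce_caller)
    tpm = session_key(salt, nonce_tpm, nonce_caller)
    # A bus observer knows both nonces but has to guess the salt.
    observer = session_key(bytes(32), nonce_tpm, nonce_caller)
    # Command direction: caller nonce is newer. Response direction: TPM nonce is.
    command = cfb_key_iv(host, nonce_caller, nonce_tpm)
    response = cfb_key_iv(host, nonce_tpm, nonce_caller)
    return {"host_tpm_agree": hmac.compare_digest(host, tpm),
            "observer_agrees": hmac.compare_digest(host, observer),
            "direction_changes_key": command != response}

if __name__ == "__main__":
    print(demo())
```

Because the nonces feed every derivation and change with each command, a captured encrypted parameter cannot be replayed under a later key.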