Recovery from Vulnerabilities in TPM Firmware
Enhancing the TPM API for forward security
Jeff Andersen, Staff Software Engineer, Google
Track: Security and Data Protection

Software bugs give us job security
- Most code has bugs: we fix the ones we can find before release, but there may be hidden ones
- There is a lot of code running on modern machines, from voltage regulators, to BIOS, up to userland
- "Don't ever release bugs" is not a strategy

Critical capability: recovery
- Step 1: Release best-effort software
- Step 2: Find bugs and fix them
- Step 3: Roll out fixes
- Step 4: Verify the fixes have been applied
- Step 5: Go to step 1

Remotely verifying software
- Mutable code/configuration is measured before it runs
- Measurements are stored in the TPM's memory
- The TPM emits cryptographic proof of the measurements to a relying party
- Diagram: BIOS (from flash), the kernel and userspace apps (from the file system) are measured into the TPM; the TPM sends an attestation to a remote verifier, which checks it against a policy (TPM: Trusted Platform Module)

The TPM must keep a secret
- Attestations are signed with a key held by the TPM
- The TPM must keep this key secret
- If a bug causes the TPM to leak this secret, attestation and recovery don't work

Trusted Computing Base
- One definition of TCB: the amount of code you need to blindly trust not to have bad bugs
- The smaller the better
- Diagram: BIOS, kernel, userspace and apps are out of the TCB (where exactly the boundary falls is platform-dependent); the TPM is in the TCB
- Recovery is not possible for bad bugs that cause the TPM to leak its secrets
- Recovery is not possible for bad bugs in BIOS that run without first being measured

The TPM's TCB
- The TPM is just a place to run code
- Bad bugs here could leak all the secrets
- We cannot recover from such bugs at scale
- In the TCB: structure unmarshaller, policy enforcement logic, command dispatcher, firmware crypto library, flash memory logic, bootloader

Bad TPM bugs
- CVE-2017-15361: ROCA
- CVE-2019-16863: TPM-FAIL
- Bugs in RSA key generation, ECDSA signing, policy checks

Minimizing the TPM's TCB
- We can't eliminate the TPM's TCB, but we can shrink it significantly
- Out of the TCB (the firmware): structure unmarshaller, policy enforcement logic, command dispatcher, firmware crypto library, flash memory logic
- In the TCB: bootloader

Removing TPM firmware from the TCB
- Firmware might leak all its secrets
- Recovery step 1: update to new patched firmware (version X to version Y)
- Recovery step 2: give new firmware new secrets
- Recovery step 3: revoke trust in old secrets (at the remote verifier)

Version-unique secrets
- Let's have the bootloader keep a secret
- Let's have the bootloader measure TPM firmware (hash)
- Let's have the bootloader derive a key (KDF: key derivation function)
- Diagram: bootloader secret + hash of the firmware (version X, then version Y) → KDF → key for that firmware version

Exposing version-unique secrets to users
- The TPM firmware can have a secret known only to that version of firmware
- The TPM API did not provide any way of using that secret

TPM API primer: status quo
- Primary seeds: Storage Primary Seed, Endorsement Primary Seed, Platform Primary Seed
- Primary seed + object template (attributes, policy, keypair parameters) → DRBG → primary key (endorsement key, attestation key, sealing key, etc.)
- DRBG: deterministic random bit generator
- Reserved handles: 0x40000001 (RH_OWNER), 0x4000000B (RH_ENDORSEMENT), 0x4000000C (RH_PLATFORM)
- Primary seeds do not change on firmware update, so neither do primary keys

New reserved handles
- Primary seed + version-unique secret + object template → DRBG → FW-limited primary key (endorsement key, attestation key, sealing key, etc.)
- These primary keys do change on firmware update
- Firmware-limited handles: 0x40000140 (RH_FW_OWNER), 0x40000141 (RH_FW_ENDORSEMENT), 0x40000142 (RH_FW_PLATFORM)

Endorsement keys
- Endorsement Primary Seed + EK template (attributes, policy, keypair parameters) → DRBG → Endorsement Key (EK)
- A TPM's EK is endorsed by its vendor during manufacturing (vendor PKI; PKI: public key infrastructure)
- EKs are the reason you trust any statement emitted from a TPM: attestation keys (AK), sealing keys, NV indexes and PCR quotes all chain back to the EK
- If the EK is leaked due to a firmware bug, how can the TPM ever be trusted again?

Firmware-limited EKs
- The bootloader can generate a firmware-limited EK
- The bootloader can endorse it with an embedded CA (CA: certificate authority)
- New firmware gets new endorsed FW-limited keys
- The firmware's measurement is included in the EK's certificate
- Chain: vendor PKI → bootloader embedded CA → firmware-limited EK → firmware-limited AK, firmware-limited sealing keys, NV indexes, PCR quotes

Hey look, it's DICE
- DICE: a standard for attesting to low-level firmware
- The slide sets the DICE layering next to the TPM chain above:
  - vendor PKI → bootloader embedded CA, beside vendor PKI → UDS (Unique Device Secret) + layer 0 measurement → layer 0 CDI (Compound Device Identifier) → DeviceID key
  - firmware-limited EK, beside firmware measurement → firmware CDI → firmware alias key
  - firmware-limited AK and firmware-limited sealing keys, beside CDI-derived keys

Summary and call to action
- Sensitive platform firmware must be attestable; this allows recovery from vulnerabilities at scale
- Version 1.83 of the TPM API introduces new primitives for TPM firmware attestation [1]
  - Enables recovery from severe TPM vulnerabilities
  - Enables standard mechanisms to bind DICE to TPM
- Call to action:
  - TPM vendors: implement this new standard
  - Hyperscalers: start asking for this feature

[1] https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=288

Thank you!
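A worked example added here (not code from the talk, from TCG, or from any TPM implementation) of the version-unique secret, firmware-limited seed and bootloader-endorsed EK flow described in the slides: the bootloader measures the firmware, derives a per-version secret from its own secret and that measurement, expands it into seeds for the three firmware-limited handles, and issues an EK certificate that carries the measurement; the verifier revokes the buggy version simply by dropping its measurement from the trusted set. HMAC-SHA256 stands in for the deck's KDF and for the CA signature (a real CA signs with an asymmetric key), the "public key" is a hash of the seed, and every secret and firmware image is a constructed placeholder.

```python
import hashlib
import hmac
import json

# Constructed stand-ins, not real device values: the bootloader's secret (the DICE UDS)
# and the signing key of the bootloader's embedded CA.
BOOTLOADER_SECRET = hashlib.sha256(b"constructed bootloader secret").digest()
BOOTLOADER_CA_KEY = hashlib.sha256(b"constructed bootloader CA key").digest()

# Constructed firmware images: X has the bug, Y is the patched release.
FIRMWARE_X = b"tpm-firmware 1.0 (leaks secrets)"
FIRMWARE_Y = b"tpm-firmware 1.1 (patched)"

# Firmware-limited reserved handles named on the slides.
FW_HANDLES = {"RH_FW_OWNER": 0x40000140, "RH_FW_ENDORSEMENT": 0x40000141,
              "RH_FW_PLATFORM": 0x40000142}

def measure(firmware: bytes) -> bytes:
    """Bootloader measures the TPM firmware image before it runs."""
    return hashlib.sha256(firmware).digest()

def kdf(secret: bytes, label: bytes, context: bytes) -> bytes:
    """HMAC-SHA256 stands in for the deck's KDF (an assumption, not the spec)."""
    return hmac.new(secret, label + b"\x00" + context, hashlib.sha256).digest()

def derive_fw_limited_seeds(firmware: bytes) -> dict:
    """Version-unique secret (a DICE-style CDI of bootloader secret and firmware
    measurement) expanded into one primary seed per firmware-limited handle."""
    version_secret = kdf(BOOTLOADER_SECRET, b"fw-cdi", measure(firmware))
    return {handle: kdf(version_secret, name.encode(), handle.to_bytes(4, "big"))
            for name, handle in FW_HANDLES.items()}

def endorse_fw_limited_ek(firmware: bytes) -> dict:
    """Bootloader-embedded CA certifies the FW-limited EK; the certificate
    carries the firmware measurement, so it identifies the firmware version."""
    ek_seed = derive_fw_limited_seeds(firmware)[FW_HANDLES["RH_FW_ENDORSEMENT"]]
    ek_pub = hashlib.sha256(b"ek-pub|" + ek_seed).hexdigest()  # simulated public key
    cert = {"ek_pub": ek_pub, "fw_measurement": measure(firmware).hex()}
    payload = json.dumps(cert, sort_keys=True).encode()
    cert["sig"] = hmac.new(BOOTLOADER_CA_KEY, payload, hashlib.sha256).hexdigest()
    return cert

def verifier_accepts(cert: dict, trusted_measurements: set) -> bool:
    """Remote verifier: signature must check out AND the firmware version must
    still be trusted; revoking the old version means dropping its measurement."""
    body = {k: v for k, v in cert.items() if k != "sig"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(BOOTLOADER_CA_KEY, payload, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, cert["sig"])
            and cert["fw_measurement"] in trusted_measurements)
```

Seeds and certificates differ between the two constructed images, and once version X's measurement is removed from the trusted set its certificate is rejected while version Y's is still accepted.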