
Recovery from firmware vulnerabilities in TPM.pdf

Document No. 161242, PDF, 37 pages, 791.41 KB

Recovery from Vulnerabilities in TPM Firmware
Enhancing the TPM API for forward security
Jeff Andersen, Staff Software Engineer, Google
Security and Data Protection

Software bugs give us job security
- Most code has bugs: we fix the ones we can find before release, but there may be hidden ones.
- There is a lot of code running on modern machines, from voltage regulators, to BIOS, up to userland.
- "Don't ever release bugs" is not a strategy.
- Step 1: Release best-effort software
- Step 2: Find bugs and fix them
- Step 3: Roll out fixes
- Step 4: Verify the fixes have been applied
- Step 5: Go to step 1
- Critical capability: recovery

Remotely verifying software
- Mutable code/configuration is measured before it runs.
- Measurements are stored in the TPM's memory.
- The TPM emits cryptographic proof of the measurements to a relying party.
[Diagram: BIOS, Kernel and Userspace (App, App, App), loaded from Flash and the File system, are each measured into the TPM; the TPM sends an Attestation to a Remote Verifier, which applies a Policy. TPM: Trusted Platform Module.]

The TPM must keep a secret
- Attestations are signed with a key held by the TPM.
- The TPM must keep this key secret.
- If a bug causes the TPM to leak this secret, attestation and recovery don't work.

Trusted Computing Base
- One definition of TCB: the amount of code you need to blindly trust not to have bad bugs.
- The smaller the better.
- Recovery is not possible for bad bugs that cause the TPM to leak its secrets.
- Recovery is not possible for bad bugs in BIOS that run without first being measured.
[Diagram: the same platform stack, with each component labelled Out of TCB, In TCB, or Platform-dependent; the TPM is in the TCB.]

TPM's TCB
- The TPM is just a place to run code.
- Bad bugs here could leak all the secrets.
- We cannot recover from such bugs at scale.
[Diagram: every part of the TPM is in the TCB: structure unmarshaller, policy enforcement logic, command dispatcher, firmware crypto library, flash memory logic, bootloader.]

Bad TPM bugs
- CVE-2017-15361: ROCA
- CVE-2019-16863: TPM-FAIL
- Bugs in RSA key generation, ECDSA signing, policy checks

Minimizing the TPM's TCB
- We can't eliminate the TPM's TCB, but we can shrink it significantly.
[Diagram: the structure unmarshaller, policy enforcement logic, command dispatcher, firmware crypto library and flash memory logic are grouped as "the firmware" and moved out of the TCB; only the bootloader stays in the TCB.]

Removing TPM firmware from the TCB
- Firmware might leak all its secrets.
- Recovery step 1: update to new patched firmware (Firmware Version X to Firmware Version Y).
- Recovery step 2: give new firmware new secrets.
- Recovery step 3: revoke trust in old secrets (at the remote verifier).
[Diagram: bootloader beneath Firmware Version X and Firmware Version Y; a remote verifier.]

Version-unique secrets
- Let's have the bootloader keep a secret.
- Let's have the bootloader measure TPM firmware (Hash).
- Let's have the bootloader derive a key (KDF: key derivation function).
- The TPM firmware can have a secret known only to that version of firmware.
- The TPM API did not provide any way of using that secret.
[Diagram: the bootloader's secret and Hash(Firmware Version X) feed a KDF; Firmware Version Y yields a different derived key.]

Exposing version-unique secrets to users

TPM API Primer: status quo
- Primary seeds: Storage Primary Seed, Endorsement Primary Seed, Platform Primary Seed.
- Reserved handles: 0x40000001 (RH_OWNER), 0x4000000B (RH_ENDORSEMENT), 0x4000000C (RH_PLATFORM).
- A primary seed and an object template (attributes, policy, keypair parameters) go through a DRBG to produce a primary key: endorsement key, attestation key, sealing key, etc. DRBG: deterministic random bit generator.
- Primary seeds do not change on firmware update, so neither do primary keys.

New reserved handles
- The version-unique secret and an object template go through the DRBG to produce a FW-limited primary key: endorsement key, attestation key, sealing key, etc.
- These primary keys do change on firmware update.
- Firmware-limited handles: 0x40000140 (RH_FW_OWNER), 0x40000141 (RH_FW_ENDORSEMENT), 0x40000142 (RH_FW_PLATFORM).

Endorsement keys
- The Endorsement Primary Seed and the EK template (attributes, policy, keypair parameters) go through the DRBG to produce the Endorsement Key (EK).
- A TPM's EK is endorsed by its vendor during manufacturing (Vendor PKI; PKI: public key infrastructure).
- EKs are the reason you trust any statement emitted from a TPM: the Attestation Key (AK), sealing keys, NV indexes and PCR quotes all chain back to the EK.
- If the EK is leaked due to a firmware bug, how can the TPM ever be trusted again?

Firmware-limited EKs
- The bootloader can generate a firmware-limited EK.
- The bootloader can endorse it with an embedded CA (CA: certificate authority), which is in turn endorsed by the vendor PKI.
- New firmware gets new endorsed FW-limited keys.
- The firmware's measurement is included in the EK's certificate.
[Diagram: Vendor PKI -> Bootloader embedded CA -> Firmware-limited EK -> Firmware-limited AK, firmware-limited sealing keys, NV indexes, PCR quotes.]

Hey look, it's DICE
- DICE: a standard for attesting to low-level firmware.
- DICE chain: UDS -> Layer 0 CDI (Layer 0 measurement) -> DeviceID key; Firmware CDI (Firmware measurement) -> Firmware alias key; CDI-derived keys. The Vendor PKI endorses the DeviceID key.
- TPM chain: Vendor PKI -> Bootloader embedded CA -> Firmware-limited EK -> Firmware-limited AK, firmware-limited sealing keys, NV indexes, PCR quotes.
[Diagram: the two chains drawn side by side, layer for layer.]

Summary and call to action
- Sensitive platform firmware must be attestable; this allows recovery from vulnerabilities at scale.
- Version 1.83 of the TPM API introduces new primitives for TPM firmware attestation [1].
- Enables recovery from severe TPM vulnerabilities.
- Enables standard mechanisms to bind DICE to TPM.
- Call to action: TPM vendors: implement this new standard. Hyperscalers: start asking for this feature.

[1] https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=288

Thank you!
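The version-unique secret, firmware-limited handle and DICE-style derivation the deck describes, as an added Python simulation that is not from the talk or from any TPM implementation: HMAC-SHA256 stands in for both the bootloader's KDF and the TPM's DRBG, the primary seeds and firmware images are constructed, and the "certificate" is a dict with the signature omitted. It shows that the legacy EK (from the Endorsement Primary Seed) is unchanged by a firmware update while the FW-limited EK is not, and how a verifier revokes trust in keys tied to the old firmware's measurement.

```python
import hashlib
import hmac

# Constructed sample values, not real TPM material. The bootloader's secret plays
# the role of the DICE UDS / layer-0 CDI; EPS is the ordinary seed that survives updates.
BOOTLOADER_SECRET = hashlib.sha256(b"constructed-bootloader-secret").digest()
EPS = hashlib.sha256(b"constructed-endorsement-primary-seed").digest()
FW_X = b"constructed TPM firmware image, version X (has the bug)"
FW_Y = b"constructed TPM firmware image, version Y (patched)"

RH_ENDORSEMENT = 0x4000000B     # legacy endorsement hierarchy
RH_FW_ENDORSEMENT = 0x40000141  # firmware-limited endorsement hierarchy

def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    """HMAC-SHA256 as the KDF (an assumed stand-in for the bootloader's KDF)."""
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()

def measure(firmware: bytes) -> bytes:
    """The bootloader measures the firmware before running it."""
    return hashlib.sha256(firmware).digest()

def version_unique_secret(firmware: bytes) -> bytes:
    """'Firmware CDI': bootloader secret bound to this firmware's measurement."""
    return kdf(BOOTLOADER_SECRET, b"fw-limited-seed", measure(firmware))

def primary_key(seed: bytes, handle: int, template: bytes) -> bytes:
    """Stand-in for the TPM DRBG seeded from (seed, template): same inputs give
    the same key, so primary keys are recreated on demand rather than stored."""
    return kdf(seed, b"primary", handle.to_bytes(4, "big") + template)

def endorsement_keys(firmware: bytes, ek_template: bytes = b"EK-template") -> dict:
    """Legacy EK (from EPS) and firmware-limited EK (from the version secret)."""
    return {
        RH_ENDORSEMENT: primary_key(EPS, RH_ENDORSEMENT, ek_template),
        RH_FW_ENDORSEMENT: primary_key(version_unique_secret(firmware),
                                       RH_FW_ENDORSEMENT, ek_template),
    }

def fw_limited_ek_cert(firmware: bytes) -> dict:
    """What the bootloader's embedded CA certifies: the FW-limited EK together with
    the measurement of the firmware that owns it (signature omitted here)."""
    return {"ek": endorsement_keys(firmware)[RH_FW_ENDORSEMENT],
            "fw_measurement": measure(firmware)}

def verifier_accepts(cert: dict, revoked_measurements: set) -> bool:
    """Recovery step 3: the relying party stops trusting keys whose certificate
    names a firmware version known to leak its secrets."""
    return cert["fw_measurement"] not in revoked_measurements
```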
