preisacm
/
masterthesis
1
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

edit TPM certs, IMA

master
Michael Preisach 5 years ago
parent
450e9269ce
commit
a6d3070f66
4 changed files with 90 additions and 40 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 11
      thesis/02_background.tex
  2. 113
      thesis/04_implementation.tex
  3. 6
      thesis/05_outlook.tex
  4. BIN
      thesis/MAIN.pdf

11
thesis/02_background.tex
View File

@ -39,7 +39,7 @@ The last two entries describe vulnerabilities in dedicated TPM chips, which are
\begin{itemize} \begin{itemize}
\item \emph{CVE-2017-15361}: TPMs from Infineon used a weak algorithm for finding primes during the RSA key generation process. \item \emph{CVE-2017-15361}: TPMs from Infineon used a weak algorithm for finding primes during the RSA key generation process.
This weakness made brute force attacks against keys of up to 2048 bits length feasible. This weakness made brute force attacks against keys of up to 2048 bits length feasible.
According to Nemec et al.\cite{Nemec17}, 1024 bit keys required in the worst case scenario 3 CPU months and 2048 bit keys needed 100 CPU years. According to Nemec et al.\cite{Nemec17}, 1024 bit keys required in the worst case scenario 3 CPU months and 2048 bit keys needed 100 CPU years when using one core of an Intel Xeon E5-2650 v3 CPU.
Infineon was able to fix that vulnerability per firmware update for all affected TPMs. Infineon was able to fix that vulnerability per firmware update for all affected TPMs.
\item \emph{CVE-2019-16863}: This vulnerability is also known as "\emph{TPM fail}" \cite{moghimi20-tpmfail} and shows how to get an elliptic curve private key via timing and lattice attacks. \item \emph{CVE-2019-16863}: This vulnerability is also known as "\emph{TPM fail}" \cite{moghimi20-tpmfail} and shows how to get an elliptic curve private key via timing and lattice attacks.
The authors found TPMs from STMicroelectronics vulnerable, as well as Intel's fTPM implementation. The authors found TPMs from STMicroelectronics vulnerable, as well as Intel's fTPM implementation.
@ -109,10 +109,11 @@ The \emph{Endorsement Key} (EK) is the root key for the corresponding hierarchy.
\end{figure} \end{figure}
\autoref{fig:ek-key-generation} illustrates the certificate chain of building a new EK. \autoref{fig:ek-key-generation} illustrates the certificate chain of building a new EK.
Every TPM has, instead of the full EK, a unique key seed to derive root keys from. Every TPM has, instead of the full EK, a unique key seed to derive root keys from.
This key seed comes with a corresponding certificate. The EK can then be generated with a \emph{key derivation function} (KDF) which allows to add additional entropy to that of the TPM.
This TPM certificate is signed by the TPM manufacturer by using its own root \emph{Certificate Authority} (CA). According to Arthur et al.\cite[arthur15] in chapter 15, this additional entropy is not used and the parameter field is filled with zeroes.
When the platform user wants to create a new EK, a \emph{Key Derivation Function} (KDF) generates this new EK such that the TPM certificate identifies it and the chain keeps intact. As a result, although it is possible to generate an arbitrary number of EKs, the TPM generates always the same by default.
Since the platform supports root key generation, it is also possible to encrypt the key and store it on an external storage, e.g. on the platform disk. Only this default EK comes with a corresponding certificate which is signed by the TPM manufacturer by using its own root \emph{Certificate Authority} (CA).
Since the platform supports generating and using multiple root keys at a time, it is also possible to encrypt temporaily unused keys and store it on an external storage, e.g. on the platform disk.
Consequently it is quite easy to have different EKs at once to address privacy features also between different functions of the endorsement hierarchy. Consequently it is quite easy to have different EKs at once to address privacy features also between different functions of the endorsement hierarchy.
\section{Trusted Boot}% \section{Trusted Boot}%

113
thesis/04_implementation.tex
View File

@ -21,7 +21,7 @@ For demonstrating remote attestation via DAA over a simple network infrastructur
We decided to order one system with an AMD processor in it to find differences in handling the TPM between Intel and AMD systems. We decided to order one system with an AMD processor in it to find differences in handling the TPM between Intel and AMD systems.
All features used in this thesis were available on both platform types, so there were no differences found. All features used in this thesis were available on both platform types, so there were no differences found.
\begin{table}[ht] \begin{table}
\renewcommand{\arraystretch}{1.2} \renewcommand{\arraystretch}{1.2}
\centering \centering
\caption{Systems used for demonstration prototype} \label{tab:systems} \caption{Systems used for demonstration prototype} \label{tab:systems}
@ -195,48 +195,91 @@ However, we found no official information on when IMA was introduced or whether
Every kernel supporting IMA creates a virtual file at \texttt{/sys/kernel/security/ima/ascii\_runtime\_measurements}. Every kernel supporting IMA creates a virtual file at \texttt{/sys/kernel/security/ima/ascii\_runtime\_measurements}.
When IMA is disabled, which is the default, this file has only one entry representing the boot aggregate. When IMA is disabled, which is the default, this file has only one entry representing the boot aggregate.
By enabling IMA via kernel command line parameters, this file gets filled according to the policies defined. By enabling IMA via kernel command line parameters, this file gets filled according to the policies defined.
The first four parameters used in \autoref{code:tbkernelcommandlinetxt} define the behavior of IMA and how the measurement log should look like. The first four parameters used in \autoref{code:tbcommandlinetxt} define the behavior of IMA and how the measurement log should look like.
\begin{itemize}
\item \texttt{ima\_appraise=fix} appends the filehash as an extended file attribute for every accessed file.
\item \texttt{ima\_policy=appraise\_tcb, ima\_policy=tcb} analyzes resources owned by root and opened for execution.
\item \texttt{ima\_hash=sha256} sets the hashing algorithm.
\item \texttt{rootflags=i\_version} must be enabled when mounting the filesystem since IMA is checking that number before re-hashing the resource.
\end{itemize}
Unfoortunately, the resulting IMA log is between 2000 and 3000 lines long when the system is freshly booted.
The log can blow up to several 10000 entries when uptime exceeds several days.
However, a thrid party can comprehend the state of the attesting system, when parsing the IMA log.
Together with the corresponding PCR value, where the hashes of all entries are chained the TPM can \texttt{certify} correctness of the log.
\section{Interaction with TPM2} \section{Interaction with TPM2}
\subsection{Prove Certificate Chain} \subsection{Prove Certificate Chain}
Every TPM has a corresponding certificate which is part of a certificate chain maintained by the TPM manufacturer. Every TPM has a corresponding certificate which is part of a certificate chain maintained by the TPM manufacturer.
In our case, Infineon certifies its TPM with a number of intermediate CAs which itself are certified with Infineon's root CA.
The TPM certificate is available for RSA and ECC cryptofamilies respectively.
Since the verification workflow is the same on all machines and for both cryptofamilies, we demonstrate on system 1 how the process works.
Note that this works for Infineon TPMs.
Other Vendors like STM, AMD or Intel may provide certificates via download of their website.
\begin{enumerate} \begin{enumerate}
\item Collect certificates: Depending on the manufacturer, there are different ways to get the TPM's certificates. \item Read the certificate from the TPM NVRAM.
Infineon decided to store it as X.509 DER formatted blob on the TPM's non-volatile memory. The RSA certificate is located at address \texttt{0x1c00002}, that for ECC on address \texttt{0x1c0000a}:
Address \texttt{0x1c00002} holds the certificate for RSA based root keys, whereas \texttt{0x1c0000a} is the ECC equivalent. \begin{lstlisting}[numbers=none]
Although all TPMs are \emph{Infineon Optiga TPM SLB 9665}, the oldest device uses another intermediate CA from the manufacturer. root@amd1:~# tpm2_nvread -C o 0x1c0000a -o amd1_ecc.crt
\item Download Infineon intermediate and root CA certificates \end{lstlisting}
\item Verify Cert chain with openSSL. \item Download the certificates from the intermediate and root CA from infineon's website:
\begin{lstlisting}[numbers=none]
root@amd1:~# wget https://www.infineon.com/dgdl/Infineon-TPM_ECC_Root_CA-C-v01_00-EN.cer?fileId=5546d46253f65057015404843f751cdc -O infineon_ecc_root_ca.crt #Infineon root CA
root@amd1:~# wget https://www.infineon.com/dgdl/Infineon-OPTIGA-ECC-Manufacturing-CA_036-Issued_by_RootCA.crt-C-v01_00-EN.crt?fileId=5546d46262475fbe0162486417b73cbe -O infineon_ecc_intermediate_ca_036.crt #Infineon intermediate CA
\end{lstlisting}
\item Convert all certificates into PEM format. OpenSSL can only verify a chain in PEM format.
\begin{lstlisting}[numbers=none]
root@amd1:~# openssl x509 -inform DER -outform PEM -in infineon_ecc_root_ca.crt -out infineon_ecc_root_ca.pem
root@amd1:~# openssl x509 -inform DER -outform PEM -in infineon_ecc_intermediate_ca_036.crt -out infineon_ecc_intermediate_ca_036.pem
root@amd1:~# openssl x509 -inform DER -outform PEM -in amd1_ecc.crt -out amd1_ecc.pem
\end{lstlisting}
\item Check the certificate chain with OpenSSL.
The option \texttt{-untrusted} is required since the provided root CA is not in the OS' trust store and hence of unknown trust.
\begin{lstlisting}[numbers=none]
root@amd1:~# openssl verify -verbose -CAfile infineon_ecc_root_ca.pem -untrusted infineon_ecc_intermediate_ca_036.pem amd1_ecc.pem
amd1_ecc.pem: OK
\end{lstlisting}
\end{enumerate} \end{enumerate}
\begin{lstlisting}[float,language=bash, caption={Verifying the TPM Certificate}, label={code:verifytpmcert}] When OpenSSL returns \texttt{OK}, the certificate chain is intact and the TPM is indeed one from Infineon.
root@amd1:~# tpm2_nvread -C o 0x1c00002 -o amd1_1.cert To be correct: The website, probably hosted by infineon, provides a certificate chain which matches and the links to the corresponding parent certificate is correct.
root@amd1:~# tpm2_nvread -C o 0x1c0000a -o amd1_2.cert Unfortunately, Infineon do neither provide any website certification nor any checksums of the provided certificates.
michael@luna /run/media/michael/B50A-68E0 % openssl x509 -inform DER -outform PEM -in amd1_1.cert -out amd1_1.pem So, if the above described check fails, no source of trust can ensure that the root certificate is correct.
michael@luna /run/media/michael/B50A-68E0 % openssl x509 -inform DER -outform PEM -in amd1_2.cert -out amd1_2.pem
michael@luna /run/media/michael/B50A-68E0 % openssl x509 -inform DER -outform PEM -in intel1_1.cert -out intel1_1.pem We found, that both, ECC and RSA chains of all TPMs are intact.
michael@luna /run/media/michael/B50A-68E0 % openssl x509 -inform DER -outform PEM -in intel1_2.cert -out intel1_2.pem For documentation reasons, we provide the OpenSSL SHA256 checksums of all used certificates in \autoref{tab:certchksum}.
michael@luna /run/media/michael/B50A-68E0 % openssl x509 -inform DER -outform PEM -in intel2_2.cert -out intel2_2.pem These chaecksums were generated with:
michael@luna /run/media/michael/B50A-68E0 % openssl x509 -inform DER -outform PEM -in intel2_1.cert -out intel2_1.pem \begin{lstlisting}[numbers=none]
michael@luna /run/media/michael/B50A-68E0 % openssl x509 -inform DER -outform PEM -in OptigaEccMfrCA011.crt -out OptigaEccMfrCA011.pem openssl x509 -noout -fingerprint -sha256 -inform pem -in amd1_ecc.pem
michael@luna /run/media/michael/B50A-68E0 % openssl x509 -inform DER -outform PEM -in OptigaEccMfrCA036.crt -out OptigaEccMfrCA036.pem
michael@luna /run/media/michael/B50A-68E0 % openssl x509 -inform DER -outform PEM -in OptigaRsaMfrCA036.crt -out OptigaRsaMfrCA036.pem
michael@luna /run/media/michael/B50A-68E0 % openssl x509 -inform DER -outform PEM -in OptigaRsaMfrCA011.crt -out OptigaRsaMfrCA011.pem
michael@luna /run/media/michael/B50A-68E0 % openssl verify -verbose -CAfile Infineon-TPM_ECC_Root_CA-C-v01_00-EN.pem -untrusted OptigaEccMfrCA036.pem amd1_2.pem
amd1_2.pem: OK
michael@luna /run/media/michael/B50A-68E0 % openssl verify -verbose -CAfile Infineon-TPM_RSA_Root_CA-C-v01_00-EN.pem -untrusted OptigaRsaMfrCA036.pem amd1_1.pem
amd1_1.pem: OK
michael@luna /run/media/michael/B50A-68E0 % openssl verify -verbose -CAfile Infineon-TPM_ECC_Root_CA-C-v01_00-EN.pem -untrusted OptigaEccMfrCA036.pem intel2_2.pem
intel2_2.pem: OK
michael@luna /run/media/michael/B50A-68E0 % openssl verify -verbose -CAfile Infineon-TPM_ECC_Root_CA-C-v01_00-EN.pem -untrusted OptigaEccMfrCA011.pem intel1_2.pem
intel1_2.pem: OK
michael@luna /run/media/michael/B50A-68E0 % openssl verify -verbose -CAfile Infineon-TPM_RSA_Root_CA-C-v01_00-EN.pem -untrusted OptigaRsaMfrCA011.pem intel1_1.pem
intel1_1.pem: OK
michael@luna /run/media/michael/B50A-68E0 % openssl verify -verbose -CAfile Infineon-TPM_RSA_Root_CA-C-v01_00-EN.pem -untrusted OptigaRsaMfrCA036.pem intel2_1.pem
intel2_1.pem: OK
\end{lstlisting} \end{lstlisting}
\newpage \begin{table}
\renewcommand{\arraystretch}{1.2}
\centering
\caption{ECC certificate chain of used TPMs} \label{tab:certchksum}
%\rowcolors{2}{lightgray}{white}
\begin{tabular}{rp{9.9cm}}
\toprule
\textit{Certificate}&\textit{SHA256 checksum} \\
\midrule
\textbf{ECC root CA} &\texttt{CF:EB:02:FE:CD:55:AD:7A:73:C6:E1:D1:19:85:D4:C4: 7D:EE:24:8A:B6:3D:CB:66:09:1A:24:89:66:04:43:C3}\\
\textbf{ECC intermediate CA 036} &\texttt{2C:BF:6D:6C:39:94:47:0A:EC:D2:B1:F8:7F:5D:21:11: 08:D1:E0:A4:A8:1E:D9:CB:A2:6B:D2:98:96:5D:E0:1C}\\
\textbf{ECC intermediate CA 011} &\texttt{B5:59:A8:4E:63:32:A7:B4:E3:2B:4D:37:39:E3:72:E3: C5:17:BA:5A:4C:CF:FE:E1:DA:AF:80:BC:64:16:28:EE}\\
\textbf{ECC System 1 TPM} &\texttt{D8:C3:21:3E:BB:C2:CB:96:EA:14:2F:D5:57:61:79:04: BB:DE:8A:F9:21:2A:11:7D:4B:2E:FC:64:BD:35:C1:6E}\\
\textbf{ECC System 2 TPM} &\texttt{FE:1B:EF:42:8B:68:35:D3:FC:5A:13:A0:AE:12:19:BA: A1:60:D6:59:38:1D:79:8E:76:50:48:BE:5C:BD:83:A5}\\
\textbf{ECC System 3 TPM} &\texttt{92:29:68:6D:50:EE:34:08:30:DF:E7:30:D8:F3:C0:C7: 13:3C:DF:F0:6D:9E:2B:2E:0F:54:76:AE:B8:D6:1A:DA}\\
\textbf{RSA root CA} &\texttt{89:9E:35:47:4C:98:07:EB:4C:7F:2F:7A:12:DA:00:28: FB:25:0C:D0:21:54:D0:00:9F:CA:7D:9C:66:57:4F:3B}\\
\textbf{RSA intermediate CA 036} &\texttt{21:6C:47:D2:77:FC:40:CE:90:F0:86:83:21:CB:5E:F5: 91:FC:1D:D8:D0:E4:FD:A1:A2:C8:3C:17:BE:01:B0:7E}\\
\textbf{RSA intermediate CA 011} &\texttt{A8:33:79:F9:2A:34:1B:EB:61:B6:7F:03:50:66:44:94: 0F:EB:4B:85:EA:50:4A:9D:22:13:BC:A5:2C:88:9F:89}\\
\textbf{RSA System 1 TPM} &\texttt{F1:C7:6A:00:CF:2B:63:4D:38:C0:2E:73:3C:84:BF:30: 5C:C2:D3:61:DF:34:D8:95:BB:F1:0F:FB:6B:0C:79:E2}\\
\textbf{RSA System 2 TPM} &\texttt{CB:1F:7D:20:FE:B2:11:C4:2B:20:6B:4F:66:A6:14:1A: 37:94:5F:85:93:6D:2E:92:85:57:BF:3A:BF:9E:DA:DD}\\
\textbf{RSA System 3 TPM} &\texttt{BF:0B:4E:77:80:18:86:9A:EF:09:06:96:E2:4D:72:A3: 47:B6:E3:8F:AA:F9:9C:2E:C0:13:AB:70:E3:E4:5D:93}\\
\bottomrule
\end{tabular}
\end{table}
%TODO Edit pointer %TODO Edit pointer
tpm2-tools 4.x are usable to interact with the TPM from the command line. tpm2-tools 4.x are usable to interact with the TPM from the command line.
Available on all major releases after summer 2019. Available on all major releases after summer 2019.

6
thesis/05_outlook.tex
View File

@ -8,6 +8,12 @@ Still hard to set up a system like that.
Documentation is available, but hardly any implementations for DAA and IMA. Documentation is available, but hardly any implementations for DAA and IMA.
\section{Future Work} \section{Future Work}
\subsection{Closing the chain of trust between TPM manufacturer and DAA issuer}
Activate a credential with to certify that the Membership key is in the Endorsement hierarchy, which can be verified with the TPM certificate.
\begin{itemize}
\item Theoretical concept in the \emph{Practical Guide to TPM 2.0, pp 109 ff}
\item Practical approach: with EK, AK and AIK to show validity of EK:\\ \url{https://ericchiang.github.io/post/tpm-keys/?utm_campaign=Go%20Full-Stack&utm_medium=email&utm_source=Revue%20newsletter#credential-activation}
\end{itemize}
\section{Outlook} \section{Outlook}
Hardening of the system beyond IMA useful. Hardening of the system beyond IMA useful.

BIN
thesis/MAIN.pdf
View File

Binary file not shown.
Write Preview
Loading…
Cancel
Save