[thudson]

This NSA report is a wonderfully thorough guide to configuring UEFI Secure Boot, although it is another example of how unusable security tools can be. This conplexity was my motivation for writing the safeboot[1] scripts, which wrap all of the signing key management, TPM key sealing, and attestation into a hopefully easier to use package.

1: https://safeboot.dev/

[strstr]

It’s cool to see other uses of the TPM in the wild! My coworkers and I maintain go-tpm-tools[0] for trying to make using the tpm straightforward.

[0] https://github.com/google/go-tpm-tools.

[mjg59]

(additional plug) portions of which are used to enable github.com/google/go-attestation, which aims to make it practical for verification of system boot state in a heterogeneous environment and is now being actively used inside Google.

[codethief]

I've been following safeboot for a while and it looks really, really cool!

One concern I've been having regarding a read-only root file system – an idea that I really like! – was how cumbersome software updates (say, through apt) and quick config changes (in /etc) must be. AFAIU I'd have to manually sign a new rootfs image every single time[0] which looks rather painful to me. I wish Linux distributions provided a clear separation between user-facing software & configs and system-internal stuff that one hardly ever has to touch: IMHO software & configs should by default get installed on a per-user basis and not require root. (And applications should also be sandboxed by default but I'm digressing…)

[0] https://safeboot.dev/install/#root-filesystem-updates

[thudson]

In practice it is a bit of a pain during the initial setup and package installation -- I was probably rebooting to recovery mode once a day or more to install some command line tool that I had forgotten about. Once the machine is configured then it is a more rare occurrence, although your usage might vary.

Something that I'm not happy about is that the snaps all live on the writable /var since they want to do automatic updates all the time. This is problematic for a locked-down configuration and might recommend against a snap based distribution.

Separating out the bootable bits from the rest of the packages might help, as would running more things in sandboxes. Another option that we're exploring is some lvm magic to create a snapshot, upgrade the snapshot, sign it, and then on the next reboot use it as the real root. This is also useful for fleet management -- the new root filesystem, kernel, initrd, etc can arrive "behind the scenes" and on the next reboot is the one that is used. Since the PCRs can be predicated as well, the PCR policy can be signed and sent along with the upgrade to make it seamless.

[codethief]

> Another option that we're exploring is some lvm magic to create a snapshot, upgrade the snapshot, sign it, and then on the next reboot use it as the real root.

This sounds very nice and similar to Android's A/B partitions!

> Since the PCRs can be predicated as well

This may be a stupid question but… what are PCRs? Google yields "polymerase chain reaction" – a method used, among others, for detecting the coronavirus but I'm sure that's not it. :)

[nextgens]

It's amazing that you disregard the most basic attack in your threat model (https://safeboot.dev/threats/): going after the TPM itself. TPMs are usually FIPS 140-2 L2: not something that's meant to be hardened against even basic hardware attacks.

IMHO the TPM should be a required piece but not the only piece of the puzzle. If I loose my laptop, I don't want the goods to be protected exclusively by a key that's trivial to recover from it (stored in something that's not a secure-element).

I've covered it in a talk I gave at 44con: https://www.youtube.com/watch?v=YZTWjLTz4AE

tl;dr; Use the TPM (and potentially other technologies like SGX) as part of your KDF to strengthen PIN/passphrase that the user provides. This breaks the asymmetry of offline attacks (attacker will always be bound by TPM/SGX-speed). Do NOT give it the only key required to decrypt your data.

[thudson]

Some forms of TPM tampering are explicitly addressed in the threat model:

> The PCR values in the TPM are not "secret", so an adversary with physical access could directly wire to the TPM and provide it with the correct measurements to extend the PCRs to match the signed values. The user PIN is still necessary to unseal the secret and the TPM dictionary attack protections both rate-limit and retry-limit the attacker.

Decaping chips to recover secrets is outside of the threat model, however.

[nextgens]

What I'm argueing in my talk is that it shouldn't be. Odds are your phone does it better :)

Decaping a chip from a lost laptop is far from science fiction and can be performed at a fixed cost. Mitigation is super-cheap... There's just no good reason to store the "final" key on the TPM.

Here I interleave rounds of argon2id (configured with parameters that fit my system: use up all the RAM and all the cores since there's nothing else to do in the initrd) with HMAC rounds from TPM and/or SGX (configured with the right policies so that they rate-limit and only unlock if the PCRs check out).

[e12e]

Surely TPM is only useful for getting to a trusted point/input for the key that encrypts the drive?

If an attacker can get hold of the hw long enough to get into the TPM they could just copy the encrypted drive, and replace the laptop entirely - the only thing needed would be to ship the typed pass-phrase home on next login?

I suppose ideally there'd be some kind of challenge-response to verify the TPM (very naive version - type in a wrong pin/pw first - if it's accepted you know the system is compromised..).

But, assuming the attacker can replace the whole system - I'm not sure I see how it could be trusted fully, assuming it's not under 24/7 watch (and even then, it could of course be compromised, but shifting the attack toward eg bribery, betrayal, neglect etc).

[rocqua]

It is very much news to me that key-recovery from the TPM is not supposed to be that hard.

If that is the case, how does it strengthen a PIN? Any attacker wanting to find a decryption key could simply extract the key, and then brute-force the PIN outside of the TPM constraints, can't they?

[nextgens]

The PIN isn't required if you decap the TPM.

[HelloNurse]

Decapping doesn't count as a "basic hardware attack".

[nextgens]

https://en.wikipedia.org/wiki/FIPS_140-2#Level_2

It definitely does when there is no attempt made at protecting against it. L2 means "tamper evidence", you need L3 for things to start to be designed to prevent it from being "basic".

SGX is L3, you'll be hard pressed to find a TPM that does better than L2.

Phrasing it another way: Even if you don't have the skills/equipment to do it. How much do you think it costs to get someone to do it for you? How reproducible is that process? Why are we assuming it's hard?

[R0b0t1]

I'm pretty sure their benchmark for hard is needing to take the device apart and do surgery on it. To me, that is what I would qualify as hard despite knowing how to do it, it's hard by way of being annoying.

Yes, I'd like more security, but it's not bad.

[m0zg]

For the NSA it does. :-)

[Avamander]

If the NSA is in your threat model, you've lost the game.

[vladvasiliu]

The way I see it, safeboot is a bunch of scripts helping to set up solutions already available.

I didn't look at it in details, but in one of the screenshots the system asks for a pin to unlock the disk.

I agree that storing a full decryption key in the TPM may be risky. Even if the thread model should be considered (it may not be interesting for an attacker to go around doing this to Joe Random's laptop) it is something that users should be aware of.

[m0zg]

Since you seem to know a thing or two about this: what's your take on fTPM? Is it better/worse than a separate TPM module?

[nextgens]

The answer is complicated.

IMHO It's clearly better than no TPM... as for whether it's better or worse than a physical chip, it's a different trade-off.

One one side you have:

- higher speed

- higher protection against physical attacks (if only because the die is larger... it's smaller and the "bus" isn't as trivial to interact with)

On the other:

- new side channels (think spectre, meltdown & friends) and they are probably easier to exploit thanks to the higher speed (more samples)

- more parties to trust (microcode, ME, ...)

- erasure is harder

For the specific purpose of hardening passphrases/keys ... use both. :p

[ezoe]

I don't like TPM. I generally don't like any hardware-based security features. The security must relies on sufficiently long passphrase in my brain remains secret.

Now I have to prepare for the five dollar wrench attack. [https://xkcd.com/538/]

Perhaps, I can use Shamir's Secret Sharing to share a key with other people I trust, including the lawyer I paid which must keep client's secret and exempt from police raid by law.

[ComodoHacker]

Thank you!

Please update your main page title, so a quick-made bookmark remains searchable when needed.