[nextgens]

It's amazing that you disregard the most basic attack in your threat model (https://safeboot.dev/threats/): going after the TPM itself. TPMs are usually FIPS 140-2 L2: not something that's meant to be hardened against even basic hardware attacks.

IMHO the TPM should be a required piece but not the only piece of the puzzle. If I loose my laptop, I don't want the goods to be protected exclusively by a key that's trivial to recover from it (stored in something that's not a secure-element).

I've covered it in a talk I gave at 44con: https://www.youtube.com/watch?v=YZTWjLTz4AE

tl;dr; Use the TPM (and potentially other technologies like SGX) as part of your KDF to strengthen PIN/passphrase that the user provides. This breaks the asymmetry of offline attacks (attacker will always be bound by TPM/SGX-speed). Do NOT give it the only key required to decrypt your data.

[thudson]

Some forms of TPM tampering are explicitly addressed in the threat model:

> The PCR values in the TPM are not "secret", so an adversary with physical access could directly wire to the TPM and provide it with the correct measurements to extend the PCRs to match the signed values. The user PIN is still necessary to unseal the secret and the TPM dictionary attack protections both rate-limit and retry-limit the attacker.

Decaping chips to recover secrets is outside of the threat model, however.

[nextgens]

What I'm argueing in my talk is that it shouldn't be. Odds are your phone does it better :)

Decaping a chip from a lost laptop is far from science fiction and can be performed at a fixed cost. Mitigation is super-cheap... There's just no good reason to store the "final" key on the TPM.

Here I interleave rounds of argon2id (configured with parameters that fit my system: use up all the RAM and all the cores since there's nothing else to do in the initrd) with HMAC rounds from TPM and/or SGX (configured with the right policies so that they rate-limit and only unlock if the PCRs check out).

[e12e]

Surely TPM is only useful for getting to a trusted point/input for the key that encrypts the drive?

If an attacker can get hold of the hw long enough to get into the TPM they could just copy the encrypted drive, and replace the laptop entirely - the only thing needed would be to ship the typed pass-phrase home on next login?

I suppose ideally there'd be some kind of challenge-response to verify the TPM (very naive version - type in a wrong pin/pw first - if it's accepted you know the system is compromised..).

But, assuming the attacker can replace the whole system - I'm not sure I see how it could be trusted fully, assuming it's not under 24/7 watch (and even then, it could of course be compromised, but shifting the attack toward eg bribery, betrayal, neglect etc).

[rocqua]

It is very much news to me that key-recovery from the TPM is not supposed to be that hard.

If that is the case, how does it strengthen a PIN? Any attacker wanting to find a decryption key could simply extract the key, and then brute-force the PIN outside of the TPM constraints, can't they?

[nextgens]

The PIN isn't required if you decap the TPM.

[HelloNurse]

Decapping doesn't count as a "basic hardware attack".

[nextgens]

https://en.wikipedia.org/wiki/FIPS_140-2#Level_2

It definitely does when there is no attempt made at protecting against it. L2 means "tamper evidence", you need L3 for things to start to be designed to prevent it from being "basic".

SGX is L3, you'll be hard pressed to find a TPM that does better than L2.

Phrasing it another way: Even if you don't have the skills/equipment to do it. How much do you think it costs to get someone to do it for you? How reproducible is that process? Why are we assuming it's hard?

[R0b0t1]

I'm pretty sure their benchmark for hard is needing to take the device apart and do surgery on it. To me, that is what I would qualify as hard despite knowing how to do it, it's hard by way of being annoying.

Yes, I'd like more security, but it's not bad.

[m0zg]

For the NSA it does. :-)

[Avamander]

If the NSA is in your threat model, you've lost the game.

[wolfgke]

> If the NSA is in your threat model, you've lost the game.

For example for cryptographic primitives, if you didn't include the NSA in your threat model, you did something deeply wrong in your modelling.

[vladvasiliu]

The way I see it, safeboot is a bunch of scripts helping to set up solutions already available.

I didn't look at it in details, but in one of the screenshots the system asks for a pin to unlock the disk.

I agree that storing a full decryption key in the TPM may be risky. Even if the thread model should be considered (it may not be interesting for an attacker to go around doing this to Joe Random's laptop) it is something that users should be aware of.

[m0zg]

Since you seem to know a thing or two about this: what's your take on fTPM? Is it better/worse than a separate TPM module?

[nextgens]

The answer is complicated.

IMHO It's clearly better than no TPM... as for whether it's better or worse than a physical chip, it's a different trade-off.

One one side you have:

- higher speed

- higher protection against physical attacks (if only because the die is larger... it's smaller and the "bus" isn't as trivial to interact with)

On the other:

- new side channels (think spectre, meltdown & friends) and they are probably easier to exploit thanks to the higher speed (more samples)

- more parties to trust (microcode, ME, ...)

- erasure is harder

For the specific purpose of hardening passphrases/keys ... use both. :p

[ezoe]

I don't like TPM. I generally don't like any hardware-based security features. The security must relies on sufficiently long passphrase in my brain remains secret.

Now I have to prepare for the five dollar wrench attack. [https://xkcd.com/538/]

Perhaps, I can use Shamir's Secret Sharing to share a key with other people I trust, including the lawyer I paid which must keep client's secret and exempt from police raid by law.