[sim7c00]

its meant for secureboot, but i suppose the rest of the platform, built usually by other ppl than ones who designed the TPM, needs to also implement it correctly. an d as this article shows, this is not an easy feat. (this attack seems silly but it's really clever tbh. good inspired idea likely based in lots of domain expertise). - if you can protect the boot-chain with secureboot, what you can do for your private key, what for example AV vendors do, is have a (efi?)driver that contains the certificate, which is a boot-driver protected by secure-boot. - for windows this might require Microsoft cooperation to assign you a driver level so other stuff can't disable it (otherwise it's still tricky and possible to get around your protections likely). (windows -> process protection light / telam drivers). Optionally you could also have the certificate provided by an EFI applcation somehow that's signed / secured by secureboot. (could drop it on disk somewhere, efi partition is easily accessible...).

If the chain is protected by the tpm, this method if implemented correctly through the whole chain should protect your cert and pkey.

that being said _should_ is the keyword,. i dont think any platform really managed to escape all attacks, though a lot in this area do need hw access (the tweezers previously implemented by the author :)).

[RedShift1]

Heh I always thought that TPM was there to secure anything. If it's only meant for secure boot then I understand the poor tooling and absence of APIs to use the thing properly inside applications.

[Foxboron]

It's not meant for Secure Boot. They are two separate, but adjacent, technologies that provide their own security properties in a boot chain.

This is a common misconception.

[jnwatson]

It is absolutely used and designed for secure boot. There are now simpler mechanisms to accomplish the same thing, but if you want remote attestation, you need a TPM.

[sim7c00]

Hi Fox, i'm not aware of any other usages on the platform i'm familiar with sorry, maybe a gap in my understanding.

Afaik, if you want access to a chip like TPM, the OS will need to cooperate as such I/O access or MMIO or however it's accessed, will be privileged instructions likely.

I'd find it somewhat logical an OS or loader component starts verification, and then components upwards in the chain are well, chained together via verification, taking away the need to access the TPM after the initial modules are verified.

- Do you have any examples of how else the TPM is used? I'm very keen to learn more about it's use-cases.

[Foxboron]

> Hi Fox, i'm not aware of any other usages on the platform i'm familiar with sorry, maybe a gap in my understanding.

The TPM as a device is completely democratized and accessible by the normal user.

You can use it for platform attestation (which is this post is trying to point out might be broken in some cases), but it also works as a "discount" smartcard where you can seal data and shield keys.

Two examples here which I have written:

A file encryption utility for `age` that shields the keys in the TPM.

https://github.com/Foxboron/age-plugin-tpm

`ssh-tpm-agent` is an `ssh-agent` implementation that enables you to create TPM shielded keys and does signing operation on the TPM.

https://github.com/Foxboron/ssh-tpm-agent

Conceptually both of these tools can also use PCR policy sealing as a form of platform attestation, but I have not implemented that yet as it's a bit hard to do this in a user friendly way UX wise.

As noted by others, you can also do disk encryption. `systemd-cryptsetup` does this on Linux.

https://www.freedesktop.org/software/systemd/man/latest/syst...

> Afaik, if you want access to a chip like TPM, the OS will need to cooperate as such I/O access or MMIO or however it's accessed, will be privileged instructions likely.

Not really? `/dev/tpmrm0` is a TPM resource manager for Linux that is accessible by being part of the `tss` group.

> I'd find it somewhat logical an OS or loader component starts verification, and then components upwards in the chain are well, chained together via verification, taking away the need to access the TPM after the initial modules are verified.

This is only one of several use-cases of a TPM :)

This is also orthogonal of whether or not Secure Boot is part of the chain, depending on the operating system.

[sim7c00]

Thanks a lot for this reply Fox. this is really interesting stuff. thanks a ton!

[patmorgan23]

TPM isn't just for secure boot. Windows utilizes it for Bitlocker full disk encryption.

It's just not widely used for other applications.

[cryptonector]

That's still essentially part of the boot process. You can't use dTPMs as HSMs for TLS or whatever because dTPMs are way too slow.

[sim7c00]

Thanks, that's interesting. as commenter noted i'd say this is part of the boot-process, but you are right, it's not technically secure boot related. booting securely != secure boot that's correct :)