Trusted Computing and the Trusted Platform Module Bruce Maggs
advertisement
Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno) Bryan Parno’s Travel Story 2 Attestation • How can we know that a system that we would like to use has not been compromised? 3 Bootstrapping Trust is Hard! Challenges: • Hardware App AppApp App 14 3 N 5 2 assurance • Ephemeral software Module 1 Module 3 • User Interaction OS S15 ( ( ) ) 987654321 10 11 12 13 14 Module Module 2 4 Safe? Yes! ^ H( ) 4 Bootstrapping Trust is Hard! Challenges: • Hardware Evil App assurance • Ephemeral software • User Interaction Safe? Evil OS Yes! 5 Trusted Platform Module Components https://en.wikipedia.org/wiki/Trusted_Platform_Module#/media/File:TPM.svg 6 TPM Chip Often found in business-class laptops https://en.wikipedia.org/wiki/Trusted_Platform_Module#/media/File:TPM_Asus.jpg 7 Caveat • The TPM is not 100% tamper proof! • Safe use requires physical security • In 2010 Christopher Tarnovsky extracted the private key from an Infineon TPM chip by • soaking the chip in acid to remove plastic • removing RF-shield wire mesh • probing with an extremely small needle 8 Built-In Unique Identifier • “Endorsement Key” permanently embedded in • • • • TPM RSA public-private key pair Private key never leaves the TPM chip Public key can be certified Master “storage root key” (SRK) created when TPM first used 9 On-Chip Algorithms • • • • • • RSA key-pair generation RSA encryption/decryption RSA signing Random number generation SHA-1 hashing Keyed-hash message authentication code (HMAC) 10 Platform Configuration Registers (PCRs) • A TPM contains several 20-byte PCRs • A PCR is initialized to zero at power on. • The only operation allowed on a PCR is to extend it: • val[PCR] = SHA1(val[PCR] . newval) • At boot time, a TPM-enabled PC takes a series of measurements and stores them in PCRs 11 HMAC • Hash with two inputs: a key and a block of data • Typically key is randomly generated • Key can be used (for example) to guarantee that the hash was freshly created 12 How HMAC can be used • TPM can hash contents of all storage on computer, or storage in certain places • Disks • Memory • Registers in the CPU • User can choose to execute only from known safe states 13 Applications • Storing and protecting sensitive information • Trusted boot • Attestation 14 TPM-Based Attestation Example [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04] Module Module Module Module BIOS OS Bootloader App App App PCRs TPM KPriv 15 Establishing Trust via a TPM [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04] random # Module Accurate! Module Module Module K Module Module AA p pA ppp OS Pu BIOS Bootloader BIOS Modul e Modul e Bootloader b OS p Module Module ( K Sign BIOS Bootloader priv Guarantees actual TPM logs Modul e Modul e OS random # AA p pA ppp p Guarantees freshness App App App Guarantees real TPM ) PCRs TPM KPriv 16 Microsoft BitLocker Drive Encryption • Password-protected encryption of • • • volume containing Windows OS, user files, e.g., C: Separate unencrypted volume contains files needed to load Windows TPM protects disk encryption key by encrypting it TPM releases key only after comparing hash of early (unencrypted) boot files with previous hash 17 Microsoft Secure Boot (Windows 8+) • Enabled by “UEFI” – Unified Extensible • • • Firmware Interface (replacement for traditional BIOS) Manufacturer’s and Microsoft public keys stored in firmware (can add other OS vendors) TPM checks that firmware is signed TPM checks that hash of boot loader has been signed with Microsoft public key 18 Microsoft Trusted Boot • Takes over after Secure Boot • Verifies all OS components, starting with Windows kernel • Windows kernel verifies boot drivers, start-up files 19 Microsoft Measured Boot • TPM signs measured boot log file • Remote attestation possible by transmitting signed boot log 20
