Return-Path:
Received: from bedivere.hansenpartnership.com ([66.63.167.143]:44154 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966102AbeEJOrf (ORCPT ); Thu, 10 May 2018 10:47:35 -0400
Message-ID: <1525963652.3258.4.camel@HansenPartnership.com>
Subject: Re: [PATCH v3 2/2] usb: misc: xapea00x: perform platform initialization of TPM
From: James Bottomley
To: "David R. Bild"
Cc: Jarkko Sakkinen , philip.b.tricca@intel.com, Jason Gunthorpe , Greg Kroah-Hartman , Peter Huewe , linux-usb@vger.kernel.org, linux-integrity@vger.kernel.org
Date: Thu, 10 May 2018 07:47:32 -0700
In-Reply-To:
References: <20180430125418.31344-1-david.bild@xaptum.com> <20180504130022.5231-3-david.bild@xaptum.com> <20180504190638.ikqhdvcqccakzdjd@ziepe.ca> <20180508105515.GB6132@linux.intel.com> <1525793148.3672.8.camel@HansenPartnership.com> <1525793785.3672.12.camel@HansenPartnership.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Sender: linux-integrity-owner@vger.kernel.org
List-ID:

On Thu, 2018-05-10 at 09:25 -0500, David R. Bild wrote:
> On Tue, May 8, 2018 at 10:36 AM, James Bottomley
> wrote:
> >
> > On Tue, 2018-05-08 at 10:29 -0500, David R. Bild wrote:
> > > On Tue, May 8, 2018 at 10:25 AM, James Bottomley
> > > wrote:
> > > >
> > > > I don't see any reason to set an unreachable password for the
> > > > platform hierarchy if the UEFI didn't. If the desire is to
> > > > disable the platform hierarchy, then it should be disabled, not
> > > > have a random password set.
> > >
> > > "Set random password and throw away the key" was my way of
> > > disabling the platform hierarchy. Is there a better way of doing
> > > that?
> >
> > Well, yes, use TPM2_HierarchyControl to set phEnable to CLEAR.
>
> I'm not sure that will work for us. Let me give a little more detail
> about this card.
>
> The TPM holds access credentials for connecting to the Xaptum
> network. This approach enables secure, zero-touch provisioning for
> IoT devices: Xaptum pre-provisions the TPMs *before* they are
> assembled onto a device PCB. The device is shipped directly from
> factory to end customer. The first time it turns on, the TPM is used
> to authenticate the Xaptum network. Using a TPM protects the
> credentials from being copied or duplicated by someone in the
> manufacturing chain.

OK, so these are effectively DevId keys. However, what makes you think
knowing the platform auth allows you to duplicate the keys? As long as
you created them correctly (as in without duplication authority) then
even knowing the platform authorization I can't get them out of your
TPM.

> These cards are designed for existing devices, like IoT gateways. You
> can't add a TPM to an existing PCB, but you can plug in a mini PCI-e
> card.
>
> We provision the credentials (the DAA secret key, specifically) under
> the platform hierarchy. The key can be used without platform
> authorization, but not removed. If we disable the platform hierarchy
> entirely, I think the credentials will no longer be available for
> use.

That's certainly true if you actually need to use the platform
hierarchy. Your initial emails on the subject did say you were
disabling it though ...

> > > > I'd also say this is probably the job of early boot based on
> > > > policy.
> > >
> > > Agreed. And since this card has no "early boot", the
> > > driver/kernel needs to do it.
> >
> > Early boot means userspace. For a hot-pluggable device, this would
> > probably be something in udev if you follow the no-daemon model, and
> > the daemon could do it if you do follow the daemon model.
>
> Could you expand on the udev approach? I might not understand enough
> about udev (or the coming TPM resource manager changes) to follow the
> suggestion.
>
> This seems unsafe to me. There's a race between a malicious
> userspace program and the daemon to set the platform
> authorization. If the malicious program wins, it can reset the TPM,
> removing the credentials, and the device won't be able to connect to
> the Xaptum network. (This is a liveness concern, not safety. A
> denial-of-service attack, essentially.)

OK, I'm getting confused by your threat model. I don't think that,
knowing the platform auth, I can obtain your keys. However, I agree, I
can definitely remove them. However, setting platform auth doesn't
solve this: I can execute a TPM2_Clear to regain the platform auth and
if you disable this, I can't re-own the TPM at all.

James
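The four commands the thread argues over, as an added worked example that is not part of the xapea00x patch or of either poster's mail: a standalone C marshaller that produces the exact byte stream a driver would hand to the TPM for TPM2_HierarchyChangeAuth (the "set a random password and throw away the key" approach), TPM2_HierarchyControl with phEnable CLEAR (the alternative James suggests), and TPM2_Clear plus TPM2_ClearControl (the reset and its disable that he points out). The numeric constants (command codes, permanent handles, TPM_RS_PW, TPM_ST_SESSIONS) are the TPM 2.0 Library specification values; the `tpm_buf` type, the function names and the fixed sample password are this example's own. The builders refuse two combinations the TPM itself rejects: TPM2_HierarchyControl cannot re-enable the platform hierarchy (phEnable is only SET again at TPM Reset, which is also the point at which platformAuth goes back to empty, which is why the userspace race David describes is rerun on every boot), and TPM2_ClearControl can only clear disableClear under platformAuth.

```c
/*
 * Added example (not the xapea00x driver's code): marshal the TPM 2.0
 * commands discussed in the thread into the byte stream a driver
 * writes to the TPM. Numeric constants are from the TPM 2.0 Library
 * specification, Part 2; everything else here is this example's own.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TPM_ST_SESSIONS            0x8002u
#define TPM_CC_HierarchyControl    0x00000121u
#define TPM_CC_Clear               0x00000126u
#define TPM_CC_ClearControl        0x00000127u
#define TPM_CC_HierarchyChangeAuth 0x00000129u
#define TPM_RH_LOCKOUT             0x4000000Au
#define TPM_RH_PLATFORM            0x4000000Cu
#define TPM_RS_PW                  0x40000009u /* password-session handle */
#define TPMI_NO   0
#define TPMI_YES  1
#define TPM_MAX_AUTH 64   /* largest authValue this example accepts */

struct tpm_buf {
    uint8_t data[256];
    size_t  len;
};

static struct tpm_buf cmd;   /* scratch buffer used by main() */

/* Big-endian primitives, as on the TPM wire. */
static void put_u8(struct tpm_buf *b, uint8_t v)   { b->data[b->len++] = v; }
static void put_u16(struct tpm_buf *b, uint16_t v) { put_u8(b, (uint8_t)(v >> 8)); put_u8(b, (uint8_t)v); }
static void put_u32(struct tpm_buf *b, uint32_t v) { put_u16(b, (uint16_t)(v >> 16)); put_u16(b, (uint16_t)v); }

/* Header: tag, commandSize (patched in cmd_finish), commandCode. */
static void cmd_init(struct tpm_buf *b, uint32_t cc)
{
    b->len = 0;
    put_u16(b, TPM_ST_SESSIONS);
    put_u32(b, 0);
    put_u32(b, cc);
}

static size_t cmd_finish(struct tpm_buf *b)
{
    uint32_t n = (uint32_t)b->len;
    b->data[2] = (uint8_t)(n >> 24);
    b->data[3] = (uint8_t)(n >> 16);
    b->data[4] = (uint8_t)(n >> 8);
    b->data[5] = (uint8_t)n;
    return b->len;
}

/* Authorization area with one TPMS_AUTH_COMMAND for a plain password
 * session: TPM_RS_PW, empty nonce, no attributes, hmac = the password.
 * An empty password is what platformAuth is right after TPM Reset,
 * until something sets it. */
static int put_password_auth(struct tpm_buf *b, const uint8_t *pw, uint16_t pwlen)
{
    if (pwlen > TPM_MAX_AUTH)
        return 0;
    put_u32(b, 4u + 2u + 1u + 2u + pwlen);   /* authorizationSize */
    put_u32(b, TPM_RS_PW);
    put_u16(b, 0);                            /* nonce.size */
    put_u8(b, 0);                             /* sessionAttributes */
    put_u16(b, pwlen);                        /* hmac.size */
    if (pwlen)
        memcpy(b->data + b->len, pw, pwlen);
    b->len += pwlen;
    return 1;
}

/* TPM2_HierarchyChangeAuth: the "random password, throw away the key"
 * approach. Whoever sends this first after TPM Reset wins the race. */
size_t tpm2_build_hierarchy_change_auth(struct tpm_buf *b, uint32_t auth_handle,
                                        const uint8_t *old_pw, uint16_t old_len,
                                        const uint8_t *new_pw, uint16_t new_len)
{
    if (new_len > TPM_MAX_AUTH)
        return 0;
    cmd_init(b, TPM_CC_HierarchyChangeAuth);
    put_u32(b, auth_handle);
    if (!put_password_auth(b, old_pw, old_len))
        return 0;
    put_u16(b, new_len);                      /* TPM2B_AUTH newAuth */
    if (new_len)
        memcpy(b->data + b->len, new_pw, new_len);
    b->len += new_len;
    return cmd_finish(b);
}

/* TPM2_HierarchyControl: the alternative James suggests. Disabling the
 * platform hierarchy needs platformAuth, and the TPM rejects state == YES
 * for TPM_RH_PLATFORM (phEnable is only SET again by TPM Reset); the same
 * rule is enforced here by returning 0. */
size_t tpm2_build_hierarchy_control(struct tpm_buf *b, uint32_t auth_handle,
                                    const uint8_t *pw, uint16_t pwlen,
                                    uint32_t enable, uint8_t state)
{
    if (enable == TPM_RH_PLATFORM &&
        (auth_handle != TPM_RH_PLATFORM || state != TPMI_NO))
        return 0;
    cmd_init(b, TPM_CC_HierarchyControl);
    put_u32(b, auth_handle);
    if (!put_password_auth(b, pw, pwlen))
        return 0;
    put_u32(b, enable);
    put_u8(b, state);
    return cmd_finish(b);
}

/* TPM2_Clear: authorized by lockoutAuth or platformAuth, so a program
 * holding either can wipe the owner and endorsement hierarchies. */
size_t tpm2_build_clear(struct tpm_buf *b, uint32_t auth_handle,
                        const uint8_t *pw, uint16_t pwlen)
{
    if (auth_handle != TPM_RH_LOCKOUT && auth_handle != TPM_RH_PLATFORM)
        return 0;
    cmd_init(b, TPM_CC_Clear);
    put_u32(b, auth_handle);
    if (!put_password_auth(b, pw, pwlen))
        return 0;
    return cmd_finish(b);
}

/* TPM2_ClearControl: lockoutAuth may only set disableClear; clearing it
 * again requires platformAuth, which is enforced here too. */
size_t tpm2_build_clear_control(struct tpm_buf *b, uint32_t auth_handle,
                                const uint8_t *pw, uint16_t pwlen, uint8_t disable)
{
    if (auth_handle != TPM_RH_LOCKOUT && auth_handle != TPM_RH_PLATFORM)
        return 0;
    if (disable == TPMI_NO && auth_handle != TPM_RH_PLATFORM)
        return 0;
    cmd_init(b, TPM_CC_ClearControl);
    put_u32(b, auth_handle);
    if (!put_password_auth(b, pw, pwlen))
        return 0;
    put_u8(b, disable);
    return cmd_finish(b);
}

int cmd_equals(const struct tpm_buf *b, const uint8_t *expect, size_t n)
{
    return b->len == n && memcmp(b->data, expect, n) == 0;
}

/* Hand-derived encoding of HierarchyControl(platform, phEnable := NO)
 * with an empty platformAuth; used to check the marshaller. */
static const uint8_t expect_disable_ph[32] = {
    0x80, 0x02,             /* TPM_ST_SESSIONS */
    0x00, 0x00, 0x00, 0x20, /* commandSize = 32 */
    0x00, 0x00, 0x01, 0x21, /* TPM_CC_HierarchyControl */
    0x40, 0x00, 0x00, 0x0C, /* authHandle = TPM_RH_PLATFORM */
    0x00, 0x00, 0x00, 0x09, /* authorizationSize */
    0x40, 0x00, 0x00, 0x09, /* TPM_RS_PW */
    0x00, 0x00,             /* nonce.size */
    0x00,                   /* sessionAttributes */
    0x00, 0x00,             /* hmac.size (empty password) */
    0x40, 0x00, 0x00, 0x0C, /* enable = TPM_RH_PLATFORM */
    0x00,                   /* state = NO */
};

/* Constructed sample "random" platform password: fixed bytes so the run
 * is reproducible. A real driver would draw these from the TPM's RNG. */
static const uint8_t sample_new_auth[32] = {
    0x5a, 0x11, 0x9c, 0x3e, 0x27, 0xd4, 0x08, 0xb6, 0xf1, 0x62, 0xaa, 0x0d, 0x73, 0xc9, 0x4f, 0x18,
    0xe5, 0x30, 0x8b, 0x96, 0x2c, 0x41, 0xd7, 0x6e, 0x05, 0xbf, 0x7a, 0xc3, 0x19, 0x84, 0xe0, 0x52,
};

static void hexdump(const char *name, const struct tpm_buf *b)
{
    printf("%-32s (%zu bytes):", name, b->len);
    for (size_t i = 0; i < b->len; i++)
        printf("%s%02x", (i % 16) ? " " : "\n  ", b->data[i]);
    printf("\n");
}

int main(void)
{
    tpm2_build_hierarchy_change_auth(&cmd, TPM_RH_PLATFORM, NULL, 0, sample_new_auth, 32);
    hexdump("HierarchyChangeAuth(platform)", &cmd);
    tpm2_build_hierarchy_control(&cmd, TPM_RH_PLATFORM, NULL, 0, TPM_RH_PLATFORM, TPMI_NO);
    hexdump("HierarchyControl(phEnable=NO)", &cmd);
    printf("matches hand-derived bytes: %s\n",
           cmd_equals(&cmd, expect_disable_ph, sizeof expect_disable_ph) ? "yes" : "no");
    tpm2_build_clear(&cmd, TPM_RH_LOCKOUT, NULL, 0);
    hexdump("Clear(lockout)", &cmd);
    tpm2_build_clear_control(&cmd, TPM_RH_LOCKOUT, NULL, 0, TPMI_YES);
    hexdump("ClearControl(lockout, disable)", &cmd);
    printf("re-enable platform hierarchy builds: %zu (0 = refused, needs TPM Reset)\n",
           tpm2_build_hierarchy_control(&cmd, TPM_RH_PLATFORM, NULL, 0, TPM_RH_PLATFORM, TPMI_YES));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; no TPM is touched, the program only prints the encodings. The refused builds are the part worth reading against the thread: once phEnable is CLEAR there is no command that sets it again, so the DAA key David describes as living under the platform hierarchy becomes unusable until the next TPM Reset, and a TPM Reset also returns platformAuth to the empty password, which is exactly the window in which the first TPM2_HierarchyChangeAuth sent wins.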