From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Emil Condrea <emilcondrea@gmail.com>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: vTPM Deep Quote validation
Date: Mon, 09 Mar 2015 13:26:42 -0400 [thread overview]
Message-ID: <54FDD7D2.5010400@tycho.nsa.gov> (raw)
In-Reply-To: <CAAULxKK33Vpk7OxtJ_wd=Yo2ogvJ2ZQruxeCbkUUwAnwD_6erg@mail.gmail.com>
On 03/09/2015 11:58 AM, Emil Condrea wrote:
> On Mon, Mar 9, 2015 at 4:40 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov>
> wrote:
>
>> On 03/08/2015 07:41 AM, Emil Condrea wrote:
>>
>>> I am trying to validate a Deep Quote request made by domU but I feel that
>>> something is missing. Right now when a domU requests TPM_ORD_DeepQuote:
>>> 1. vTPM:
>>> - unpacks the params: nonce, vTPM PCR selection and physical PCR selection
>>> - packs PCR_INFO_SHORT structure into buf that contains the selected vTPM
>>> PCRs
>>> - computes nonce as a SHA1 of: dquot_hdr, nonce, and previous packed buf
>>> - packs: nonce, physical PCR selection
>>> - receives physical pcr data and signature from manager and returns them
>>> to
>>> DomU
>>> 2. vTPM Manager
>>> - unpacks the params: nonce, PCR selection
>>> - execute TPM_Quote with: externalData = nonce
>>> - returns pcr data and signature to vTPM
>>>
>>> If domU user wants to validate the signature it has to do the exact
>>> process
>>> that the vtpm and manager did but the virtual PCR values are not included
>>> in response, just physical ones.
>>>
>>
>> The virtual machine can use TPM_PCRRead to get the value of the vTPM PCRs.
>> This is the same method that is used by the TPM_Quote2 command.
>
>
> I thought of using TPM_PCRRead from virtual machine but it was not clear
> for me if it is safe.
> Is it possible for the selected vTPM PCRs values to be different when
> performing
> composite hash on vTPM from the values read with TPM_PCRRead after
> executing DeepQuote?
One way to detect this is by reading the PCRs before and after asking
for a quote. If the values match, then the quote used those values; if
not, try the quote operation again. In either case, you should have a
log or other information on what values have been extended into the PCRs
so that a verifier can make sense of them: there is little reason to
include the PCRs in a quote if you can't reconstruct them.
As an alternative to retrying, you could try to reconstruct the PCRs
used in the quote by hashing the various possibilities drawn from the
logs. If the number of extend operations between the pre- and post-read
operations is reasonable, this could end up being faster than asking for
another quote from the (rather slow) hardware TPM.
> The TPM has context management for each application? (eg: when one
> application extends something
> into a PCR and another application extends other thing in the same PCR(at
> the same time moment),
> are they hashed together?)
This depends on the TPM multiplexing daemon (usually trousers in Linux).
I believe it just processes the requests in the order it receives them,
so without external synchronization they would be in an arbitrary order.
I am unsure if this is implemented (and would guess it is currently
not), but it would be possible for trousers to queue up several commands
(such as PCR reads and quote requests) from a single source and
guarantee that they are executed without intervening commands. In order
to avoid interactions with IMA, this would need an extension to the
Linux TPM character device interface to submit multiple commands for
processing without unlocking the TPM device.
> When I read the standard I understood that the PCRs can never be
> overwritten,
> just reset and extended.
>
> Thanks.
>
>>
>>
>> We can include the vTPM PCRS in response or the manager must perform
>>> TPM_Quote using the nonce received from domU in order to be able to have a
>>> successful validation on the client side.
>>>
>>
>> If you want a quote without any vTPM PCRs, you can specify an empty PCR
>> mask
>> to get something fairly close to this behavior - the nonce will be combined
>> with an empty deep quote structure instead of passed directly.
>>
>> What do you think? Is there something that I am missing ?
>>>
>>
>> It is useful to be able to ask for the current value of both physical and
>> virtual PCRs in a single atomic operation. Including the value of all PCRs
>> in the response could make the reply packet too large (which is part of the
>> reason why TPM_Quote2 removed them).
>>
>> --
>> Daniel De Graaf
>> National Security Agency
>>
>
--
Daniel De Graaf
National Security Agency
next prev parent reply other threads:[~2015-03-09 17:26 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-08 11:41 vTPM Deep Quote validation Emil Condrea
2015-03-09 14:40 ` Daniel De Graaf
2015-03-09 15:58 ` Emil Condrea
2015-03-09 17:26 ` Daniel De Graaf [this message]
2015-03-10 13:21 ` Emil Condrea
2015-03-09 14:51 ` Xu, Quan
2015-03-09 14:54 ` Emil Condrea
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54FDD7D2.5010400@tycho.nsa.gov \
--to=dgdegra@tycho.nsa.gov \
--cc=emilcondrea@gmail.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.