Trusted Platform Module

In the previous article, we discussed end device security and various factors affecting it. There was a fleeting mention about TPM - the Trusted Platform Module. In this installment we will discuss mode about the TPM.

Generally, for any device, the safest way to ensure it's integrity is to make sure it always boots from a secured, verified and unalterable source. This forms the logical "root" of the entire boot process. Once the device boots from a trusted source, it further uses it to verify each and every software component it utilizes. Every module checks and verifies integrity of the next module to be loaded thus forming a "chain of trust" which if broken can be easily detected. This chain of trust then can be extended to encompass other devices across and upstream the network hierarchy. In this installment, let's have a deeper look at TPM.

What is TPM?

TPM is (generally) a chip designed to provide security related functions. It provides functionality such as generating cryptographic keys, recording and verification of system state integrity and a very limited storage (for storing security keys). So essentially TPM is a secure cryptoprocessor. TPM forms “root of trust” and hence acts as a starting point in the “chain of trust”.

TPM is a passive component – it doesn’t initiate any computation, nor does it alter or influence execution of code. It just responds to the queries initiated by other (hardware/software) components. TPM is generally a SMD on motherboard (TPM standard version 1.2), however as per latest standard (2.0), implementation range can span from hardware to Cloud (software). Once added, TPM becomes a permanent component of the platform.

Components of TPM

There are two essential components of a TPM – cryptographic engine and a set of registers.

Cryptograhic engine provides encryption-decryption capabilities, digital signatures and hashing functionality. The set of registers called Platform Configuration Registers are used to store representation of platform state.

Apart from these essential components, TPM also provides a limited memory to store keys or data. TPM provides a monotonic counter, and a mechanism to exchange data securely with TPM. Using these facilities,TPM provides platform attestation (reporting platform state) and sealing (using platform state to authorize access to keys and other data).

TPM provides platform integrity measurements and cryptographically binds secrets with a platform.

Standards, features and the TCG

TPM standard is maintained by the TCG – Trusted Computing Group. TPM standard version 1.2 is in wide use. Latest revision of version 2.0 became available in September 2016. Following table gives a comparative summary of both versions.
TPM 1.2
TPM 2.0
Architecture
One size fits all
Platform specific 4-part
Algorithms
SHA-1, RSA, MGF1 (PKCS#1), Optional: AES
SHA-1, SHA-256, RSA, ECC, HMAC, AES 128-bit, MGF1 (PKCS#1)
Crypto primitives
  • Random number generator
  • public key crypto algorithm
  • crypto hash function
  • mask generator
  • digital signature generator and verifier
  • direct anonymous attestation
  • key generator
  • (optional) symmetric key
  • Random number generator
  • Public key crypto algorithms
  • Crypto hash functions
  • Mask generator
  • Digital signature generator and verifier
  • Direct anonymous attestation
  • Symmetric key generator
  • Exclusive-or
  • Key derivation functions
Hierarchy
One (storage)
Three (platform, storage, endorsement)
Root keys
One (RSA-2048)
Multiple keys and algorithms
Authorization
HMAC, PCR, locality, physical presence
Password, HMAC, policy (covers HMAC, PCR, locality and physical presence)
NV RAM
Unstructured data
Unstructured data, counter, bitmap

How TPM works

Each TPM has a unique and secret RSA key burned in by the manufacturer. This key is used by TPM in further computing.

Platform initialization and state measurement

BIOS can take advantage of TPM. TPM along with UEFI BIOS forms a “Root of Trust”. At the time of boot up platform state is “measured” and stored in the TPM PCRs. Platform state is represented in TPM as hashes. TPM’s own RSA key is used to calculate the hashes. Just to give some idea, following are some of the items stored in TPM’s PCRs:

  • BIOS, ROM, Memory Block register
  • OS loaders
  • OS
  • Localities, Trusted OS
  • Applications specific information

This is used to provide “Measured Boot” functionality. Measured Boot is a process by which pre-boot software (e.g. firmware) uses TPM to verify nothing has changed in the pre-boot environment. Starting from power-on, each piece of code that is executed measures (hashes) next piece of code and extends PCR before executing it. The first piece of code that is executed (BIOS) is write-protected hence guarantees that nobody can spoof this sequence of measurements. This forms the “Root of Trust”.

Transaction validation

Once the “Root of Trust” is created, it is used in establishing “Chain of Trust”, which provides Trusted Execution Environment. It goes without saying that in order to take advantage of TPM, OS and applications should equally capable of utilizing TPM’s features. Applications need to be designed/enhanced to leverage TPM’s power. Typically all these applications rely on the keys generated by TPM to enforce secure execution environment.

When a software requests generation of a key, TPM generates a new RSA key, concatenates it with a value known only to TPM (“proof”), adds authorization data and encrypts all this information, returning this encrypted “blob” to requesting software. When the software wants to use the key, it sends “key load” command and the encrypted “blob” to TPM. TPM verifies the blob by checking that the “proof” is its own and then loads the RSA key into TPM memory. Software then can use this loaded key into further transactions.

Types of TPM

Version 1.2 of the standard defined a single type for everything. Version 2.0 defines 5 different types suitable for different kinds of platforms. Following table lists different types of TPM and compares different aspects like level of security, price and typical use scenarios.

TPM type
Security level
Security feature
Relative cost
Typical application
Discrete
Highest
Chip, tamper proof
100
Critical systems
Integrated
Higher
Hardware
10
Gateways
Firmware
High
Trusted Execution Environment
1
Infotainment
Software
NA
Same as OS platform
0.1
Testing/prototyping
Virtual
High
Hypervisor
0.01
Cloud environment

Concerns

There has been some resistance to whole-hearted acceptance of TPM from Open Source community as well as some corporates due to few concerns.

One of the concern is ability to abuse of remote validation software by which selective software can be allowed to execute, there by gaining an edge over competition.

Second concern is in case somebody gains physical or administrative access to TPM, security of the entire platform can be compromised.

Types of attacks

Like any other connected platform, TPM is also vulnerable for attacks. These attacks can be grouped in to four categories.

  • Software attacks – which exploit implementation flaws.
  • Fault attacks – which take advantage of design flaws (e.g. Voltage ranges, clock frequencies, UV light etc.)
  • Side channel attacks – like monitoring analogue signals. CIA claims to have hacked TPM using differential power analysis in 2010.
  • Invasive attacks – in which attacker gains physical access to the platform. In 2010, TPM was hacked by probing an internal bus. Cold-boot attacks are also possible with physical access to hardware.

References

Comments

Post a Comment

Popular posts from this blog

Security in Linux Kernel - Part 2

Image
  In the previous part of this series, we saw role of LSMs in kernel security. As mentioned earlier, there are eight LSMs available today in the modern Linux kernel. In this part, let's have a look at different main stream LSMs. SMACK Simplified Mandatory Access Control Kernel ( SMACK ) is designed primarily for embedded linux systems with an intention to make it easier for administrators. This was the second LSM (after SELinux) to be accepted in the linux kernel. It appeared in the 2.6.25 kernel release. This is an attribute (label) based simple LSM, and is the default for Linux implementations tuned for Automotive industry. Yama Yama collects system-wide DAC security restrictions that are not handled by the core kernel itself. It offers control over scope of ptrace() system call to control ptrace attachment by processes. Build time configuration option CONFIG_SECURITY_YAMA and runtime option through sysctls can be used to enable this LSM. The ptrace restrictions can be controll
Read more

Common Git Tips

Image
Obtain list of commits git reflog --oneline git log --oneline These commands will also print commit ID - a.k.a. commit hash. Obtain list of branches created by a user git for-each-ref --format=' %(authorname) %09 %(refname)' --sort=authorname | grep <username> Obtain branch hash git show-ref branch_name Delete a local/remote branch Assume that a branch "bugfix/114355" is created to fix a bug. To delete the local branch: git branch -d bugfix/114355 git branch -D bugfix/114355 '-D' is same as specifying "--delete --force" . To remove the remote branch as well: git push origin --delete bugfix/114355 Undo last commit git reset --soft HEAD~1 Roll back repo to a commit To roll-back the repository to a particular commit, follow these steps. find the hash corresponding to the particular commit by checking the commit logs: git log --oneline roll back the repository by resetting the HEAD pointer: git reset --hard <commit_hash> Remove the latest co
Read more