Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

XPDDS17: Supporting TPM 2.0 In The Dynamic Root of Trust Model on OpenXT - Chris Rogers, AIS


Published on

OpenXT is a Xen-based client virtualization platform that provides a DRTM environment using the TPM, Tboot, and Intel TXT. Within the past few years, the TPM 2.0 specification has been finalized enough such that the majority of new hardware ships with a 2.0 module. Therefore, it was imperative that the OpenXT project leverage the significant improvements to security and features that TPM 2.0 provides. This presentation seeks to detail and examine the implementation challenges we faced during the course of development, including the integration of a new set of TPM tools from Intel, modifications to Tboot, 'layered' sealing, and handling the many nuances of the TPM 2.0 spec as it applies to OpenXT. It is our hope that this knowledge may contribute to the adoption of TPM 2.0 in a wider variety of security-focused projects.

Published in: Technology
  • Be the first to comment

XPDDS17: Supporting TPM 2.0 In The Dynamic Root of Trust Model on OpenXT - Chris Rogers, AIS

  1. 1. Supporting TPM 2.0 In The DRTM on OpenXT Chris Rogers, Research Software Engineer, AIS
  2. 2. Agenda • Background • TPM 2.0 Development • Future Work
  3. 3. TPM 2.0 (Background) • Secure cryptoprocessor standard • Discrete hardware • Used to establish a “root of trust”
  4. 4. OpenXT (Background) • Xen-based client virtualization platform • Intel TXT, Tboot, TPM for DRTM
  5. 5. OpenXT – Measured Launch (Background) TPM Firmware PCR 0-7 PCR 17-19 PCR 15 Unseal Boot into platform Fail Boot, Measurement fail action Success Fail Tboot Initramfs
  6. 6. Agenda • Background • TPM 2.0 Development • Future Work
  7. 7. Why? (TPM 2.0) • TPM 1.2 is outdated • SHA-1 has known collisions • Limited options for encryption algs (RSA, optional AES) • Prime factorization’s days are numbered • Unable to adapt to changing security landscape • TrouSerS • OpenXT’s TSS for 1.2, no plans to support 2.0
  8. 8. Focus Areas (TPM 2.0) • Tboot • TSS/Toolstack • Dom0 management scripts
  9. 9. Tboot (TPM 2.0) • Tb_polgen, policy generation tool • Policy tells tboot which PCR num and bank for extend • Hardcoded to use SHA-1 for hashing ops • Patched to make hash alg configurable
  10. 10. Tboot (TPM 2.0) • First up, last down • Tboot needs to perform an “Orderly shutdown” • On reboot, halt, or S4 • S3 is a special case • See TCG Spec: Part 1, Section 19.8.6 • Hardware solution to specific Dictionary Attack vector • Once in lockout, authenticated ops fail • Either tpm_clear, reset lockout with hierarchy, wait for TPM_PT_LOCKOUT_COUNTER
  11. 11. TSS/Toolstack (TPM 2.0) • Currently using Intel’s TPM 2.0 projects • TPM2.0-TSS ( • tpm2.0-tools ( v2.0.0 • Several patches against tpm2.0-tools • Tpm2_extendpcr, tpm2_sealdata, tpm2_unsealdata • Various lib modifications
  12. 12. TSS/Toolstack (TPM 2.0) • Tpm2_extendpcr • Basic tool to extend pcr values • Dom0 extends PCR-15 with hash of rootfs • Tpm2_sealdata • Builds PCR policy, creates sealed data blob against provided set of PCRs. • Tpm2_unsealdata • Builds PCR policy, loads sealed blob into TPM with (tpm2_load) and unseals with tpm2_unseal.
  13. 13. TSS/Toolstack (TPM 2.0) • Current implementation doesn’t use resource manager • Use Tss2_Sys_FlushContext() to manage loaded handles. • Avoid limit of max transient handles with simple operations.
  14. 14. Dom0 (TPM 2.0) • New Selinux rules • Measured Launch scripts • Support new hash algs, new tools syntax • Implement framework for “layered sealing” • Logic changes to handle 2.0 vs 1.2 (we support both, TPM version determined at runtime)
  15. 15. Agenda • Background • TPM 2.0 Development • Future Work
  16. 16. Layered Sealing (Future Work) • Manufacturers sometimes have inconsistencies with TPM hardware. • Certain bios measurements are inconsistent • When hash bank is disabled, PCRs are still extended • Solve this problem in software with Layered Sealing
  17. 17. Layered Sealing (Future Work) • Normally, we seal against a single bank. • seal_sha256(priv_key) • With a layered approach, we can protect the key and verify platform integrity. • For all available PCR banks, layer the seal operations • seal_sha512(seal_sha384(seal_sha256(seal_sha1(priv_key)))) • Unseal in the opposite direction to retrieve key.
  18. 18. Layered Sealing (Future Work) • Implementation challenges: • Max private data size is 128 bytes (MAX_SYM_DATA) • Output of single seal operation is a TPM2B_Private struct, much larger than 128 bytes. • Read and seal 128 byte segments • Seal ops are cheap, though input/output files will become large after 2+ seals. • In progress, targeted for next OpenXT release
  19. 19. Future Work • OpenXT uses TPM for specific use case, but TPM 2.0 has many new features. • Remote attestation • Use TPM to assure remote management server that platform integrity is sound • Crypto • Dedicated Key Storage
  20. 20. Questions?