Where in the boot process does the TPM decrypt or start decrypting a drive encrypted with BitLocker - tpm

As the title suggests, I'm trying to figure out when the TPM chip in a computer begins the decryption process to be able to boot a drive encrypted with BitLocker. Or, where could I find more information about it?

In the case of UEFI:
1) UEFI loads and starts the Microsoft bootloader from the (plain) EFI partition.
2) The bootloader reads the BitLocker metadata sectors from the encrypted partition.
3) If a TPM+PIN protector exists, the bootloader shows the PIN dialog.
4) The sealed key and a value derived from the PIN are sent to the TPM.
5) The TPM unseals the key and sends it back to the bootloader.
6) The bootloader can now access the encrypted partition.
The drive is not decrypted as a whole; every sector is decrypted/encrypted when it is accessed.
You can find information about the metadata here and the TPM specification here.

Related

Biometric Fingerprint Emulation

The company I work with requires me to log in by entering my biometric fingerprint with a fingerprint scanner.
It is good, but I have to borrow a device from my coworkers every time, and I can't afford a new one right now.
I don't always have a scanner with me at home.
Is there a way that I can virtually save my fingerprint on a computer and emulate a fingerprint input at any time without having the physical device with me?

How to programmatically read ThunderBolt firmware from UEFI

ThunderBolt firmware is stored in its own SPI flash and is updatable from the OS. The system's UEFI firmware is also able to access its configuration data in the flash - users are able to change the ThunderBolt Security Level (SL) from the firmware setup menu during pre-boot. This means there is definitely some way to access the ThunderBolt firmware via some UEFI protocol, but nothing I've tried seems to work.
What I've Tried
I'm able to successfully identify the ThunderBolt device based on its vendor ID and device ID using the EFI_PCI_IO_PROTOCOL.
I initially thought the firmware is an option ROM, so it should be accessible via EFI_PCI_IO_PROTOCOL.RomImage. However, the value is 0. I then thought the Expansion ROM Base Address Register (XROMBAR) that's inside the PCI Configuration Space may have it. But the XROMBAR is also 0. Extracting the firmware by reading the SPI flash using a hardware programmer, I found that it doesn't have the option ROM's signatures of 0xAA55 and "PCIR" anywhere. So it seems like the firmware is not an option ROM.
I then thought it could be stored in a firmware volume and thus should be accessible via the EFI_FIRMWARE_VOLUME2_PROTOCOL. I searched through all the firmware volumes and found a few option ROMs, but none of them belong to ThunderBolt (as seen from their vendor ID and device ID).
Background
I was looking at the ThunderSpy exploit and the report states that the ThunderBolt firmware is not verified during boot. I thought this was unusual since my thinking then was that the firmware should be an option ROM, and option ROMs must be signed and verified by Secure Boot during every boot. From my findings so far, it seems like the firmware isn't an option ROM and is most likely executed directly on the ThunderBolt controller chip and not on the CPU, hence it is outside the purview of Secure Boot. I'm trying to programmatically access the firmware so as to see if there are ways to defend against ThunderSpy-like attacks where malicious modifications were made to the firmware.
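The question checks a flash dump by hand for the 0xAA55 ROM signature and the "PCIR" data structure. The following is an added example, not code from the question or from any firmware project, that automates that check over a dump (or over a RomImage buffer obtained through EFI_PCI_IO_PROTOCOL) following the PCI Firmware Specification layout: it walks every image, reports vendor/device ID, class code, code type and, for EFI images, the machine type, so a defender can tell which controllers actually ship an option ROM that Secure Boot would see. The sample dump is constructed here and the IDs in it are placeholders, not a real device.

```python
"""Added example: find and describe PCI expansion ROM images inside a firmware dump."""
import struct

ROM_SIGNATURE = b"\x55\xAA"   # 0xAA55 stored little-endian at offset 0 of each image
PCIR_SIGNATURE = b"PCIR"
CODE_TYPES = {0: "x86 BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
EFI_MACHINE_TYPES = {0x014C: "IA32", 0x8664: "x64", 0xAA64: "AArch64"}


def parse_rom_image(data: bytes, offset: int):
    """Parse one option ROM image at `offset`; return None if no valid header + PCIR is there."""
    if data[offset:offset + 2] != ROM_SIGNATURE or offset + 0x1A > len(data):
        return None
    pcir = offset + struct.unpack_from("<H", data, offset + 0x18)[0]  # pointer to PCI Data Structure
    if pcir + 0x18 > len(data) or data[pcir:pcir + 4] != PCIR_SIGNATURE:
        return None
    vendor_id, device_id = struct.unpack_from("<HH", data, pcir + 4)
    prog_if, sub_class, base_class = data[pcir + 0x0D:pcir + 0x10]
    image_len_512, code_rev, code_type, indicator = struct.unpack_from("<HHBB", data, pcir + 0x10)
    info = {
        "offset": offset,
        "vendor_id": vendor_id,
        "device_id": device_id,
        "class_code": (base_class << 16) | (sub_class << 8) | prog_if,
        "image_length": image_len_512 * 512,   # PCIR stores the length in 512-byte units
        "code_revision": code_rev,
        "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
        "last_image": bool(indicator & 0x80),   # bit 7 marks the last image of a chain
    }
    if code_type == 3:  # EFI images carry the machine type at offset 0x0A of the ROM header
        machine = struct.unpack_from("<H", data, offset + 0x0A)[0]
        info["efi_machine"] = EFI_MACHINE_TYPES.get(machine, f"unknown({machine:#06x})")
    return info


def find_option_roms(data: bytes):
    """Scan a whole dump; images need not sit at offset 0 of an SPI flash dump."""
    found = []
    pos = 0
    while True:
        pos = data.find(ROM_SIGNATURE, pos)
        if pos < 0:
            return found
        info = parse_rom_image(data, pos)
        if info and info["image_length"] > 0:
            found.append(info)
            pos += info["image_length"]   # chained images follow each other
        else:
            pos += 1   # a stray 55 AA without a PCIR block is not an image


def build_sample_image(vendor_id, device_id, code_type, last, efi_machine=0x8664) -> bytes:
    """Constructed 512-byte option ROM image with a valid header and PCIR block (test data only)."""
    img = bytearray(512)
    img[0:2] = ROM_SIGNATURE
    pcir = 0x40
    struct.pack_into("<H", img, 0x18, pcir)
    if code_type == 3:
        # EFI signature 0x0EF1, subsystem 0x0B (boot service driver), machine type
        struct.pack_into("<IHH", img, 0x04, 0x0EF1, 0x0B, efi_machine)
    img[pcir:pcir + 4] = PCIR_SIGNATURE
    struct.pack_into("<HH", img, pcir + 4, vendor_id, device_id)
    struct.pack_into("<HB", img, pcir + 0x0A, 0x18, 0)           # structure length, revision
    img[pcir + 0x0D:pcir + 0x10] = bytes([0x00, 0x04, 0x06])     # class 0x060400: PCI-to-PCI bridge
    struct.pack_into("<HHBB", img, pcir + 0x10, 1, 0, code_type, 0x80 if last else 0)
    return bytes(img)


def sample_dump() -> bytes:
    """Constructed flash dump: padding, a legacy BIOS image chained to an EFI x64 image, padding."""
    return (bytes(0x300)
            + build_sample_image(0x1234, 0x5678, 0, last=False)
            + build_sample_image(0x1234, 0x5678, 3, last=True)
            + bytes(0x100))


if __name__ == "__main__":
    for rom in find_option_roms(sample_dump()):
        print(rom)
```

Run it against a real dump with `find_option_roms(open("flash.bin", "rb").read())`. An empty result on the controller's own flash is consistent with what the question observed: firmware that runs on the controller rather than on the CPU is not an option ROM and therefore never passes through the Secure Boot image-verification path.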

Storing key securely using TPM2

I'm working on an embedded system running embedded Linux.
The HW has a TPM chip. I've made some preparations: I installed the tpm2-tss and tpm2-tools SW libraries and tested them by hashing some data with the TPM. It worked.
The system implements some RF protocol and transmits messages.
The messages are encrypted using AES128 with a secret key that each device has.
I want to use the TPM capabilities to store the key securely on the device and to encrypt the messages before I send them.
I know that the TPM HW is limited, but the data traffic is very low, so I don't see any issue with encrypting the data with the TPM.
There is a lot of information about the TPM, but all this information made me more confused. I need some guidelines and a simple explanation to help me with my needs.
From what I've read, the TPM uses a secret internal key to encrypt data and store it in the system's external memory. So I guess I need to use this feature to encrypt the device key and store it.
I didn't understand how I address my key after that and how I "tell" the TPM to encrypt some data with this key.
I have the same problems with TPM2. TPM2 is so confusing to use with tpm2-tools. I recommend using clevis-encrypt tpm2 to abstract away the complexity of encrypting and decrypting.
If you have any news on using TPM2 for sealing boot, I would be thankful if you shared it here.
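The BitLocker answer at the top of the page and the TPM2 question above describe the same mechanism from two sides: the TPM holds a secret that never leaves the chip, returns an opaque "sealed" blob that is stored in ordinary memory (BitLocker keeps it in the volume metadata), and will only unwrap the blob when the PCRs hold the boot measurements it was sealed to. The following is an added example, not code from either post, nor from tpm2-tools or Microsoft, that models that flow in stand-alone Python so the two failure modes matter most to a defender can be seen: a modified bootloader changes the PCR and the key is not released, and a blob copied to a different TPM is rejected. The SHA-256 keystream plus HMAC wrap and the single PCR compared directly against the blob are simplifications standing in for the TPM's real AES wrapping and PolicyPCR session; the boot chain and key values are constructed.

```python
"""Added example: a simulated TPM sealing a disk key to boot measurements."""
import hashlib
import hmac
import os


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 PCR extend: new_pcr = H(old_pcr || H(measurement)). The PCR can only grow, never be set."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Predict the PCR value a boot chain produces, starting from the reset value (all zeros)."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class SimulatedTPM:
    """Simulated TPM: the seed stays inside the object; sealed blobs are handed back to the caller."""

    def __init__(self):
        self._seed = os.urandom(32)  # stands in for the storage hierarchy seed / SRK
        self.pcr = bytes(32)         # one PCR at its reset value

    def hard_reset(self):
        """A reboot resets PCRs; the seed persists in TPM non-volatile memory."""
        self.pcr = bytes(32)

    def extend(self, measurement: bytes):
        """Firmware/bootloader calls this for each component before executing it."""
        self.pcr = pcr_extend(self.pcr, measurement)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Toy keystream (stand-in for the TPM's symmetric wrap); never use this for real data.
        out = b""
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(self._seed + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def seal(self, secret: bytes, required_pcr: bytes) -> bytes:
        """Wrap `secret` so it is released only when the PCR equals required_pcr.
        Blob layout: nonce(16) || required_pcr(32) || ciphertext || tag(32)."""
        nonce = os.urandom(16)
        ciphertext = bytes(a ^ b for a, b in zip(secret, self._keystream(nonce, len(secret))))
        tag = hmac.new(self._seed, nonce + required_pcr + ciphertext, "sha256").digest()
        return nonce + required_pcr + ciphertext + tag

    def unseal(self, blob: bytes) -> bytes:
        nonce, required_pcr, ciphertext, tag = blob[:16], blob[16:48], blob[48:-32], blob[-32:]
        expected_tag = hmac.new(self._seed, nonce + required_pcr + ciphertext, "sha256").digest()
        if not hmac.compare_digest(tag, expected_tag):
            raise ValueError("blob was not sealed by this TPM or has been modified")
        if not hmac.compare_digest(required_pcr, self.pcr):
            raise PermissionError("PCR policy not satisfied: boot chain differs from the sealed one")
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext))))


def demo() -> dict:
    """Provision once, then boot cleanly, boot with a modified bootloader, and try another TPM."""
    tpm = SimulatedTPM()
    # Constructed boot chain; a real PCR 7 covers firmware, Secure Boot state and the boot manager.
    boot_chain = [b"platform firmware", b"secure boot policy", b"bootmgfw.efi"]
    volume_key = os.urandom(32)  # stands in for the BitLocker VMK, or the device's AES-128 key
    blob = tpm.seal(volume_key, measure_boot_chain(boot_chain))  # blob goes to disk/metadata

    tpm.hard_reset()
    for component in boot_chain:
        tpm.extend(component)
    good_boot = tpm.unseal(blob) == volume_key

    tpm.hard_reset()
    for component in [b"platform firmware", b"secure boot policy", b"modified bootmgfw.efi"]:
        tpm.extend(component)
    try:
        tpm.unseal(blob)
        tampered_boot_released_key = True
    except PermissionError:
        tampered_boot_released_key = False

    try:
        SimulatedTPM().unseal(blob)   # a different chip has a different seed
        other_tpm_released_key = True
    except ValueError:
        other_tpm_released_key = False

    return {"good_boot": good_boot,
            "tampered_boot_released_key": tampered_boot_released_key,
            "other_tpm_released_key": other_tpm_released_key}


if __name__ == "__main__":
    print(demo())
```

With a TPM+PIN protector the PIN-derived value becomes an additional input to the unseal authorisation; the PCR check is unchanged. The model also shows why the blob can sit unprotected in metadata: without the chip's seed it is just random bytes.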

ARM TrustZone, connecting peripherals?

I'm currently doing some research about ARM's TrustZone, e.g. here: ARM information center. As far as I understand, with TrustZone a secure environment based on the AMBA AXI bus can be created.
On ARM website it says: "This concept of secure and non-secure worlds extends beyond the processor to encompass memory, software, bus transactions, interrupts and peripherals within an SoC." I read that peripherals can be connected to TrustZone via the NonSecure-bit of the AMBA AXI bus (The extra signal is used to differentiate between trusted and non-trusted requests).
1) What, except the extra pin of AMBA AXI bus, is the TrustZone specific hardware in a SoC with TrustZone?
2) Is it possible to connect an external non-volatile memory (e.g. Flash) or a partition of it to TrustZone with access to the secure world (via the external memory interface and, then internally, the AXI bus)? If not, how are secrets (such as keys) stored to be used in the secure world (with the help of fuses??)? If yes, how is connecting a Flash containing malicious code prevented?
3) Is it possible to implement code to the secure world as a customer of a chip vendor (e.g. TI or NXP), either before or after the chip left the factory?
Thank you for your answers.
TrustZone is a set of standards released by ARM. It gives OEMs (embedded software programmers) and SOC vendors some tools to make a secure solution. These have different needs depending on what needs to be secured, so each SOC will be different. Some SOC manufacturers will try to compete on the same security application, but they will still differentiate.
1) What, except the extra pin of AMBA AXI bus, is the TrustZone specific hardware in a SoC with TrustZone?
Anything that the vendor wants. The GIC (ARMv7-A) interrupt controller, the L1 and L2 controllers, and the MMU are all TrustZone-aware peripherals in most Cortex-A CPUs. These are designed by ARM and implemented in the SOC. As well, there are various memory partitioning/exclusion devices which can be placed between a peripheral and the SOC. Examples are the NIC301 and various proprietary bus interconnect technologies.
Other hardware may include physical tampers, voltage and temperature monitoring, clock monitoring and cryptography accelerators.
2) Is it possible to connect an external non-volatile memory (e.g. Flash) or a partition of it to TrustZone with access to secure world (via external memory interface and -then internal- the AXI bus)? If no, how are secrets (as keys) stored to be used in the secure world (with help of fuses??)? If yes, how is it prevented that a Flash including malicious code is connected?
As the above alludes, chips like the NIC301 can physically partition AXI peripherals (see image below). Part of any TrustZone solution is some secure boot mechanism. All CPUs boot in the secure world. The secure boot mechanism may vary. For instance, a one-time programmable ROM might be appropriate for some applications. Many have programmable fuses with a public/private key mechanism implemented in SOC ROM. The SOC ROM boot software will verify that the image in flash is properly signed by whoever burned the one-time fuses.
This OEM image can set up many TrustZone peripherals, most of which will have a lock bit. Once set, registers in the peripherals cannot be changed until the next hard boot.
3) Is it possible to implement code to the secure world as a customer of a chip vendor (e.g. TI or NXP), either before or after the chip left the factory?
Yes, this is the secure boot mechanism. It is not specified in the ARM TrustZone documents how code will be secured. If you manufacture the chip, an on-chip ROM with a mesh layer protecting it may be sufficient for secure boot. However, TI and NXP will implement a public/private key mechanism and verify that only software signed by an OEM can be loaded. This OEM software can have bugs (and possibly the ROM loader by the SOC vendor too), but at least it is possible to create a secure boot chain.
With a public key, even complete access to the chip will only allow an attacker to load previously released software from the OEM. Some solutions may have revocation mechanisms as well to prevent previously released software from being used.
See: trust-zone
[Images not included: Typical ARM bus; ARM partition checker; Handling ARM TrustZone]
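The answer describes two mechanisms together: a partition checker such as the NIC301 that filters every bus transaction by address and the AXI NS bit, and a lock bit that the secure boot image sets so the partitioning cannot be changed until the next hard reset. The following is an added example, not code from the answer or from ARM, that models those two mechanisms in plain Python so the access rules can be exercised: the secure world programs its regions and locks them, normal-world transactions to secure-only regions are refused and logged, and a later attempt to reprogram a region fails. Region addresses, sizes and names are constructed and do not correspond to any particular SoC.

```python
"""Added example: a model of a TrustZone address-space partition checker with a lock bit."""
from dataclasses import dataclass

SECURE = 0      # AXI AxPROT[1] ("NS" bit) clear: transaction issued from the secure world
NON_SECURE = 1  # NS bit set: transaction issued from the normal world


@dataclass(frozen=True)
class Region:
    name: str
    base: int
    size: int
    secure_only: bool

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


class PartitionChecker:
    """Filters bus transactions by address and NS bit, like a TrustZone address-space controller."""

    def __init__(self):
        self._regions = []
        self._locked = False
        self.denied = []   # (addr, ns_bit, region name): what a real controller raises as a bus error/IRQ

    def configure(self, region: Region):
        """Program a region register. Only possible until lock() has been called."""
        if self._locked:
            raise PermissionError("partition registers are locked until the next hard reset")
        for existing in self._regions:
            if existing.base < region.base + region.size and region.base < existing.base + existing.size:
                raise ValueError(f"region {region.name!r} overlaps {existing.name!r}")
        self._regions.append(region)

    def lock(self):
        """The lock bit: secure boot sets it once the secure-world layout is final."""
        self._locked = True

    def hard_reset(self):
        """Only a hard reset clears the lock; a normal-world software reset does not."""
        self._regions.clear()
        self._locked = False
        self.denied.clear()

    def check(self, addr: int, ns_bit: int) -> bool:
        """Return True if the transaction may proceed, False (and log it) if it is blocked."""
        for region in self._regions:
            if region.contains(addr):
                if region.secure_only and ns_bit == NON_SECURE:
                    self.denied.append((addr, ns_bit, region.name))
                    return False
                return True
        self.denied.append((addr, ns_bit, "<unmapped>"))   # fail closed on unmapped addresses
        return False


def secure_boot_setup(checker: PartitionChecker):
    """What the signed secure-world boot image does before handing control to the normal world."""
    checker.configure(Region("secure SRAM (keys, TEE)", 0x1000_0000, 0x0001_0000, secure_only=True))
    checker.configure(Region("crypto accelerator", 0x4000_0000, 0x0000_1000, secure_only=True))
    checker.configure(Region("DRAM for the normal world", 0x8000_0000, 0x4000_0000, secure_only=False))
    checker.lock()


def demo() -> dict:
    checker = PartitionChecker()
    secure_boot_setup(checker)
    results = {
        "ns_reads_dram": checker.check(0x8010_0000, NON_SECURE),
        "ns_reads_secure_sram": checker.check(0x1000_0100, NON_SECURE),
        "secure_reads_secure_sram": checker.check(0x1000_0100, SECURE),
        "secure_reads_dram": checker.check(0x8010_0000, SECURE),
    }
    # After boot, normal-world code tries to reprogram the key region as non-secure.
    try:
        checker.configure(Region("post-boot remap attempt", 0x1000_0000, 0x0001_0000, secure_only=False))
        results["lock_bypassed"] = True
    except PermissionError:
        results["lock_bypassed"] = False
    results["denials_logged"] = len(checker.denied)
    return results


if __name__ == "__main__":
    print(demo())
```

The model fails closed on unmapped addresses and refuses overlapping regions; both are configuration mistakes that, on real silicon, turn into a normal-world window onto secure memory, and the `denied` list is the kind of event a TEE would want to surface as a tamper indication rather than silently drop.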

Upload firmware from Flash using U-Boot

I have a problem. My system is an embedded Linux platform. I am connecting to my board using the serial port and I can access U-Boot.
I need to extract the complete firmware residing in flash through the console or through Ethernet. It looks like downloading is easy using TFTP or serial (Kermit, etc), but uploading it to the host PC for backup isn't obvious.
Does anyone know how this can be done?
Assuming that you are using NAND flash and U-Boot 2013.07 or similar:
Use the nand info command to see the NAND device names, sizes and erase block sizes for each NAND device that U-Boot detects
Use the nand read command to read from the NAND into RAM. How much NAND to read into RAM depends on the RAM size
If you have an SD (MMC) drive you can write from RAM to SD using the mmc write command
If you have a USB device you can use start usb to scan the USB for a mass storage or "ethernet" (i.e. OTG) device
If start usb detects a mass storage device, you can write from RAM to the mass storage device using the usb write command
There is no way to transfer from RAM to a USB or Ethernet network connection
Use the md command to hex dump an arbitrary-size block of memory to the serial line, then use some program to translate the ASCII hex back into binary
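The last option above leaves the "some program" to the reader. The following is an added example, not code from the answer or from U-Boot, of that converter: it takes a serial capture of md.b, md.w or md.l output, skips the echoed command line and prompt, strips the ASCII column, checks that consecutive lines are contiguous (a line lost on the serial link would otherwise silently corrupt the backup) and returns the raw bytes. The captured dumps below are constructed, not from a real board.

```python
"""Added example: turn a U-Boot `md` hex dump captured from the serial console back into binary."""
import re

# "<address>: <hex units>    <ascii>"; the address is 8 hex digits (16 on 64-bit boards)
LINE_RE = re.compile(r"^([0-9a-fA-F]{8,16}):\s(.*)$")


def parse_md_dump(capture: str, endian: str = "little") -> bytes:
    """Parse md output into bytes.

    `endian` is the target CPU's byte order and only matters for md.w / md.l: U-Boot prints
    each unit as a native integer, so a little-endian ARM board shows bytes 56 19 05 27 as
    27051956 under md.l but as "56 19 05 27" under md.b. md.b is therefore the safest choice.
    """
    out = bytearray()
    next_addr = None
    for raw in capture.splitlines():
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue   # prompt, echoed command, or line noise
        addr = int(m.group(1), 16)
        # The hex field ends at the four-space gap before the ASCII column; the ASCII column
        # itself may contain spaces, so split only once.
        hex_field = m.group(2).split("    ", 1)[0].strip()
        units = hex_field.split()
        if not units:
            continue
        width = len(units[0]) // 2   # 1, 2 or 4 bytes for md.b / md.w / md.l
        if width not in (1, 2, 4) or any(len(u) != 2 * width for u in units):
            raise ValueError(f"malformed hex field at {addr:08x}: {hex_field!r}")
        if next_addr is not None and addr != next_addr:
            raise ValueError(f"gap in dump: expected {next_addr:08x}, got {addr:08x}")
        chunk = b"".join(int(u, 16).to_bytes(width, endian) for u in units)
        out += chunk
        next_addr = addr + len(chunk)
    return bytes(out)


def dump_has_gap(capture: str) -> bool:
    """True if the capture is missing lines (re-run md for that range before trusting the image)."""
    try:
        parse_md_dump(capture)
        return False
    except ValueError:
        return True


# Constructed capture of md.b on a little-endian ARM board. The first four bytes are the
# uImage magic 0x27051956, which is how a dumped kernel partition would begin.
SAMPLE_MD_B = """=> md.b 0x82000000 0x20
82000000: 27 05 19 56 48 65 6c 6c 6f 2c 20 55 2d 42 6f 6f    '..VHello, U-Boo
82000010: 74 21 00 ff 80 00 80 00 3d 68 78 1f 05 05 02 00    t!......=hx.....
=> """

# The same first 8 bytes dumped with md.l on that (little-endian) board.
SAMPLE_MD_L = "82000000: 56190527 6c6c6548    '..VHell\n"

# A capture where the serial link dropped the second line (0x82000010).
SAMPLE_WITH_GAP = """82000000: 27 05 19 56 48 65 6c 6c 6f 2c 20 55 2d 42 6f 6f    '..VHello, U-Boo
82000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
"""


if __name__ == "__main__":
    image = parse_md_dump(SAMPLE_MD_B)
    print(len(image), "bytes; magic", image[:4].hex(), "; gap:", dump_has_gap(SAMPLE_WITH_GAP))
```

Dump in chunks that fit the terminal's scrollback, capture with a logging terminal emulator, and feed the whole log to `parse_md_dump`; a `ValueError` about a gap tells you exactly which range to dump again. Keep the recorded flash size from `nand info` to hand so the final image length can be checked against it.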
If you're willing to rebuild U-Boot and reflash your board, you can enable the tftpput command with the CONFIG_CMD_TFTPPUT option. (Assuming a recent version of U-Boot.)
Assuming not, within the embedded Linux, you can access your flash through /dev/mtd* (cat /proc/mtd to see the partitions). You can use dd to copy a partition to a ramdisk file, then use cat to combine the files into a single image, and then use ftpput to send it to your host. (This assumes that your embedded busybox has been built with these commands.)
