On Thu, May 10, 2018 at 9:47 AM, James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote: > On Thu, 2018-05-10 at 09:25 -0500, David R. Bild wrote: >> The TPM holds access credentials for connecting to the Xaptum >> network. > > OK, so these are effectively DevId keys. However, what makes you think > knowing the platform auth allows you to duplicate the keys? It doesn't and we don't think that. > As long as > you created them correctly (as in without duplication authority) then > even knowing the platform authorization I can't get them out of your > TPM. Correct. No one can copy/duplicate/read them. But they can delete them, which is effectively a denial of service attack against the device. >> We provision the credentials (the DAA secret key, specifically) under >> the platform hierarchy. The key can be used without platform >> authorization, but not removed. If we disable the platform hierarchy >> entirely, I think the credentials will no longer be available for >> use. > > That's certainly true if you actually need to use the platform > hierarchy. Your initial emails on the subject did say you were > disabling it though ... Mea culpa. Lazy wording on my part. >> > Early boot means userspace. for a hot pluggable device, this would >> > probably be something in udev if you follow the no-daemon model and >> > the daemon could do it if you do follow the daemon model. >> >> Could you expand on the udev approach? I might not understand enough >> about udev (or the coming TPM resource manager changes) to follow the >> suggestion. >> This seems unsafe to me. There's a race between a malicious >> userspace program and the daemon to set the platform >> authorization. If the malicious program wins, it can reset the TPM, >> removing the credentials, and the device won't be able to connect to >> the Xaptum network. (This is a liveness concern, not safety. A >> denial-of-service attack, essentially.) > > OK, I'm getting confused by your threat model. I don't think knowing > the platform auth I can obtain your keys. However, I agree, I can > definitely remove them. Correct. Removal (not copying) is our concern. > However, setting platform auth doesn't solve > this: I can execute a TPM2_Clear to regain the platform auth and if you > disable this According to the spec (v1.38) TPM2_Clear - flushes the Storage and Endorsement hierarchies, not the Platform hierarchy. - resets the Storage, Endorsement, and Lockout auth, but not the Platform auth. > I can't re-own the TPM at all. You can execute TPM2_Clear (if you have lockout auth. We don't set lockout auth, so you will.) to regain control of the Storage and Endorsement hierarchies. We only control the platform hierarchy. Best, David