On Wed, 2023-04-05 at 13:39 -0500, William Roberts wrote: > On Mon, Apr 3, 2023 at 4:44 PM James Bottomley > <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote: [...] > > The most insidious interposer attack of all is a reset attack: > > since the interposer has access to the TPM bus, it can assert the > > TPM reset line any time it wants. When a TPM resets it mostly > > comes back in the same state except that all the PCRs are reset to > > their initial values. > > Controlling the reset line allows the interposer to change the PCR > > state after the fact by resetting the TPM and then replaying PCR > > extends to get the PCRs into a valid state to release secrets, so > > even if an attack event was recorded, the record is erased. This > > reset attack violates the fundamental princible of non- > > repudiability of TPM logs. Defeating the reset attack involves > > tying all TPM operations within the kernel to a property which will > > change detectably if the TPM is reset. For that reason, we tie all > > TPM sessions to the null hierarchy we obtain at start of day and > > whose seed changes on every reset. > > Rather than doing this, wouldn't the session be flushed from the TPM > on reset and thus subsequent commands using the session and session > key fail? That would happen only if we kept a context saved session, which we can't because the current session manager doesn't do de-gapping. To get around this we start a new, short lived, session for most operations. There has been a thought that it would be faster if we did context save a session to keep re-using it, so adding de-gapping is on the list somewhere, it's just not near the top yet. > If that's true, couldn't we just pin the trust to an existing trusted > key that we have the name of and move on? The kernel would know that > something happened when session protections started failing without > the complexity and time of generating a key in the NULL hierarchy and > certifying it. If the goal is to check not only the kernel but also the boot components (like OVMF/EDK2), then we need a handoff protocol. The beauty of the NULL seed is the name is a nice short thing to handoff. If we relied on sessions, we'd have to hand off a whole context saved session and all its nonces, which is a bit of a security risk. James
