On Fr, 01.12.23 15:23, James Bottomley (James.Bottomley@xxxxxxxxxxxxxxxxxxxxx) wrote: > At Linux Plumbers Conference (https://lpc.events) there were several > discussions about some of the problems with TPMs in modern laptops, > like localities are very useful for key sealing policies (so they could > only be unwrapped by the kernel), but most laptops/servers can't use > them and also that 24 is too small a number of PCRs. For the former, > instead of making the kernel operate in a different locality from the > user and using a TPM2_PolicyLocality, we could get the kernel to create > a well known NV PIN index with a random authorization only it knew and > seal policies to it with TPM2_PolicySecret, so that only the kernel > could construct the authorization to satisfy the policy. The PCR > problem can be partly solved by using NV Extend indexes, which behave > very much like PCRs. > > The flaw in both the above is that absent the ability to create > platform NV indexes (which is impossible in modern firmware because the > platform hierarchy gets locked out), anyone possessing the owner > password (which is defined to be empty) can delete and recreate the > index, causing the authorization to change for NV PIN and resetting the > PCR for NV Extend. To mitigate this, we could block out a range of NV > indexes to be only accessible with the kernel (say 256 with handles of > the form 010f0ffXX - I chose this so as not to be too close to either > the beginning or end, but obviously the exact prefix is up for > discussion). The kernel would then snoop TPM2_NV_DefineSpace and > TPM2_NV_UndefineSpace commands and trap and report an error for any > attempt to add or delete an index in this range. We could then get the > kernel to create its PIN NV and say 127 NV Extend indexes, which > userspace would be able to extend, query and make policies on but not > delete. > > I'm bringing this up for discussion now, in case anyone has a better > idea or wants to add nuances (like measuring the creation to a real PCR > and adding an event log to measured boot) before I (or someone else) > look into coding it up. Why would that be necessary though? The "name" of an nvindex pins the access policy of the nvindex. And nvindexes are always created uninitialized, thus to to initialize one you just created (i.e. execute the first write to it) you must be able to fulfill the write policy set for it. But if you can do that, then why bother with deleting/recreating them in the first place? And if you set a different access policy on them then the "name" of the nvindex would change, and it would become useless in all references from other objects/quotes/… This logic is explicitly mentioned in that tpm book btw, it took me a while to grok how great that concept is, since it basically means you don't have to be concerned about removed/readded nvindexes at all. Lennart -- Lennart Poettering, Berlin
