On Wed, Mar 10, 2021 at 9:47 AM Hector Martin <marcan@xxxxxxxxx> wrote:

> Remember that if the key is ever lost, the RPMB is now completely
> useless forever.
>
> This is why, as far as I know, most sane platforms will use hard fused
> values to derive this kind of thing, not any kind of key stored in
> erasable storage.

You're right. In the mobile phone world this is a given fact.

If we are thinking devices are to be repurposed or reinstalled from scratch for example, like ordinary desktops or servers, RPMB does not make generic sense: it is not for "generic computing" but rather for protecting devices that you carry around and can be lost: mobile phones, Chromebooks, maybe laptops.

If and only if the user so desires, I would say, but sometimes the vendors decide policy...

(+/- the fact that some recent supply chain attacks for server software may actually make cloud people start thinking like this about their servers' integrity, what do I know.)

> Also, newly provisioned keys are sent in plain text, which means that
> any kind of "if the RPMB is blank, take it over" automation equates to
> handing over your key to an attacker who removes the RPMB and replaces
> it with a blank one, and then they can go access anything they want on
> the old RPMB device (assuming the key hasn't changed; and if it has
> changed that's conversely a recipe for data loss if something goes wrong).
>
> I really think trying to automate any kind of "default" usage of an RPMB
> is a terrible idea. It needs to be a conscious decision on a
> per-platform basis.

OK sorry for my bad ideas, what was I thinking :D

For a laptop or so, I would say, a user who is paranoid that their device gets stolen and used by someone else, should be able to set their device up, with some tool, such that a secret key from somewhere and RPMB is used to lock down the machine so that attackers cannot get into it and get the data out.

Disk is encrypted, and RPMB is there to block any exhaustive password or other authentication token search.

Ideally: the only way to make use of the hardware again would be to solder off the eMMC, if eMMC is used for RPMB. If we have RPMB on an NVMe or UFS drive, the idea is to lock that thing such that it becomes useless and needs to be replaced with a new part in this scenario.

In practice: make it hard, because we know no such jail is perfect. Make it not worth the effort, make it cheaper for thieves to just buy a new hard drive to use a stolen laptop, locking the data that was in it away forever by making the drive useless for any practical attacks.

Maybe it will be possible to blank the drive and use without RPMB since that is now locked with a key they can no longer access: the end result is the same: RPMB protected the data of the original user. So a one-time user protection such as a seal, once broken this seal cannot be reused to seal anything again and that is OK.

Yours,
Linus Walleij
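
An added illustration, not part of the original message and not kernel code: a toy Python model of the two RPMB properties the thread relies on, the write-once key and HMAC-authenticated writes bound to a monotonic write counter, used here to persist a failed-unlock count. The class and function names, the 4-byte payload and the direct read of the counter are simplifying assumptions; the real RPMB frame layout and the nonce-authenticated counter read are not reproduced.

```python
import hashlib
import hmac
import struct

def make_mac(key: bytes, data: bytes, counter: int) -> bytes:
    # HMAC-SHA256 over payload plus write counter (simplified frame, an assumption).
    return hmac.new(key, data + struct.pack(">I", counter), hashlib.sha256).digest()

class SimulatedRpmb:
    """Toy RPMB: write-once key, authenticated writes, monotonic write counter."""

    def __init__(self):
        self._key = None
        self.write_counter = 0
        self.data = b""

    def program_key(self, key: bytes) -> bool:
        # The key is programmed exactly once; it can never be read back or replaced.
        if self._key is not None:
            return False
        self._key = key
        return True

    def write(self, data: bytes, counter: int, mac: bytes) -> bool:
        # A stale counter means a replayed old frame; a bad MAC means the wrong key.
        if self._key is None or counter != self.write_counter:
            return False
        if not hmac.compare_digest(mac, make_mac(self._key, data, counter)):
            return False
        self.data = data
        self.write_counter += 1
        return True

def record_failures(rpmb: SimulatedRpmb, key: bytes, failures: int):
    """Host side: persist the failed-unlock count. Returns (accepted, frame)."""
    data = struct.pack(">I", failures)
    frame = (data, rpmb.write_counter, make_mac(key, data, rpmb.write_counter))
    return rpmb.write(*frame), frame

def demo():
    key = bytes(range(32))                     # constructed sample key
    rpmb = SimulatedRpmb()
    rpmb.program_key(key)
    _, zero_frame = record_failures(rpmb, key, 0)
    for failures in (1, 2):
        record_failures(rpmb, key, failures)
    replayed = rpmb.write(*zero_frame)         # old "0 failures" frame sent again
    rekeyed = rpmb.program_key(b"\x00" * 32)   # second key programming attempt
    stored = struct.unpack(">I", rpmb.data)[0]
    return replayed, rekeyed, stored           # → (False, False, 2)
```

The rejected second `program_key` call is the same property that makes a lost key permanent: there is no path back to a blank, re-provisionable state.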