Comment by metalcrow

20 hours ago

>TPM-based measured boot, combined with UEFI Secure Boot, can generate a cryptographically signed attestation ... This is not a complete solution (a sufficiently sophisticated attacker can potentially manipulate attestation)

I was not aware that attackers could potentially manipulate attestation! How could that be done? That would seemingly defeat the point of remote attestation.

See this for example:

https://tee.fail/

Defeating remote attestation will be a key capability in the future. We should be able to fully own our computers without others being able to discriminate against us for it.

  • Sure, but the exploit presented doesn't really look practical for the everyman. And I'm not sure if it can be patched in HW/SW, and in any case this is just the first step to a fully fake secure boot.

  • Thank you for that link, that's super interesting! It looks like it's actually an architectural vulnerability in modern fTPMs, and considered out of scope by both Intel and AMD. So that's a reliable way to break attestation on even the most modern systems!

The comms between the motherboard and the TPM chip aren't secured, so an attacker can just do a MITM attack and substitute in the correct values.

  • That doesn't sound accurate. The T in TPM stands for trust; the whole standard is about verifying and establishing trust between entities. The standard is designed with the assumption that anyone can bring in their scope and probe the ports. This is one of several reasons why the standard defines endorsement keys (EK).

    • Actually, it is completely true. The TPM threat model has historically focused on software-based threats and physical attacks against the TPM chip itself - crucially NOT the communications between the chip and the CPU. In the over 20-year history of discrete TPMs, they are largely completely vulnerable to interposer (MITM) attacks, and only within the last few years is it being addressed by vendors. Endorsement keys don't matter because the TPM still has to trust the PCR commands sent to it by the CPU. An interposer can replace tampered PCR values with trusted values and the TPM would have no idea.

    • It is correct, the measurement command to the TPM is not encrypted. So with MITM you can record the boot measurements, then reset and replay to any step of the boot process. Secrets locked to particular stages of boot are then exposed.

      There is guidance on "Active" attacks [1], which is to set up your TPM secrets so they additionally require a signature from a secret stored securely on the CPU. But that only addresses secret storage, and does nothing about the compromised measurements. I also don't know what would be capable of providing the CPU secret for x86 processors besides... an embedded/firmware TPM.

      [1] https://trustedcomputinggroup.org/wp-content/uploads/TCG_-CP...

  • That's fair, although aren't most TPMs nowadays fTPMs? No interceptable communication that way.
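The thread above turns on one property of measured boot: a PCR value is a deterministic hash chain over the digests the TPM receives, so a remote verifier can only check what the TPM was told, not what the CPU actually ran. The following is an added example, not code from the thread or from any TPM vendor, that models a verifier in plain Python: it replays a constructed event log into SHA-256 PCRs using the real TPM2_PCR_Extend rule (new = H(old || digest)), builds a quote that binds the PCR digest to the verifier's nonce, and then runs four scenarios. The event log, the digests, the nonces and the attestation key are all constructed, and an HMAC stands in for the attestation-key signature so the example runs offline; the function names are this example's own.

```python
import hashlib
import hmac

# All values below are constructed for this example; they are not real firmware digests.
# A real TCG event log carries per-event digests (TCG_PCR_EVENT2), not the measured bytes.
GOLDEN_BOOT = [  # (PCR index, description, bytes the CPU hashes and extends)
    (0, "firmware", b"UEFI firmware image v1.0 (constructed)"),
    (4, "bootloader", b"shim.efi (constructed)"),
    (4, "kernel", b"vmlinuz (constructed)"),
    (7, "secure-boot-policy", b"SecureBoot=1 (constructed)"),
]
TAMPERED_BOOT = [  # same boot, but the bootloader was modified on the host
    (4, "bootloader", b"modified-shim.efi (constructed)") if desc == "bootloader" else (i, desc, data)
    for i, desc, data in GOLDEN_BOOT
]
AK_KEY = b"constructed stand-in for the attestation key"  # HMAC replaces the AK signature here
NONCE_A = b"verifier nonce A (constructed)"
NONCE_B = b"verifier nonce B (constructed)"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend on a SHA-256 bank: new = H(old || digest). Deterministic in its inputs."""
    return sha256(old + digest)


def replay_log(event_log) -> dict:
    """Recompute every PCR from an event log, starting from all-zero registers."""
    pcrs = {}
    for idx, _desc, data in event_log:
        pcrs[idx] = pcr_extend(pcrs.get(idx, bytes(32)), sha256(data))
    return pcrs


def pcr_digest(pcrs: dict) -> bytes:
    """Digest over the selected PCRs in index order, as a quote would cover them."""
    return sha256(b"".join(pcrs[i] for i in sorted(pcrs)))


def tpm_quote(pcrs: dict, nonce: bytes, key: bytes = AK_KEY):
    """Stand-in for TPM2_Quote: the signed body covers the PCR digest and the verifier's nonce."""
    body = pcr_digest(pcrs) + nonce
    return body, hmac.new(key, body, "sha256").digest()


def verify_quote(body: bytes, sig: bytes, expected_pcrs: dict, nonce: bytes, key: bytes = AK_KEY) -> str:
    """Verifier side: check signature, then freshness, then PCR values against the golden set."""
    if not hmac.compare_digest(sig, hmac.new(key, body, "sha256").digest()):
        return "bad signature"
    if body[32:] != nonce:
        return "stale quote (nonce mismatch)"
    if body[:32] != pcr_digest(expected_pcrs):
        return "pcr mismatch"
    return "ok"


def attest(bus_log, nonce: bytes) -> str:
    """bus_log is what the TPM actually received over the bus; the verifier expects GOLDEN_BOOT."""
    body, sig = tpm_quote(replay_log(bus_log), nonce)
    return verify_quote(body, sig, replay_log(GOLDEN_BOOT), nonce)


def honest_boot() -> str:
    return attest(GOLDEN_BOOT, NONCE_A)  # "ok"


def tampered_boot_honest_bus() -> str:
    return attest(TAMPERED_BOOT, NONCE_A)  # "pcr mismatch": the modified bootloader changes PCR 4


def tampered_boot_interposed_bus() -> str:
    # The host ran TAMPERED_BOOT, but the digests that reached the TPM were the ones recorded
    # from a good boot. PCR values depend only on what the TPM received, so the verifier
    # sees the golden values and accepts the machine.
    digests_seen_by_tpm = GOLDEN_BOOT
    return attest(digests_seen_by_tpm, NONCE_A)  # "ok" despite the tampering


def replayed_quote() -> str:
    # A quote captured for an earlier nonce fails: the nonce sits inside the signed body.
    body, sig = tpm_quote(replay_log(GOLDEN_BOOT), NONCE_A)
    return verify_quote(body, sig, replay_log(GOLDEN_BOOT), NONCE_B)  # "stale quote (nonce mismatch)"
```

The contrast between the last two scenarios is the point the thread makes: the nonce in the quote defeats replay of the quote itself, but nothing in the PCR chain tells the verifier whether a digest was delivered by the CPU or substituted on the bus. That is why the mitigations discussed above move either to a TPM that shares silicon with the CPU (fTPM) or to unseal policies that also demand a signature from a CPU-held secret, rather than to stronger checking on the verifier side.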