git-history.diyao.me Git - systemd/.git/commit

tpm2: add support for a trusted SRK

Prevent attackers from spoofing the tpmKey portion of the AuthSession by
adding a trusted key to the LUKS header metadata. Also, use a persistent
object rather than a transient object.

This provides the following benifits:
1. No way to MITM the tpmKey portion of the session, see [1] for
details.

2. Strengthens the encrypted sessions, note that the bindKey could be
dropped now.

3. Speed, once it's created we just use it.

4. Owner Auth is needed to call create primary, so using the SRK
creates a scratch space for normal users.

This is a "first to set" model, in where the first person to set the key
in the LUKS header wins. Thus, setup should be done in a known good
state. If an SRK, which is a primary key at a special persistent
address, is found, it will use whatever is there. If not, it creates an
SRK. The SRK follows the convetions used through the tpm2-software
organization code on GitHub [2], however, a split has occured between
Windows and Linux with respect to SRK templates. The Linux SRK is
generated with the unique field size set to 0, in Windows, it properly
sets the size to key size in bytes and the unique data to all 0's of that
size. Note the proper templates for SRKs is covered in spec [3].
However, the most important thing, is that both SRKs are passwordless,
and thus they should be interchangable. If Windows is the first to make
the SRK, systemd will gladly accept it and vice-versa.

1. Without the bindKey being utilized, an attacker was able to intercept
this and fake a key, thus being able to decrypt and encrypt traffic as
needed. Introduction of the bindKey strengthened this, but allows for
the attacker to brute force AES128CFB using pin guesses. Introduction of
the salt increases the difficulty of this attack as well as DA attacks
on the TPM objects itself.

2. https://github.com/tpm2-software

3. https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf

Fixes: #20668
Fixes: #22637

Signed-off-by: William Roberts <william.c.roberts@intel.com>

author	William Roberts <william.c.roberts@intel.com>
	Fri, 24 Feb 2023 20:11:16 +0000 (14:11 -0600)
committer	Lennart Poettering <lennart@poettering.net>
	Mon, 3 Apr 2023 11:10:49 +0000 (13:10 +0200)
commit	acbb504eaf1be51572b1c0d0d490ac478bc41c64
tree	e0839663d475941cd5642924b69e97a7fba2aecf	tree \| snapshot
parent	6b868766eb60c4ab1764caf790c375ee31b4a9f6	commit \| diff

TODO		diff \| blob \| history
src/cryptenroll/cryptenroll-tpm2.c		diff \| blob \| history
src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c		diff \| blob \| history
src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c		diff \| blob \| history
src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h		diff \| blob \| history
src/cryptsetup/cryptsetup-tpm2.c		diff \| blob \| history
src/cryptsetup/cryptsetup-tpm2.h		diff \| blob \| history
src/cryptsetup/cryptsetup.c		diff \| blob \| history
src/partition/repart.c		diff \| blob \| history
src/shared/creds-util.c		diff \| blob \| history
src/shared/tpm2-util.c		diff \| blob \| history
src/shared/tpm2-util.h		diff \| blob \| history
src/test/test-tpm2.c		diff \| blob \| history