Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington
Overview Motivation Trusted Computing and Trusted Platform Modules (TPM) Trusted Software Stacks Attestation Measurements Future Work and Conclusion
Motivation An End to the Middle ◦ Our ongoing research. ◦ Networked computers and trust. ◦ How can we validate a computer? ◦ Even with a password, can we trust they are who they say they are? Hardware offers a potential solution…
Trusted Computing and TPMs Trusted Computing Group ◦ Spec for TPM and trusted software stack. TPM - Hardware chip on most new business laptops and some other PCs. ◦ Dell Latitude, Lenovo ThinkPad, etc… Offers some help that software can’t. NOT protection against physical attacks.
TPM Functionality
Persistent memory ◦ Endorsement key (EK) Permanent private unique key ◦ Storage Root Key (SRK) Encrypts other keys, data with pub key out to disk. Volatile memory ◦ Platform Configuration Registers (PCR) ◦ Attestation identity keys ◦ Storage keys
TPM Functionality Crypto-processor ◦ RSA key generator ◦ Random number generator ◦ Encryption / decryption ◦ SHA-1 hash and append PCRs are append only. PCR[i] = SHA-1(PCR[i] | new value)
Trusted Software Stacks Core root of trust for measurement (CRTM). ◦ Boot block in BIOS. Never changes. Chain of trust. ◦ Each software component measures the next. ◦ Append measurements to PCRs. TrustedGRUB TrouSerS (TSS API)
Trusted Software Stacks
Attestation We have a snapshot of state which can be signed. How do we deliver it? We can’t just send it over… ◦ Replay attacks
Attestation We have a snapshot of state which can be signed. How do we deliver it? We can’t just send it over… ◦ Replay attacks
Attestation Use a nonce ◦ When request to join comes, challenge with a random number. ◦ Append to PCRs and sign. Funky fresh. Note: Measurements only represent state immediately after boot. ◦ No guarantees of events after boot! Still need to prove that the TPM is a TPM Certificate Authority ◦ Validate TPM
Attestation AIK EK AIK Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Attestation AIK EK AIK Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Attestation AIK EK AIK Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Attestation AIK EK AIK Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Attestation AIK EK AIK Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Attestation ? AIK EK Challenge! AIK Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Attestation 02895… AIK EK AIK Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Attestation 10110… AIK EK AIK Append nonce and sign PCRs with priv_AIK Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Attestation 10110… AIK EK AIK Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Attestation AIK EK AIK 10110… AIK Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Attestation AIK EK AIK 10110… AIK Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Attestation AIK EK AIK 10110… AIK Verify bits match: SHA-1(expected PCRs | nonce) SUCCESS! Privacy CA Trusted Nodes New Node Manf. Cert. PCA Cert.
Measurements Verify PCR values change
Measurements Time in seconds Extends are fast Creating keys is very slow Load and sign, not too bad…
Future Work Create a privacy CA. Implement complete attestation process and benchmark major components. Put Xen in the middle of the chain of trust. Add trusted software stack to ETTM project.
Conclusion TPMs show promise. Building a trusted software stack is possible with open-source software. Time cost not negligible, but reasonable. Hardware should get better. Need more software support.
Other Thoughts Lots of laptops have TPMs, no one uses them. TrustedGRUB has extra lines of code. We didn’t write them. The Dell Latitude e5400 is garbage. ◦ Two thumbs down!