code.
  1. Using Intel SGX Enclaves in NFC-enabled TPM-based Local Attestation


    Previously, Matthew Garrett and I came up with a new idea for a method of local attestation. Local attestation here means: authenticating to the computer that the user possesses a valid hardware token, and authenticating to the user that the computer is executing the intended code and that said code has not been tampered with. The idea is to use some NFC-enabled “smart” wearable device, something trivially hideable on (or inside¹) one’s person, in order to authenticate to the TPM, which then validates that the next stage of code to be executed, e.g. usually the kernel (ring 0) or the hypervisor (ring “-1”), has verifiable integrity. Matthew has a great 32c3 talk on TPM-based local attestation, and even briefly, towards the end of the video, mentions the NFC ideas.

    As an example use case, this would allow journalists² greater safety when crossing borders. Your laptop got taken away by the TLA at a border? Not such a problem; it simply doesn’t boot without you present. The TLA took your laptop into the back room to try to install some malware on it? No worries, because your laptop will refuse to boot the next time you try to do so (or it could signal in some other way that the system was compromised… however, refusing to decrypt the user’s hard drive is probably a bare minimum safety requirement, and refusing to boot at all is probably the safest).

    However, all of this places a great deal of trust in both the TPM device and its manufacturer…

    Despite Joanna Rutkowska’s concerns over untrusted user input/output, it would be interesting to see a system, built upon the above local attestation method, which uses an Intel SGX enclave (see the Intel Instruction Set Extensions Programming Reference for architectural details) to execute code whose integrity has been previously verified through two-factor authenticated TPM local attestation. This doesn’t require user I/O, and it doesn’t require anything to be displayed to the user. What it would provide, however, is a way for the code whose integrity is verified by the TPM to remain safely isolated from:

    • the BIOS, or tampering thereof,
    • System Management Mode (SMM), and
    • (possibly) Intel Active Management Technology (AMT) — modulo Intel’s SGX implementation (and how much you trust said implementation to protect you from their AMT backdoor).

    This protects against tampering of the BIOS itself, which, otherwise, could possibly subvert the initialisation of the TPM hardware and cause the integrity verification checks to falsely pass. Without SGX, SMM (ring “-2”) would have the capability to emulate and/or forward calls to and from the TPM device, and as such any SMM-based attack would completely subvert the local attestation.

    Additionally, in my and Matthew’s NFC-TPM-based local attestation method, the cryptographic code for verification would need to be partially executed on the “smart” device. In Matthew’s 32c3 talk, the laptop uses a pre-shared key, stored in the TPM, to generate …

  2. Valencia, Spain



    If H.R. Giger and Steve Jobs had a baby…
    When all your friends wear mirrored shades, anonymity is a bitch.

