lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <c466ed57-35a8-41c0-9647-c70e588ad1d3@apertussolutions.com>
Date: Sat, 21 Sep 2024 14:36:58 -0400
From: "Daniel P. Smith" <dpsmith@...rtussolutions.com>
To: Andy Lutomirski <luto@...capital.net>
Cc: Thomas Gleixner <tglx@...utronix.de>,
 "Eric W. Biederman" <ebiederm@...ssion.com>,
 Eric Biggers <ebiggers@...nel.org>,
 Ross Philipson <ross.philipson@...cle.com>, linux-kernel@...r.kernel.org,
 x86@...nel.org, linux-integrity@...r.kernel.org, linux-doc@...r.kernel.org,
 linux-crypto@...r.kernel.org, kexec@...ts.infradead.org,
 linux-efi@...r.kernel.org, iommu@...ts.linux-foundation.org,
 mingo@...hat.com, bp@...en8.de, hpa@...or.com, dave.hansen@...ux.intel.com,
 ardb@...nel.org, mjg59@...f.ucam.org, James.Bottomley@...senpartnership.com,
 peterhuewe@....de, jarkko@...nel.org, jgg@...pe.ca, nivedita@...m.mit.edu,
 herbert@...dor.apana.org.au, davem@...emloft.net, corbet@....net,
 dwmw2@...radead.org, baolu.lu@...ux.intel.com, kanth.ghatraju@...cle.com,
 andrew.cooper3@...rix.com, trenchboot-devel@...glegroups.com
Subject: Re: [PATCH v9 06/19] x86: Add early SHA-1 support for Secure Launch
 early measurements

On 9/13/24 23:57, Andy Lutomirski wrote:
> On Thu, Sep 12, 2024 at 5:34 PM Daniel P. Smith
> <dpsmith@...rtussolutions.com> wrote:
>>
>> Hey again,
>>
>> On 9/4/24 21:01, Daniel P. Smith wrote:
>>> Hi Luto.
>>>
>>> On 8/28/24 23:17, Andy Lutomirski wrote:
>>>> On Thu, Aug 15, 2024 at 12:10 PM Thomas Gleixner <tglx@...utronix.de>
>>>> wrote:
>>>>>
>>>>> On Thu, Aug 15 2024 at 13:38, Daniel P. Smith wrote:
>>>>>> On 5/31/24 09:54, Eric W. Biederman wrote:
>>>>>>> Eric Biggers <ebiggers@...nel.org> writes:
>>>>>>>> That paragraph is also phrased as a hypothetical, "Even if we'd
>>>>>>>> prefer to use
>>>>>>>> SHA-256-only".  That implies that you do not, in fact, prefer
>>>>>>>> SHA-256 only.  Is
>>>>>>>> that the case?  Sure, maybe there are situations where you *have*
>>>>>>>> to use SHA-1,
>>>>>>>> but why would you not at least *prefer* SHA-256?
>>>>>>>
>>>>>>> Yes.  Please prefer to use SHA-256.
>>>>>>>
>>>>>>> Have you considered implementing I think it is SHA1-DC (as git has)
>>>>>>> that
>>>>>>> is compatible with SHA1 but blocks the known class of attacks where
>>>>>>> sha1 is actively broken at this point?
>>>>>>
>>>>>> We are using the kernel's implementation, addressing what the kernel
>>>>>> provides is beyond our efforts. Perhaps someone who is interested in
>>>>>> improving the kernel's SHA1 could submit a patch implementing/replacing
>>>>>> it with SHA1-DC, as I am sure the maintainers would welcome the help.
>>>>>
>>>>> Well, someone who is interested to get his "secure" code merged should
>>>>> have a vested interested to have a non-broken SHA1 implementation if
>>>>> there is a sensible requirement to use SHA1 in that new "secure" code,
>>>>> no?
>>>>>
>>>>> Just for the record. The related maintainers can rightfully decide to
>>>>> reject known broken "secure" code on a purely technical argument.
>>>>>
>>>>
>>>> Wait, hold on a second.
>>>>
>>>> SHA1-DC isn't SHA1.  It's a different hash function that is mostly
>>>> compatible with SHA1, is different on some inputs, and is maybe more
>>>> secure.  But the _whole point_ of using SHA1 in the TPM code (well,
>>>> this really should be the whole point for new applications) is to
>>>> correctly cap the SHA1 PCRs so we can correctly _turn them off_ in the
>>>> best way without breaking compatibility with everything that might
>>>> read the event log.  I think that anyone suggesting using SHA1-DC for
>>>> this purpose should give some actual analysis as to why they think
>>>> it's an improvement, let alone even valid.
>>>
>>> I would say at a minimum it is to provide a means to cap the PCRs.
>>> Devices with TPM1.2 are still prevalent in the wild for which members of
>>> the TrenchBoot community support, and there are still valid (and secure)
>>> verification uses for SHA1 that I outlined in my previous response.
>>>
>>>> Ross et al, can you confirm that your code actually, at least by
>>>> default and with a monstrous warning to anyone who tries to change the
>>>> default, caps SHA1 PCRs if SHA256 is available?  And then can we maybe
>>>> all stop hassling the people trying to develop this series about the
>>>> fact that they're doing their best with the obnoxious system that the
>>>> TPM designers gave them?
>>>
>>> Our goal is to keep control in the hands of the user, not making
>>> unilateral decisions on their behalf. In the currently deployed
>>> solutions it is left to the initrd (user) to cap the PCRs. After some
>>> thinking, we can still ensure user control and give an option to cap the
>>> PCRs earlier. We hope to post a v11 later this week or early next week
>>> that introduces a new policy field to the existing measurement policy
>>> framework. Will add/update the kernel docs with respect to the policy
>>> expansion. We are also looking the best way we might add a warning to
>>> the kernel log if the SHA1 bank is used beyond capping the PCRs.
>>
>> As the attempt was made to lay in the policy logic, it started to become
>> convoluted and unnecessarily complicated. Thus creating more risk with
>> all the bookkeeping and yet sha1 hashes still have to be sent, the null
>> hash in this case, since the TPM driver will reject extends that do not
>> have hashes for all active banks. At this point, we have opted to keep
>> the logic simple and add a section to our documentation advising of the
>> potential risk should one choose to incorporate SHA1 in their
>> attestations of the platform.
>>
> 
> I've read the TPM standard a bit, but it's been awhile, and it's too
> complicated anyway.  So, can you remind me (and probably 3/4 of the
> other people on this thread, too):

Sure, but honestly if you were to ask me in person, I would have given 
you the explanation as provided in the Secure Launch Overview in the 
documentation patch.

> What, exactly, is your patchset doing that requires hashing at all?
> (I assume it's extending a PCR and generating an event log entry.).
> What, exactly, does it mean to "cap" a PCR?  How is this different
> from what your patchset does?


The SINIT ACM is provided a structure that basically says, here is an 
address and size of what it will execute next. It will use that 
information to take its transitive trust measurement of the kernel 
before handing control to the Linux kernel. The Secure Launch code is 
responsible for ensuring everything that can influences its execution to 
be measured and stored into the TPM for attestations to be made at a 
latter time. The most important part is the transitive trust measurement 
of the next part to be executed, the initramfs. Specifically, the Secure 
Launch code must be able to handle the situation where the initramfs 
independent of the kernel and loaded separately. Additionally, the 
policy function provided for optional system state to also be measured 
and recorded, as the attestation evaluator might want them.

At the end of the day, this capability is strictly a passive (mostly, 
see note [1] below) solution with the responsibility to maintain the 
DRTM trust chain by taking meaningful measurements. This includes the 
next component in the trust chain and then hand execution to that next 
component.

The TCG specs and good practices provide that a component in either SRTM 
or DRTM trust chains should extend a non-event record to the tpm and/or 
its log. This is to indicate the transition point from one component in 
the trust chain to the next component. Under the client profile, 
firmware is required to do this by extending an event of type 
EV_SEPARATOR before "Ready to Boot".

I did not see the term actually defined in the client profile, but the 
term "cap" refers to the specific action of hashing a value across a set 
of PCRs. This is to reflect that certain events have occurred and will 
result in a different but predictable change to the PCR value. Often 
times this is to ensure that if there are TPM objects sealed to the 
system with either that event having or have not occurred, they cannot 
be unsealed. Thus, one has "capped" the PCRs as a means to close access 
to the “acceptable” system state.

To close and reiterate, Secure Launch only responsibility is to send 
measurements to the TPM. The TPM and TPM driver has an expectation that 
every PCR extend event contains a hash for every active algorithm bank. 
For Secure Launch, to send SHA1 measurements has zero impact on the 
security of the system. Whether those measurements are used for TPM 
integrity reporting and security policy enforcement by user space or an 
enterprise is outside the scope of the Secure Launch capability and the 
kernel.

[1] A future expansion of Secure Launch will be to enable usage of 
Intel's Hardware Shield, link below, to provide runtime trustworthy 
determination of SMM. The full extent of this capability can only be 
achieved under a DRTM launch of the system with Intel TXT. When enabled,
this can be used to verify the SMM protections are in place and inform 
the kernel's memory management which regions of memory are safe from SMM 
tampering.

https://www.intel.com/content/dam/www/central-libraries/us/en/documents/drtm-based-computing-whitepaper.pdf

> With that answered, it will hopefully be easy to see that you're
> making the right call :)
> 
> --Andy
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ