Practical Trusted Platform Module (TPM2) Programming
Brandon Arvanaghi
Who am I?
● Security Engineer at Gemini
● Gemini dollar, smart contract auditing
● Work closely with HSMs, smart cards, TPMs
Helpful resources
● “A Practical Guide to TPM 2.0”
● Google’s TPM-JS
○ https://google.github.io/tpm-js/#pg_welcome
○ All images and GIFs created from here
TPM Hierarchies
1. Owner/Storage hierarchy
2. Platform hierarchy
3. Endorsement hierarchy
4. Null hierarchy
● Logical collections of keys
● Each hierarchy has a different seed at its root that is used to generate keys within that hierarchy
Key points:
● These seeds never leave the TPM, and serve as secret inputs into KDFs
● Seeds never change on reboots, except for in Null hierarchy
○ Other seeds can be manually changed
● Key derivation for primary key is fixed + repeatable
○ Providing the same template generates the same primary key every time!
Key points:
● Any key you create can also seal a small amount of arbitrary data
○ A secret message
● You can create authorization policies that restrict when that sealed data can be read
○ When the OS is in a known state
○ When a password is provided as an input
○ Etc.
Seeds (figure from Google’s TPM-JS)
TPM Hierarchies
1. Owner/Storage hierarchy
a. Used by end users of TPM
b. Seed changes with TPM2_CC_CLEAR -- reprovisioning a laptop, for example
2. Platform hierarchy
a. Used by BIOS, not end users.
b. Seed can be changed
3. Endorsement hierarchy
a. Used for attesting TPM
b. Seed never changes. Primary key can be used to identify device.
4. Null hierarchy
a. Used for ephemeral keys
b. Seed changes at reboot
From Google’s TPM-JS
Key attributes
● Decrypt
○ General encryption/decryption key
○ Can’t have children
● Sign
○ Signing key
● Restricted
○ Can only sign and encrypt internal TPM data
○ Can’t be used for general decryption -- this could leak a child key!
Creating child keys
● Keys in the TPM are parents and children
● Any time you create a new key in the TPM, that key must point to a parent key
○ Except the primary key, which is the first key in the hierarchy
● The parent key protects the child key
○ The child key is wrapped to the parent key
● Only when the parent key is loaded into the TPM can the child key be unwrapped in the TPM and used!
Creating a child key and its output (figures from Google’s TPM-JS)
tpm2_create
● When you generate a key in the TPM, the key (both the private and public parts) is written out as files on your filesystem
○ Not usable in the TPM yet!
● These files can only be understood by the TPM.
● To use that key on the TPM, you must first load those files into the TPM, so the key is usable by the TPM
From Google’s TPM-JS
Problems Solved by TPMs
Examples from A Practical Guide to TPM2
1. Identification of device
a. Prior to TPMs, this was done with MAC addresses
2. Secure key generation
a. Hardware RNG > arbitrary software RNG (often a point of failure)
3. Secure key storage
4. NVRAM storage
a. When a device is wiped by IT, NVRAM can keep a certificate store
5. Device health attestation via PCRs
a. Previously, software alone was used to attest to the health of the device. Spoofable!
6. Algorithm agility
NVRAM
1. Non-Volatile RAM
2. Keys can be stored in and read from here early in the boot cycle, before the PC has access to disk
Platform Configuration Registers (PCRs)
● TPMs are different from smart cards in that they are on the motherboard, and available when the machine boots
● TPMs can thus be used to take measurements of machine state during the boot process
● PCRs store hashes of measurements taken by external software, and the TPM can later attest to these measurements by signing them
● The TPM initializes all PCRs at boot time (typically to all 0s or all 1s)
● The caller can’t directly write to PCRs, but can do an extend operation
● Extend takes the old PCR value, concatenates it with the new data you want to measure, hashes the result, and stores it in that same PCR slot
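The PCR extend operation and the "only unseal when the OS is in a known state" policy from the sealing slide, modelled together in Python. This is an added example, not code from the deck or from TPM-JS: the SHA-256 PCR bank, the component strings, the secret and the PCR-equality policy check are all constructed here, and a real TPM would keep the sealed secret encrypted under the hierarchy rather than in the clear.

```python
import hashlib
import hmac
from dataclasses import dataclass

PCR_COUNT = 24
HASH = hashlib.sha256


def boot():
    """Model of a power-on reset: every PCR in the SHA-256 bank starts as all zeros."""
    return [bytes(HASH().digest_size) for _ in range(PCR_COUNT)]


def measure(pcrs, index, component):
    """Extend PCR[index] with a measurement of `component`.

    The caller cannot write the register; the only operation is
    PCR = H(PCR || H(component)), so the final value depends on every
    measurement made and on the order in which they were made.
    """
    measurement = HASH(component).digest()
    pcrs[index] = HASH(pcrs[index] + measurement).digest()
    return pcrs[index]


@dataclass(frozen=True)
class SealedBlob:
    """Secret bound to an expected PCR value (model of a PCR-based policy)."""
    pcr_index: int
    expected_pcr: bytes
    secret: bytes  # kept in the clear in this model; a TPM encrypts it


def seal(pcrs, index, secret):
    return SealedBlob(index, pcrs[index], secret)


def unseal(pcrs, blob):
    """Release the secret only if the machine is in the state it was sealed to."""
    if hmac.compare_digest(pcrs[blob.pcr_index], blob.expected_pcr):
        return blob.secret
    return None


def demo():
    """Known-good boot unseals; a boot with a changed kernel measurement does not."""
    pcrs = boot()
    measure(pcrs, 7, b"bootloader v1")  # constructed sample components
    measure(pcrs, 7, b"kernel v1")
    blob = seal(pcrs, 7, b"disk encryption key")  # constructed secret
    good = unseal(pcrs, blob) == b"disk encryption key"
    pcrs = boot()  # reboot resets PCR 7 to zeros before re-measuring
    measure(pcrs, 7, b"bootloader v1")
    measure(pcrs, 7, b"kernel v1 (tampered)")
    return good, unseal(pcrs, blob) is None
```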
tpm2_tools
TPM2 Simulator
● https://sourceforge.net/projects/ibmswtpm2/
Thanks!
Brandon Arvanaghi
@arvanaghi