| 1 |
On Fri, Mar 6, 2020 at 3:55 PM Wols Lists <antlists@××××××××××××.uk> wrote: |
| 2 |
> |
| 3 |
> On 06/03/20 19:39, Rich Freeman wrote: |
| 4 |
> > |
| 5 |
> > They don't detail the effort required. If the firmware is patched it |
| 6 |
> > sounds like it still requires tinkering with hardware. |
| 7 |
> |
| 8 |
> By then it's TOO LATE. The firmware is signed for security, AND LOADED |
| 9 |
> AT BOOT. But if the boot process is compromised, the attacker simply |
| 10 |
> doesn't load the patched firmware. |
| 11 |
|
| 12 |
The patched firmware executes before any software you boot, assuming |
| 13 |
your device was patched before the hacker got his hands on it. |
| 14 |
|
| 15 |
Obviously if you lost your laptop last week and the hacker has it in |
| 16 |
their closet, then they're going to be able to attack the unpatched |
| 17 |
firmware with a software hack. |
| 18 |
|
| 19 |
From the descriptions I'm seeing it sounds like the attack against the |
| 20 |
hardware itself requires physical access to some of the busses. A |
| 21 |
proper TPM should resist this sort of attack, and that is why this is |
| 22 |
a vulnerability. However, you can't just stick a USB drive into a |
| 23 |
computer to hack it if the firmware is patched. |
| 24 |
|
| 25 |
> > |
| 26 |
> > Yes, but keep in mind the signing keys have nothing to do with disk |
| 27 |
> > encryption. It is for remote attestation. Hence my Netflix comment. |
| 28 |
> > |
| 29 |
> Signing keys have EVERYTHING to do with whether you can trust the CPU. |
| 30 |
> If you can't trust the CPU, then it can simply read the disk encryption |
| 31 |
> credentials without any reference to whether it SHOULD read them. |
| 32 |
|
| 33 |
So, I think you're conflating a few different things here. |
| 34 |
|
| 35 |
First, trust is a choice you make. Whether you trust the CPU or not |
| 36 |
makes no difference in whether somebody else can defeat the embedded |
| 37 |
TPM. |
| 38 |
|
| 39 |
Second, the signing keys we're talking about are keys embedded in the |
| 40 |
CPU used by the CPU to sign stuff. These keys aren't used for |
| 41 |
encrypting anything, and they aren't used for decrypting anything. |
| 42 |
They're also not used to verify firmware/etc. It would make no sense |
| 43 |
to put the firmware signing key in the CPU - that key would be locked |
| 44 |
up at the firmware vendor's HQ with the corresponding public key |
| 45 |
embedded in the CPUs. |
| 46 |
|
| 47 |
Don't get me wrong - encryption keys stored in the CPU are compromised |
| 48 |
by this vulnerability. However, this has nothing to do with the |
| 49 |
signing keys. |
| 50 |
|
| 51 |
I suspect that modifying the firmware might also be possible due to |
| 52 |
this vulnerability, by replacing the public key in the CPU with a new |
| 53 |
one that you generated. Again, that has nothing to do with the |
| 54 |
signing keys on the CPU. |
| 55 |
|
| 56 |
The signing keys should just be associated with remote attestation. |
| 57 |
|
| 58 |
> And it only takes ONE person to crack that master key ONCE, and |
| 59 |
> EVERYBODY is up shit creek. |
| 60 |
|
| 61 |
No - there isn't any master key stored inside an Intel CPU that can be |
| 62 |
used to compromise the encryption on other hosts. We're talking about |
| 63 |
the signing keys used for remote attestation. |
| 64 |
|
| 65 |
Again, Netflix and Intel and similar companies are going to be ticked |
| 66 |
if that master key is leaked, but it won't have any impact on disk |
| 67 |
encryption. |
| 68 |
|
| 69 |
Of course, disk encryption is still compromised by the vulnerability. |
| 70 |
It just has nothing to do with the master signing keys (which are also |
| 71 |
model-specific and not completely universal), and hacking any |
| 72 |
individual device, if patched, will probably still require a |
| 73 |
hardware-level attack against that specific device. |
| 74 |
|
| 75 |
> At the end of the day, it's a "tree of trust". And once the root key is |
| 76 |
> compromised, you can NOT trust ANY key that was secured by said root |
| 77 |
> key. |
| 78 |
|
| 79 |
Yup. Fortunately the disk encryption keys are unique to each device, |
| 80 |
and stored in the compromised TPM hardware. They aren't really |
| 81 |
secured by a root key in any meaningful way. |
| 82 |
|
| 83 |
-- |
| 84 |
Rich |
Archives