
Remote Attestation in MicroOS with Keylime

Alberto Planas
June 01, 2022


Transcript

  1. Introduction to TPM
     • Trusted Platform Modules have been around since 2009, or in other forms since the 90s
     • Cryptographic co-processor
       – Already present in servers, desktops, tablets and phones in one version or another (v1.2, v2.0)
       – Algorithm independent (v2.0)

  2. Introduction to TPM (2)
     • Super cheap (AKA slow)
     • Inside the motherboard, CPU or firmware (UEFI)
       – Not a goal: immune to physical attacks (left to manufacturers, as a differentiation)
       – Goal: safe from software attacks

  3. TPM features
     • Identification of devices
       – Endorsement key (EK) generates multiple attestation keys (AK)
       – VPN / SSH authorization

  4. TPM features (2)
     • Secure generation of keys (RSA / EC since v2.0) and RNG
       – File / disk encryption

  5. TPM features (3)
     • Secure storage of keys
       – Private key never leaves the TPM (encrypted blobs)

  6. TPM features (4)
     • NVRAM storage
       – Survives reboot (to use keys required early in the boot process)
       – Because the TPM cannot access anything external, NVRAM can be used as local storage for symmetric encryption

  7. Main feature
     • Measured boot (device-health attestation)
     • [24 x N] Platform Configuration Registers (PCR)
       – Cleared after a reset cycle (or on demand) to a known good value (0x00...0, 0x11...1)
       – Cannot be written with a specific value, only extended: PCR ← Hash(PCR || Value)

  8. Main feature (2)
     • One stage in the boot chain measures the next stage before delegating to it, and extends one PCR
       – The TPM cannot access the system, so it is the application that does the extension
       – The measurement is registered in the event log

  9. Main feature (3)
     • Request from the TPM a signed “quote”
       – Current values of the PCRs

  10. Why is it safe?
     • If we know the final value of a PCR, we cannot calculate the hash that will replicate the final value after the extension
     • We cannot spoof the quote, as it is signed by a key (AK) whose private part never leaves the TPM (but can be removed)

  11. Why is it safe? (2)
     • A nonce is required to avoid reuse of old quotes
     • The only assumption made is that we must trust the TPM certificate (that is why the TPM is also known as a root of trust)

  12. TPM tools in the secret API
     • tpm2 / tss binaries for almost 140 commands (à la busybox)
     • Full PoC for remote attestation (check tpm2-software.github.com)

  13. TPM tools in the secret API (2)
     • Under active development. Many changes; the current version (v5.2) is not backward compatible
     • Excellent for prototypes, and even full projects (Keylime)

  14. Keylime features
     • Remote attestation
       – Measured boot
       – Runtime execution (IMA / EVM)
     • Encrypted payload

  15. Keylime features (2)
     • Revocation framework with user-defined plugins
     • REST API for different clients (Python, Rust)
     • Integrated in MicroOS (YaST role)

  16. Keylime uses
     • Check if a set of PCRs have golden values
     • Validate the measured boot event log (recreate and compare)
     • Use a user-defined policy to validate the event log (Python plugin)
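The verifier side of slides 7 to 11 and 16 in working form, as an added example that is not part of the talk or of Keylime's code: replay an event log with PCR ← Hash(PCR || Value), compare the result with the PCRs reported in a quote, check the nonce, and optionally compare against golden values. The event log, the quote layout and the `measure` helper are constructed for this example; AK signature verification is assumed to have happened before these checks.

```python
import hashlib
import hmac
import os

PCR_INITIAL = bytes(32)  # reset value of a SHA-256 PCR bank (0x00...0)

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR <- Hash(PCR || Value). There is no direct write."""
    return hashlib.sha256(pcr + measurement).digest()

def replay_event_log(events):
    """Recreate PCR values from (pcr_index, digest) entries in boot order."""
    pcrs = {}
    for idx, digest in events:
        pcrs[idx] = extend(pcrs.get(idx, PCR_INITIAL), digest)
    return pcrs

def verify_quote(quote, expected_nonce, events, golden=None):
    """Checks on a simplified quote {"nonce", "pcrs"}: the nonce must be the one
    we sent (rejects replays of old quotes), each quoted PCR must equal the
    event-log replay and, when known, its golden value. Returns the failures."""
    failures = []
    if not hmac.compare_digest(quote["nonce"], expected_nonce):
        failures.append("nonce mismatch")
    replayed = replay_event_log(events)
    for idx, value in quote["pcrs"].items():
        if not hmac.compare_digest(replayed.get(idx, PCR_INITIAL), value):
            failures.append(f"pcr{idx}: event log does not explain quoted value")
        elif golden and idx in golden and not hmac.compare_digest(golden[idx], value):
            failures.append(f"pcr{idx}: differs from golden value")
    return failures

def measure(stage: bytes) -> bytes:
    return hashlib.sha256(stage).digest()  # digest a boot stage would log

# Constructed sample log: (PCR index, digest of the next stage). PCR 4 gets two.
SAMPLE_EVENTS = [(0, measure(b"firmware")), (4, measure(b"shim")),
                 (4, measure(b"grub")), (8, measure(b"kernel cmdline"))]
# Same log with the second PCR 4 entry rewritten after the fact.
TAMPERED_EVENTS = SAMPLE_EVENTS[:2] + [(4, measure(b"evil grub")), SAMPLE_EVENTS[3]]

def demo():
    nonce = os.urandom(16)
    # The quote reflects what was really extended; an edited log cannot reproduce
    # the quoted PCR 4 without a hash pre-image.
    quote = {"nonce": nonce, "pcrs": replay_event_log(SAMPLE_EVENTS)}
    golden = {4: extend(extend(PCR_INITIAL, measure(b"shim")), measure(b"grub"))}
    return (verify_quote(quote, nonce, SAMPLE_EVENTS, golden),
            verify_quote(quote, nonce, TAMPERED_EVENTS, golden),
            verify_quote(quote, os.urandom(16), SAMPLE_EVENTS, golden))
```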
  17. Keylime uses (2)
     • Generate known-good hashes for binaries and use IMA + TPM to monitor them
     • Deliver an encrypted payload to all the agents
     • Trigger actions (Python) when a node gets revoked

  18. Still in the TODO
     • Signed whitelist for IMA hashes
       – Patch in createrepo_c, maybe in OBS
     • IMA policy based on SELinux to filter what to track