Slide 1

Remote Attestation in MicroOS
A tale of TPMs, measurements and Keylime
openSUSE Conference oSC22
[email protected] @openSUSE

Slide 2

The wonderful world of TPMs

Slide 3

Introduction to TPM
● Trusted Platform Modules have been around since 2009, or in other forms since the 90s
● Cryptographic co-processor
  – Already present in servers, desktops, tablets and phones in one version or another (v1.2, v2.0)
  – Algorithm independent (v2.0)

Slide 4

Introduction to TPM (2)
● Super cheap (AKA slow)
● Inside the motherboard, CPU or firmware (UEFI)
  – Not a goal: immunity to physical attacks (left to manufacturers as a differentiation)
  – Goal: safe from software attacks

Slide 6

TPM features
● Identification of devices
  – The endorsement key (EK) generates multiple attestation keys (AK)
  – VPN / SSH authorization

Slide 7

TPM features (2)
● Secure generation of keys (RSA / EC since v2.0) and RNG
  – File / disk encryption

Slide 8

TPM features (3)
● Secure storage of keys
  – Private key never leaves the TPM (encrypted blobs)

Slide 9

TPM features (4)
● NVRAM storage
  – Survives reboot (to use keys required early in the boot process)
  – Because the TPM cannot access anything external, NVRAM can be used as local storage for symmetric encryption keys

Slide 10

Main feature
● Measured boot (device-health attestation)
● [24 x N] Platform Configuration Registers (PCR)
  – Cleared after a reset cycle (or on demand) to a known good value (0x00...0, 0x11...1)
  – Cannot be written with a specific value, only extended: PCR ← Hash(PCR || Value)

Slide 11

Main feature (2)
● One stage in the boot chain measures the next stage before delegating to it, and extends one PCR
  – The TPM cannot access the system, so it is the application that does the extension
  – The measurement is recorded in the event log

Slide 12

Main feature (3)
● Request a signed “quote” from the TPM
  – Current values of the PCRs

Slide 13

PCR extension

Slide 14

Why is it safe?
● If we know the final value of a PCR, we cannot calculate a value that, when extended, will reproduce that final value
● We cannot spoof the quote, as it is signed by a key (AK) whose private part never leaves the TPM (but can be removed)

Slide 15

Why is it safe? (2)
● A nonce is required to avoid reuse of old quotes.
● The only assumption made is that we must trust the TPM certificate (that is why the TPM is also known as a root of trust)

Slide 16

TPM Software Stack (TSS)

Slide 17

TPM tools in the secret API
● tpm2 / tss binaries for almost 140 commands (à la busybox)
● Full PoC for remote attestation (check tpm2-software.github.com)

Slide 18

TPM tools in the secret API (2)
● Under active development. Many changes; the current version (v5.2) is not backward compatible
● Excellent for prototypes, and even full projects (Keylime)

Slide 19

Remote Attestation with Keylime

Slide 20

Keylime features
● Remote attestation
  – Measured boot
  – Runtime execution (IMA / EVM)
● Encrypted payload

Slide 21

Keylime features (2)
● Revocation framework with user-defined plugins
● REST API for different clients (Python, Rust)
● Integrated in MicroOS (YaST role)

Slide 22

Keylime architecture

Slide 23

Keylime uses
● Check that a set of PCRs has the golden values
● Validate the measured boot event log (recreate and compare)
● Use a user-defined policy to validate the event log (Python plugin)
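The PCR extension rule (slides 10 and 11), the nonce and signature checks (slides 14 and 15) and the "recreate and compare" validation of the event log (this slide) fit together in one verifier flow. The following is an added example written for this page, not Keylime's code or the tpm2 tools: it replays a constructed event log into simulated PCRs, issues a quote over a fresh nonce and checks it the way a verifier would. The AK signature is stood in for by an HMAC over a shared secret (AK_SECRET, an assumption), since no real TPM is involved; everything else (the extend operation, nonce freshness, log replay) is the real logic.

```python
import hashlib
import hmac
import os

DIGEST = hashlib.sha256
PCR_COUNT = 24

# Constructed example data (not from a real machine): a measured-boot style
# event log as (pcr_index, digest_of_measured_object) entries, plus a stand-in
# for the attestation key's private part.
SAMPLE_EVENT_LOG = [
    (0, DIGEST(b"firmware volume 1").digest()),
    (0, DIGEST(b"firmware volume 2").digest()),
    (4, DIGEST(b"shim.efi").digest()),
    (4, DIGEST(b"grub.efi").digest()),
    (8, DIGEST(b"linux root=/dev/sda2 quiet").digest()),
]
AK_SECRET = b"constructed-ak-secret"  # hypothetical; a real AK is an RSA/EC key inside the TPM


def initial_pcrs():
    """All PCRs start at a known value after reset; here 0x00..00 for every index."""
    return {i: bytes(DIGEST().digest_size) for i in range(PCR_COUNT)}


def pcr_extend(pcr, digest):
    """The only write a PCR supports: PCR <- Hash(PCR || digest). Nothing can set it directly."""
    return DIGEST(pcr + digest).digest()


def replay_event_log(event_log):
    """Recreate the PCR values an honest boot following this log must produce."""
    pcrs = initial_pcrs()
    for idx, digest in event_log:
        pcrs[idx] = pcr_extend(pcrs[idx], digest)
    return pcrs


def pcr_selection_digest(pcrs, selection):
    """Hash of the selected PCR values in index order; this is what a quote covers."""
    h = DIGEST()
    for idx in sorted(selection):
        h.update(pcrs[idx])
    return h.digest()


def quote_pcrs(pcrs, selection, nonce, ak_secret):
    """Simulated TPM quote: sign the selected PCRs together with the verifier's nonce.
    A real TPM signs with the AK private key, which never leaves the chip; the HMAC
    here is only a stand-in for that signature."""
    pcr_digest = pcr_selection_digest(pcrs, selection)
    sig = hmac.new(ak_secret, pcr_digest + nonce, DIGEST).digest()
    return {"selection": sorted(selection), "pcr_digest": pcr_digest,
            "nonce": nonce, "sig": sig}


class Verifier:
    """Verifier-side checks: fresh nonce, valid signature, and an event log that
    reproduces the quoted PCRs."""

    def __init__(self, ak_secret):
        self.ak_secret = ak_secret
        self.outstanding = set()  # nonces issued but not yet answered

    def challenge(self):
        nonce = os.urandom(20)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, quote, event_log):
        nonce = quote["nonce"]
        # 1. The nonce must be one we issued and not already answered (no replay of old quotes).
        if nonce not in self.outstanding:
            return False, "unknown or reused nonce"
        # 2. The signature must verify under the AK.
        expected = hmac.new(self.ak_secret, quote["pcr_digest"] + nonce, DIGEST).digest()
        if not hmac.compare_digest(expected, quote["sig"]):
            return False, "bad signature"
        self.outstanding.discard(nonce)  # a valid quote consumes its nonce
        # 3. Recreate the PCRs from the event log and compare with what was quoted.
        replayed = pcr_selection_digest(replay_event_log(event_log), quote["selection"])
        if not hmac.compare_digest(replayed, quote["pcr_digest"]):
            return False, "event log does not reproduce quoted PCRs"
        return True, "ok"


if __name__ == "__main__":
    tpm_pcrs = replay_event_log(SAMPLE_EVENT_LOG)  # what an honest TPM holds after boot
    verifier = Verifier(AK_SECRET)
    nonce = verifier.challenge()
    quote = quote_pcrs(tpm_pcrs, [0, 4, 8], nonce, AK_SECRET)
    print(verifier.verify(quote, SAMPLE_EVENT_LOG))  # (True, 'ok')
    print(verifier.verify(quote, SAMPLE_EVENT_LOG))  # same quote again: rejected as a replay
```

Because the extend operation is a hash chain, an event log with even one altered entry yields different PCR values, so a tampered log cannot be made to match an honest quote, and an honest log cannot be made to match a quote from a tampered boot; the nonce set is what turns a captured quote into a one-time artefact.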

Slide 24

Keylime uses (2)
● Generate good hashes for binaries and use IMA + TPM to monitor them
● Deliver an encrypted payload to all agents
● Trigger actions (Python) when a node gets revoked
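The first bullet, "generate good hashes for binaries and use IMA to monitor them", comes down to building an allowlist of golden digests and comparing every entry of the IMA measurement list against it. This added example (written for this page; not Keylime's allowlist code) builds such a list from constructed file contents, parses measurement lines in the layout of /sys/kernel/security/ima/ascii_runtime_measurements with the ima-ng template, and reports files that are unexpected or whose hash changed. The template hashes in the sample lines are placeholders, and the example does not replay PCR 10 from them; that part is covered separately by the event log replay.

```python
import hashlib

# Constructed sample "binaries" (not real files). The allowlist is built by
# hashing them, the way golden hashes would be produced when packages are built.
SAMPLE_FILES = {
    "/usr/bin/bash": b"constructed contents of bash",
    "/usr/bin/ls": b"constructed contents of ls",
}
# The first IMA entry is boot_aggregate, a hash over the boot PCRs; constructed here.
BOOT_AGGREGATE = hashlib.sha256(b"constructed boot aggregate").hexdigest()

# Constructed measurement lines in the layout of ascii_runtime_measurements (ima-ng):
# <pcr> <template-hash> <template-name> <algo>:<file-hash> <path>
# The template hash column is a placeholder, not a real template digest.
TEMPLATE_HASH_PLACEHOLDER = "0" * 40


def _line(path, filehash):
    return f"10 {TEMPLATE_HASH_PLACEHOLDER} ima-ng sha256:{filehash} {path}"


SAMPLE_MEASUREMENTS = [
    _line("boot_aggregate", BOOT_AGGREGATE),
    _line("/usr/bin/bash", hashlib.sha256(SAMPLE_FILES["/usr/bin/bash"]).hexdigest()),
    _line("/usr/bin/ls", hashlib.sha256(b"modified ls").hexdigest()),            # changed file
    _line("/tmp/unknown-tool", hashlib.sha256(b"not packaged").hexdigest()),     # unexpected file
]


def build_allowlist(files, boot_aggregate=None):
    """Map path -> set of acceptable sha256 hex digests. A set, because more than
    one version of a file may be acceptable at once (e.g. across an update)."""
    allow = {path: {hashlib.sha256(data).hexdigest()} for path, data in files.items()}
    if boot_aggregate is not None:
        allow["boot_aggregate"] = {boot_aggregate}
    return allow


def parse_ima_line(line):
    """Split one measurement line into its fields; paths may contain spaces, so the
    path is everything after the fourth field."""
    fields = line.split(maxsplit=4)
    if len(fields) != 5:
        raise ValueError(f"unexpected IMA entry: {line!r}")
    pcr, template_hash, template, filedata, path = fields
    algo, sep, filehash = filedata.partition(":")
    if not sep:  # the legacy "ima" template carries a bare sha1 with no algo prefix
        algo, filehash = "sha1", algo
    return {"pcr": int(pcr), "template_hash": template_hash, "template": template,
            "algo": algo, "filehash": filehash, "path": path}


def check_measurements(lines, allowlist):
    """Return (path, reason) for every measured file the allowlist does not vouch for."""
    violations = []
    for line in lines:
        entry = parse_ima_line(line)
        if entry["algo"] != "sha256":
            # An entry hashed with another algorithm cannot be matched against sha256
            # golden values, so it is reported rather than silently accepted.
            violations.append((entry["path"], f"unsupported hash algorithm {entry['algo']}"))
            continue
        allowed = allowlist.get(entry["path"])
        if allowed is None:
            violations.append((entry["path"], "not in allowlist"))
        elif entry["filehash"] not in allowed:
            violations.append((entry["path"], "hash mismatch"))
    return violations


if __name__ == "__main__":
    allowlist = build_allowlist(SAMPLE_FILES, BOOT_AGGREGATE)
    for path, reason in check_measurements(SAMPLE_MEASUREMENTS, allowlist):
        print(f"{path}: {reason}")
```

In a deployment the allowlist would come from the package build (the signed whitelist mentioned in the TODO slide) rather than from hashing files on the monitored host, since hashing on the host would only confirm that the host agrees with itself.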

Slide 25

YaST system role

Slide 26

Demo

Slide 27

Next steps

Slide 28

Still in the TODO
● Signed whitelist for IMA hashes
  – Patch in createrepo_c, maybe in OBS
● IMA policy based on SELinux to filter what to track