zlacker

9 comments
1. nouser+(OP) 2022-07-30 00:45:02
"Attestation" of a VM is such a fraught concept... Isn't the whole idea of virtualization to outright lie to the "guest" operating system?

Yes, dear Windows, you're running on a dual-core Xeon Gold 6326 with i440BX chipset. Don't ask how this is possible, just trust me...

replies(2): >>Wowfun+X >>wmf+A1
2. Wowfun+X 2022-07-30 00:57:42
>>nouser+(OP)
And so isn't this basically the flaw in the whole idea? You can always emulate a TPM. You can always boot with a stock kernel and have the host patch the memory afterwards. Software can try to detect whether it's running in a VM, but the VM can lie. Last I heard, blocking VMs didn't go so well when nVidia tried it.

Am I wrong about the effectiveness of this? I'll readily admit I don't understand most of the underlying tech here.

replies(2): >>no_tim+G1 >>taco99+M1
3. wmf+A1 2022-07-30 01:04:10
>>nouser+(OP)
The hardware attests the hypervisor, the hypervisor attests the OS, the OS attests the app, etc. It all works as long as you chain down to the unique key in hardware.
4. no_tim+G1 2022-07-30 01:05:03
>>Wowfun+X
>Am I wrong about the effectiveness of this?

Partially. For online attestation you'd be missing the most important part: the vendor-signed keypair that is insanely hard to extract from the device.

replies(1): >>traver+Y2
5. taco99+M1 2022-07-30 01:05:51
>>Wowfun+X
The emulated TPM will not contain the TPM manufacturer's private key that is used to sign responses.
replies(2): >>cesarb+Ya >>mindsl+s41
6. traver+Y2 2022-07-30 01:17:34
>>no_tim+G1
I'll extract them for 40k a pop all day long. I've got the hardware in storage from an old contract. Side channel power analysis is fun.
replies(1): >>no_tim+o4
7. no_tim+o4 2022-07-30 01:32:34
>>traver+Y2
lol. If I had USA money I'd go for it for 40k.

I've read once about the hardware tricks DRM dongles use in the silicon itself. Doesn't sound like a 40 job :^)

8. cesarb+Ya 2022-07-30 03:08:58
>>taco99+M1
Which is why the comment which started this sub-thread mentioned buying extra physical TPM 2.0 chips. They contain the correct keys, and since they're external devices, it's trivial to lie to them, pretending to be the physical CPU doing a normal boot.

Of course, that only works until they start rejecting external TPM chips, and accepting only the built-in "firmware" TPMs found in more recent CPUs.

replies(1): >>wmf+5j
9. wmf+5j 2022-07-30 05:18:30
>>cesarb+Ya
Yeah, Pluton "fixes" this because it's inside the CPU.
10. mindsl+s41 2022-07-30 15:11:26
>>taco99+M1
nit: the TPM contains its own internally-generated private key. That private key never leaves the TPM, and has nothing intrinsic to the manufacturer.

The manufacturer then signs the public portion of that TPM key, creating the ability for everyone to assert that said key was generated internal to their hardware (and thus couldn't be used by an emulator).

You yourself could also sign the public portion of the TPM key, or even generate a new one and sign it, but that wouldn't affect the perverse incentive generated by the manufacturer's assertion. It would just enable you to assert that you trust the TPM key is internal to the TPM without trusting the manufacturer's records.

We're dealing with something like the dual of software signing here.
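A toy model of the point made across this sub-thread (a verifier accepts a TPM quote only because a party it trusts has certified the TPM's public key, and that party can be the owner rather than the manufacturer), added here as an illustration and not code from any commenter or from a real TPM stack. It assumes Ed25519 signatures over a nonce||PCR byte string in place of the real TPM 2.0 EK certificate and quote formats; the nonce and PCR digest values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// TPM: internally generated key plus an issuer's signature over its public part; an emulator builds one the same way.
type TPM struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey // never leaves the TPM
	Cert []byte             // issuer signature over Pub; nil if nobody certified it
}

func NewTPM() *TPM {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &TPM{Pub: pub, priv: priv}
}

// Quote signs the verifier's nonce together with the measured boot state (PCRs).
func (t *TPM) Quote(nonce, pcrs []byte) []byte {
	return ed25519.Sign(t.priv, append(append([]byte{}, nonce...), pcrs...))
}

// Verify accepts a quote only if a trusted issuer certified the key that signed it.
func Verify(trusted []ed25519.PublicKey, t *TPM, nonce, pcrs, quote []byte) bool {
	for _, ca := range trusted {
		if t.Cert != nil && ed25519.Verify(ca, t.Pub, t.Cert) {
			return ed25519.Verify(t.Pub, append(append([]byte{}, nonce...), pcrs...), quote)
		}
	}
	return false // no trusted party vouches for this key, so the quote proves nothing
}

// Scenarios: (1) factory-certified TPM, (2) emulated TPM with a self-made cert,
// (3) the same emulated TPM after the owner enrolls it under their own CA.
func Scenarios() (genuine, emulated, enrolled bool) {
	makerPub, makerPriv, _ := ed25519.GenerateKey(rand.Reader)
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	nonce, pcrs := []byte("constructed-nonce"), []byte("constructed-pcr-digest")
	phys, fake := NewTPM(), NewTPM()
	phys.Cert = ed25519.Sign(makerPriv, phys.Pub) // signed at the factory, over the public part only
	fake.Cert = ed25519.Sign(roguePriv, fake.Pub) // an emulator can only sign with a key nobody trusts
	genuine = Verify([]ed25519.PublicKey{makerPub}, phys, nonce, pcrs, phys.Quote(nonce, pcrs))
	emulated = Verify([]ed25519.PublicKey{makerPub}, fake, nonce, pcrs, fake.Quote(nonce, pcrs))
	fake.Cert = ed25519.Sign(ownerPriv, fake.Pub) // owner vouches for the key instead of the maker
	enrolled = Verify([]ed25519.PublicKey{ownerPub}, fake, nonce, pcrs, fake.Quote(nonce, pcrs))
	return
}
```

The emulated TPM fails only on the certificate check, never on the signature itself, which is why the thread's discussion turns on who holds the certifying key rather than on how well the VM can lie.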
