1. fleven+(OP) 2022-07-30 00:52:36
Implemented properly, the idea is that you have a chain of certificates (rooted by the CPU vendor's public key) that can identify all the different bits of software that have executed on the machine, along with an ephemeral public key. The hardware guarantees that the associated private key can only be wielded by the software versions that the chain attested to. So when you initiate your TLS connection with this machine, you can validate the cert chain and understand exactly what software the machine is running, assuming that you trust the CPU vendor and all the versions of the software that were attested to.
replies(1): >>teaket+I
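The chain described in this post, as an added toy model (not code from any vendor's attestation system, which would use X.509 and vendor-specific formats): a vendor root key signs the CPU's attestation key, the attestation key signs a quote binding the measured software components to an ephemeral session key, and the verifier walks the chain and then checks every measurement against an allowlist of software versions it trusts. The struct names, the `measure` helper and the allowlist entries are all invented for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Measurement is the hash of one software component that executed on the machine.
type Measurement [32]byte

// AttestationKeyCert: the vendor root vouches for the per-CPU attestation public key.
type AttestationKeyCert struct {
	AttestationPub ed25519.PublicKey
	VendorSig      []byte // signature by the vendor root over AttestationPub
}

// Quote: the attestation key signs the measured software stack together with
// the ephemeral public key the machine will use for this TLS session.
type Quote struct {
	Measurements []Measurement
	EphemeralPub ed25519.PublicKey
	Sig          []byte // signature by the attestation key over quoteBytes()
}

// quoteBytes is the canonical byte encoding that gets signed (constructed format).
func quoteBytes(ms []Measurement, eph ed25519.PublicKey) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint32(len(ms)))
	for _, m := range ms {
		b.Write(m[:])
	}
	b.Write(eph)
	return b.Bytes()
}

// makeQuote runs on the attested machine: fresh ephemeral key, signed quote.
// The ephemeral private key never leaves the machine.
func makeQuote(attestPriv ed25519.PrivateKey, ms []Measurement) (Quote, ed25519.PrivateKey) {
	ephPub, ephPriv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(attestPriv, quoteBytes(ms, ephPub))
	return Quote{ms, ephPub, sig}, ephPriv
}

// verifyChain runs on the remote side: walk the chain from the vendor root,
// then require every measured component to be a trusted software version.
// On success it returns the ephemeral key to pin for the TLS session.
func verifyChain(vendorRoot ed25519.PublicKey, cert AttestationKeyCert, q Quote, trusted map[Measurement]bool) (ed25519.PublicKey, error) {
	if !ed25519.Verify(vendorRoot, cert.AttestationPub, cert.VendorSig) {
		return nil, fmt.Errorf("attestation key is not signed by the vendor root")
	}
	if !ed25519.Verify(cert.AttestationPub, quoteBytes(q.Measurements, q.EphemeralPub), q.Sig) {
		return nil, fmt.Errorf("quote signature does not verify")
	}
	for i, m := range q.Measurements {
		if !trusted[m] {
			return nil, fmt.Errorf("component %d has untrusted measurement %x", i, m[:4])
		}
	}
	return q.EphemeralPub, nil
}

// measure stands in for the hash a real boot chain records for a component.
func measure(component string) Measurement { return sha256.Sum256([]byte(component)) }

// demo verifies one allowlisted stack and one with an unknown kernel build.
func demo() (trustedOK bool, unknownOK bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	attestPub, attestPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := AttestationKeyCert{attestPub, ed25519.Sign(vendorPriv, attestPub)}

	// Constructed allowlist: the software versions this verifier trusts.
	trusted := map[Measurement]bool{
		measure("firmware-1.0"): true, measure("bootloader-2.3"): true, measure("kernel-5.18"): true,
	}
	good := []Measurement{measure("firmware-1.0"), measure("bootloader-2.3"), measure("kernel-5.18")}
	bad := []Measurement{measure("firmware-1.0"), measure("bootloader-2.3"), measure("kernel-5.18-unknown")}

	q1, _ := makeQuote(attestPriv, good)
	_, err1 := verifyChain(vendorPub, cert, q1, trusted)
	q2, _ := makeQuote(attestPriv, bad)
	_, err2 := verifyChain(vendorPub, cert, q2, trusted)
	return err1 == nil, err2 == nil
}

func main() {
	good, bad := demo()
	fmt.Printf("trusted stack verified: %v, unknown kernel verified: %v\n", good, bad)
}
```

Both signatures can be valid and the check still fails on the allowlist step: that is exactly the "assuming you trust the CPU vendor and all the attested software versions" condition, made explicit as the `trusted` map and the vendor root key the verifier has to be given out of band.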
2. teaket+I 2022-07-30 01:02:24
>>fleven+(OP)
> … assuming that you trust the CPU vendor and all the versions of the software that were attested to.

That’s a huge caveat.

You also cannot verify your trust is deserved, and that it will continue to be deserved, because such a system by its very nature must be opaque to untrusted parties (which means you).

replies(1): >>wmf+g1
3. wmf+g1 2022-07-30 01:06:49
>>teaket+I
such a system by its very nature must be opaque to untrusted parties

No, you can attest to a completely open source system. Nobody's actually doing that, but it's possible. The private keys have to be secret and non-extractable, but that's it.

replies(3): >>teaket+C1 >>blkfnw+92 >>salawa+p11
4. teaket+C1 2022-07-30 01:10:03
>>wmf+g1
The fundamental security mechanism upon which the entire system hinges is opaque.
5. blkfnw+92 2022-07-30 01:15:27
>>wmf+g1
Plenty of people do it. I use tpm2-totp for it. There is a key sealed in my TPM that will only unseal for known boot stacks (firmware/bootloader/kernel). I have the same key stored in my Yubikey's TOTP application. After boot I can verify my stack by comparing a TOTP code generated by my Yubikey with one generated by the TPM.

Caveat is that security only extends into the kernel image, so for my use case I embed the initrd in the kernel image and have all the filesystems and swap on a dm-crypt volume.

I also have to unseal and reseal when performing upgrades of the initramfs and above, but I'm fine with that.

replies(1): >>jstanl+Sn
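The scheme in this post, as an added toy model (not the tpm2-totp project's code): a secret is sealed against a digest of the measured boot stack and is released only when the current measurements match, and the same secret lives in the hardware token's TOTP application, so the two codes agree only after a known boot. The `sealedTPM` struct, the single-register PCR fold in `pcrDigest` and the sample boot stacks are invented for the example; `totp` is the standard RFC 6238 computation (HMAC-SHA1, 30-second step, 6 digits).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// sealedTPM stands in for a TPM holding a secret under a PCR policy.
type sealedTPM struct {
	secret []byte   // the TOTP secret, never leaves the "TPM" unless the policy is met
	policy [32]byte // digest of the PCR state the secret was sealed against
}

// pcrDigest folds the boot components in order, the way a PCR extend chain
// does: each step hashes the previous register value with the new measurement.
func pcrDigest(components []string) [32]byte {
	var pcr [32]byte
	for _, c := range components {
		m := sha256.Sum256([]byte(c))
		pcr = sha256.Sum256(append(pcr[:], m[:]...))
	}
	return pcr
}

// seal records the policy for the boot stack that is currently trusted.
func seal(secret []byte, bootStack []string) *sealedTPM {
	return &sealedTPM{secret: secret, policy: pcrDigest(bootStack)}
}

// unseal releases the secret only when the measured stack matches the policy;
// a changed firmware, bootloader or kernel yields a different digest.
func (t *sealedTPM) unseal(currentStack []string) ([]byte, error) {
	if pcrDigest(currentStack) != t.policy {
		return nil, fmt.Errorf("PCR policy mismatch: boot stack differs from the sealed one")
	}
	return t.secret, nil
}

// totp computes an RFC 6238 code: the token side does the same from its copy.
func totp(secret []byte, unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyBoot is the post-boot check: unseal with the current measurements and
// compare the TPM-derived code with the one the token shows for the same step.
func verifyBoot(t *sealedTPM, currentStack []string, tokenSecret []byte, now int64) (bool, error) {
	s, err := t.unseal(currentStack)
	if err != nil {
		return false, err
	}
	return totp(s, now) == totp(tokenSecret, now), nil
}

func main() {
	// Constructed secret and boot stacks for the demonstration.
	secret := []byte("12345678901234567890")
	known := []string{"firmware-1.0", "bootloader-2.3", "kernel-5.18+initrd"}
	changed := []string{"firmware-1.0", "bootloader-2.3", "kernel-5.18+initrd-modified"}
	tpm := seal(secret, known)
	now := time.Now().Unix()

	ok, err := verifyBoot(tpm, known, secret, now)
	fmt.Printf("known stack: match=%v err=%v\n", ok, err)
	ok, err = verifyBoot(tpm, changed, secret, now)
	fmt.Printf("changed stack: match=%v err=%v\n", ok, err)
}
```

The unseal step is where the security comes from: a modified kernel does not produce a wrong code, it produces no code at all, because the policy digest no longer matches. That is also why the post has to embed the initrd in the kernel image and keep everything above it on dm-crypt, since only components that were measured into the policy are covered.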
6. jstanl+Sn 2022-07-30 06:31:08
>>blkfnw+92
> After boot I can verify my stack by comparing a TOTP code generated by my Yubikey with one generated by the TPM.

But if you're not sure whether the system booted cleanly, then it might be compromised. If it's compromised couldn't your tools simply lie about the codes generated by both the TPM and the Yubikey so that they always match?

7. salawa+p11 2022-07-30 14:52:42
>>wmf+g1
Yes. Intel is willing to lend me all the equipment and logic analyzers I need to analyze their products, access to their internal design docs, access to their engineering team to answer my questions, etc, etc...

Do you realize how daft and unrealistic your assertion is?

Tell ya what. You get Broadcom, Intel, AMD, Nvidia, etc... to go full transparent, and we'll talk.
