mirror of
https://github.com/tpm2dev/tpm.dev.tutorials.git
synced 2024-11-25 07:12:10 +00:00
WIP
This commit is contained in:
parent
90d9bc2619
commit
17ddd5b3df
1 changed files with 60 additions and 59 deletions
119
Intro/README.md
119
Intro/README.md
|
@ -23,16 +23,13 @@ much more detail.
|
||||||
|
|
||||||
# Core Concepts
|
# Core Concepts
|
||||||
|
|
||||||
Some core concepts in the world of TPMs
|
Some core concepts in the world of TPMs (not all of which we'll discuss
|
||||||
|
here):
|
||||||
|
|
||||||
- cryptography:
|
- cryptography
|
||||||
- digest functions
|
- hash extension
|
||||||
- hash extension
|
|
||||||
- HMAC
|
|
||||||
- symmetric encryption
|
|
||||||
- asymmetric encryption and/or signature algorithms
|
|
||||||
- platform configuration registers (PCRs)
|
|
||||||
- cryptographic object naming
|
- cryptographic object naming
|
||||||
|
- platform configuration registers (PCRs)
|
||||||
- immutability of object public areas
|
- immutability of object public areas
|
||||||
- key hierarchies
|
- key hierarchies
|
||||||
- key wrapping
|
- key wrapping
|
||||||
|
@ -62,49 +59,6 @@ other access.
|
||||||
Where to start? Let's start with hash extension, which may be the only
|
Where to start? Let's start with hash extension, which may be the only
|
||||||
trivial concept in the world of TPMs!
|
trivial concept in the world of TPMs!
|
||||||
|
|
||||||
## Important Notes
|
|
||||||
|
|
||||||
- Chained implications.
|
|
||||||
|
|
||||||
It is important to note the TPM ecosystem's critical dependence on
|
|
||||||
TPMs performing authorization as specified. A lot can be
|
|
||||||
accomplished by chaining cryptographic implications. Sending a
|
|
||||||
secret to a TPM-using application, with the secret encrypted in that
|
|
||||||
TPM's primary endorsement public key is safe when one knows that
|
|
||||||
public key truly is a legitimate hardware TPM's public key: the TPM
|
|
||||||
will not release the secret to the application unless the recipient
|
|
||||||
has some access specified by the sender. Complex chains of events
|
|
||||||
can be secure provided one knows that it involves legitimate hardware
|
|
||||||
TPMs that otherwise could not be secured. Therefore the legitimacy
|
|
||||||
of a TPM that one communicates with is essential.
|
|
||||||
|
|
||||||
- Limited resources.
|
|
||||||
|
|
||||||
Hardware TPMs are very resource-starved. The set of commands defined
|
|
||||||
by the TCG TPM specifications is specifically constructed to a) be
|
|
||||||
small and simple (simple-enough anyways), yet b) enable rich
|
|
||||||
semantics in spite of this.
|
|
||||||
|
|
||||||
These limited resources mean, among other things, that TPMs don't do
|
|
||||||
complex things like PKIX certificate validation path construction, or
|
|
||||||
even PKIX certificate path validation, nor do they implement complex
|
|
||||||
authentication protocols using PKIX, nor Kerberos, nor even simple
|
|
||||||
protocols like JWT. Hardware TPMs can be used to implement portions
|
|
||||||
of such complex protocols (e.g., certificate issuance), but they
|
|
||||||
cannot implement the entirety of such protocols.
|
|
||||||
|
|
||||||
- Hardware TPMs are _slow_.
|
|
||||||
|
|
||||||
- A *lot* of detail is left out here. Nothing is said about how TPMs
|
|
||||||
interface with the system or applications. Little is said about
|
|
||||||
specific commands, and nothing is said about most commands. Nothing
|
|
||||||
is said about TPM software stacks or APIs.
|
|
||||||
|
|
||||||
Our goal is only to help the lay reader understand TPMs well enough
|
|
||||||
at the conceptual level that they will be more comfortable
|
|
||||||
approaching mure more detailed TPM-related tutorials, documents,
|
|
||||||
books, or TCG specifications.
|
|
||||||
|
|
||||||
## Hash Extension
|
## Hash Extension
|
||||||
|
|
||||||
Hash extension is just appending some data to a current digest-sized
|
Hash extension is just appending some data to a current digest-sized
|
||||||
|
@ -130,20 +84,43 @@ value, hashing that, and then calling the output the new current value:
|
||||||
|
|
||||||
where `H()` is a cryptographic hash function.
|
where `H()` is a cryptographic hash function.
|
||||||
|
|
||||||
|
Each extension value can be arbitrarily large, and the TPM will use the
|
||||||
|
traditional `Init`/`Update`/`Final` approach to making digest
|
||||||
|
computation online.
|
||||||
|
|
||||||
|
Note that `H(e0 || e1 || e2) != Extend(Extend(Extend(0, e0), e1), e2)`.
|
||||||
|
Hash extension makes "message" boundaries strong.
|
||||||
|
|
||||||
Hash extension is most of what a PCR is, but hash extension is in other
|
Hash extension is most of what a PCR is, but hash extension is in other
|
||||||
TPM concepts besides PCRs, such as policy naming.
|
TPM concepts besides PCRs, such as policy naming.
|
||||||
|
|
||||||
## Platform Configuration Registers (PCRs)
|
## Platform Configuration Registers (PCRs)
|
||||||
|
|
||||||
A PCR, then, is just a hash output. The only operations on PCRs are:
|
A PCR, then, is just a hash extension output. The only operations on
|
||||||
read, extend, and reset. All richness of semantics of PCRs come from
|
PCRs are: read, extend, and reset. All richness of semantics of PCRs
|
||||||
how they are used:
|
come from how they are used:
|
||||||
|
|
||||||
- how they are extended and by what code
|
- how they are extended and by what code
|
||||||
- what purposes they are read for
|
- what purposes they are read for
|
||||||
- attestation
|
- attestation
|
||||||
- authorization
|
- authorization
|
||||||
|
|
||||||
|
Note that a PCR value by itself is devoid of meaning. To add meaning
|
||||||
|
one must have access to the list of discrete values extended into the
|
||||||
|
PCR, as well as the order in which they were extended into the PCR. And
|
||||||
|
one must know the meaning of each such value.
|
||||||
|
|
||||||
|
### Eventlogs
|
||||||
|
|
||||||
|
Any TPM-using platform has to provide a way to keep a log of PCR hash
|
||||||
|
extension values. Such a log is known as the "eventlog".
|
||||||
|
|
||||||
|
The TPM itself cannot hold this log for the TPM is resource-constrained.
|
||||||
|
|
||||||
|
Indeed, hash extension is used by TPMs as a sort of a compression
|
||||||
|
function that represents a larger state that may not fit on the TPM.
|
||||||
|
PCRs are one case, and authorization policies are another.
|
||||||
|
|
||||||
## Root of Trust Measurements (RTM)
|
## Root of Trust Measurements (RTM)
|
||||||
|
|
||||||
When a computer and its TPM start up, most PCRs are set to all-zeros,
|
When a computer and its TPM start up, most PCRs are set to all-zeros,
|
||||||
|
@ -154,9 +131,10 @@ ideally, perform RTMs. At the end of the boot process some set of PCRs
|
||||||
should reflect the totality of the code path taken to complete booting.
|
should reflect the totality of the code path taken to complete booting.
|
||||||
|
|
||||||
Some PCRs are used to measure the BIOS, others to measure option ROMs,
|
Some PCRs are used to measure the BIOS, others to measure option ROMs,
|
||||||
and others to measure the operating system. In principle one could
|
and others to measure the operating system. Each platform has a
|
||||||
measure the entirety of an operating system and all the code that is
|
specification for which PCRs are used or reserved for what purposes. In
|
||||||
installed on the system.
|
principle one could measure the entirety of an operating system and all
|
||||||
|
the code that is installed on the system.
|
||||||
|
|
||||||
RTM can be used to ensure that only known-trusted code is executed, and
|
RTM can be used to ensure that only known-trusted code is executed, and
|
||||||
that important resources are not unlocked unless the state of the system
|
that important resources are not unlocked unless the state of the system
|
||||||
|
@ -179,7 +157,9 @@ to unlock (unseal) the object.
|
||||||
|
|
||||||
On the "PC platform" (which includes x64 servers) the BIOS keeps a log
|
On the "PC platform" (which includes x64 servers) the BIOS keeps a log
|
||||||
of all the PCR extensions it has performed. The OS should keep its own
|
of all the PCR extensions it has performed. The OS should keep its own
|
||||||
log of extensions it performs.
|
log of extensions it performs of PCRs reserved to the OS. Each
|
||||||
|
application has to keep a log of the extensions of the PCRs allocated to
|
||||||
|
it. Again, the TPM itself cannot do this.
|
||||||
|
|
||||||
The eventlog documents how the PCRs evolved to their current state,
|
The eventlog documents how the PCRs evolved to their current state,
|
||||||
whatever it might be. Since PCR extension values are typically digests,
|
whatever it might be. Since PCR extension values are typically digests,
|
||||||
|
@ -228,6 +208,26 @@ area cannot be changed after creating it. One can delete and then
|
||||||
recreate an object in order to "change" its public area, but this
|
recreate an object in order to "change" its public area, but this
|
||||||
necessarily yields a new name (assuming no digest collisions).
|
necessarily yields a new name (assuming no digest collisions).
|
||||||
|
|
||||||
|
### Cryptographic Object Naming as a Binding
|
||||||
|
|
||||||
|
> This section comes too soon, since it relates to attestation and
|
||||||
|
> restricted keys. Still, it may be useful to illustrate cryptographic
|
||||||
|
> object naming with one particularly important use of it.
|
||||||
|
|
||||||
|
A pair of functions, `TPM2_MakeCredential()` and
|
||||||
|
`TPM2_ActivateCredential()`, illustrate the use of cryptographic object
|
||||||
|
naming as a binding or a sort of authorization function.
|
||||||
|
|
||||||
|
`TPM2_MakeCredential()` can be used to encrypt a datum (a "credential")
|
||||||
|
to a target TPM such that the target will _only be willing to decrypt
|
||||||
|
it_ if *and only if* the application calling `TPM2_ActivateCredential()`
|
||||||
|
to decrypt that credential has access to some key named by the sender,
|
||||||
|
and that name is a cryptographic name that the sender can and must
|
||||||
|
compute for itself.
|
||||||
|
|
||||||
|
The semantics of these two functions can be used to defeat a
|
||||||
|
cut-and-paste attack in attestation protocols.
|
||||||
|
|
||||||
## Key Hierarchies
|
## Key Hierarchies
|
||||||
|
|
||||||
TPMs have multiple key hierarchies, all rooted in a primary decrypt-only
|
TPMs have multiple key hierarchies, all rooted in a primary decrypt-only
|
||||||
|
@ -447,7 +447,8 @@ many TPM concepts can be used to great effect:
|
||||||
- using PCRs to attest to system state
|
- using PCRs to attest to system state
|
||||||
- using policies and sealed-to-PCRs objects to attest to authentication
|
- using policies and sealed-to-PCRs objects to attest to authentication
|
||||||
events on the system
|
events on the system
|
||||||
- using restricted keys to authenticate a TPM and bind it to its host
|
- using restricted keys and cryptographic object naming to authenticate
|
||||||
|
a TPM and bind it to its host
|
||||||
- delivering key material to authenticated systems via their TPMs
|
- delivering key material to authenticated systems via their TPMs
|
||||||
- unlocking resources following successful attestation
|
- unlocking resources following successful attestation
|
||||||
- authorization of devices onto a network
|
- authorization of devices onto a network
|
||||||
|
|
Loading…
Reference in a new issue