Re: A _good_ and valid use for TPM

[phcoder]

Alex Besogonov wrote:
> > First of all your system is still totally vulnerable to emanation and
> > power analysis or hw tampering.
> Yes, but that's way too hard.

Sure? There was a demonstration when rsa key was recovered just by 
plotting variations on powerline of usb port
And what about cache attack?

> > By reflashing bios one can bypass all
> > tpm protections (don't say it's difficult because it's closed source and
> > so on. Look at all closed source obfuscations/pseudo-protections that
> > get cracked every day)
> That's possible, but again I consider this not critical. BIOS itself
> is checksummed and checked by the root of trust.
Isn't bios (or part of it) the root of "trust"
> > Personally if tpm support is merged into mainline grub2 I'll stop using
> > it.
> Why?
Because I don't want support this technology. 
TPM=obfuscation=unsecurity. And as an opensource and open security fan I 
can't claim to have solved an impossible problem. But if you want to use 
obfuscation schemes it's your right
> Won't work.
>
> For example, attacker can run everything inside a hypervisor and then
> just dump memory and extract decryption keys. You have no reliable
> ways to detect hypervisor from inside the running OS. You can pile
> layers upon layers of integrity checks, but they are useless if
> hardware itself is not trusted.  TPM allows me to establish this
> trust.
You assume that noone will develop hypervisor able to fool tpm bios. One 
could powercut the tpm chip (similar to how a resistor is remove to 
avoid burning efuses in xbox) then power would be reestablished to it 
and bios would be executed on hypervisor which will retrieve the keys. 
Actually you can trust tpm only as much as you trust in obfuscation 
power of bios. Only obfuscation prevents attacker from disconnecting tpm 
and reading keys from it. And there are only few types of tpm. Sooner or 
later someone will figure their interface. Then it can be read by 
special usb adapter
> Actually, I can probably even formally prove this assumption.
I really don't see you point. With my proposition mbr still can be 
verified by tpm but grub2 needs to know nothing about tpm as long as it 
ensures it doesn't load any unsigned modules. This approach is more 
versatile. It can be used also for e.g. checking that debian install is 
really from debian. And having experience with manufacturers supplying 
buggy hw and sw  tend to avoid solutions directly relying on hardware 
when another implementation is possible
Which collaboration other than not loading anything unchecked does your 
scheme need from grub?
From readme of trustedgrub the only thing it does is checking integrity
> > First advantage is that you can override it manually supplying grub password
> Administrator can manually override TPM by supplying the decryption
> key directly instead of fetching them from my key server.
>
> [skipped because this scheme just won't work]
>
> > I personally would be interested in implementing security features in
> > grub2 as long as tpm stays away
> Then that's a religion, not engineering.
Tell it what you want but I don't trust code that I can't verify. And 
tpm is root of obfuscation.
> PS: please, can you CC me when you answer my posts?
Could you come to irc channel or meet me at jabber/gtalk?
Regards
Vladimir 'phcoder' Serbinenko