11/4/2015
Open XT TPM Sealing
Open XT TPM Sealing David Quigley –
[email protected] ⋅ Daniel Smith –
[email protected]
As a virtual platform assurance in OpenXT is based from the bottom up. Without assuring the integrity of each previous component we can’t make any valid statements about the integrity of what we are trying to start. The measured boot process ensures that all resouces used to get the platform in a running state are what we placed on the system and expect them to be. As time moves on additional services like a Measurement & Attestation capability will ensure later components are correct and remeasurement components will ensure the running base system components match what has been placed on disk.
OpenXT Measured Boot Data In order to provide a solid foundation for future measurements and to assure the integrity of the boot platform measured launch performs measurements of key boot programs and files. As described in the OpenXT Architecture Guide [1] several measurements are taken of the system on boot. PCR[0]
Used to store the Core Root of Trust for Measurement (CRTM), POST BIOS, and Embedded Option ROMs
PCR[1]
Platform Configuration
PCR[2]
Option ROM Code
PCR[3]
Option ROM Configuration and Data
file:///home/drquigl/projects/open-xt/docs/openxt-measured-boot-reseal.html
1/8
11/4/2015
Open XT TPM Sealing
PCR[15]
OpenXT Engine root filesystem
PCR[17]
TXT data SHA-1 hash of BIOS ACM: SinitMleData.BiosAcmID (20 bytes) STM opt-in indicator: SinitMleData.MsegValid (8 bytes) SHA-1 hash of the STM (or all 0s if opt-out): SinitMleData.StmHash (20 bytes) LCP Control Field of used policy (PD or PO): SinitMleData.PolicyControl (4 bytes) SHA-1 hash of used policy (or all 0s if chosen not to be extended): SinitMleData.LcpPolicyHash (20 bytes) MLE-chosen Capabilities (or all 0s if chosen not to be extended): OsSinitData.Capabilities (4 bytes)
PCR[18]
SHA1 hash of the MLE
PCR[19]
SHA1 hash of Xen Hypervisor, Kernel and command line, LCP Policy, initramfs, tboot ACMs and XSM policy
Current Sealing Operations Seal Operation: 1. During install of DOM0 [2], a call is made to TPM scripts function configure_measured_launch [3] 2. configure_measured_launch a. creates a random 32 byte key and stores it unencrypted on the xenclient-config logical volume with path /config/keys/config.keys file:///home/drquigl/projects/open-xt/docs/openxt-measured-boot-reseal.html
2/8
11/4/2015
Open XT TPM Sealing
b. ensures LUKS slot 1 for xenclient-config logical volume is empty c. stores the random 32 byte key into LUKS slot 1 d. stores into /config/config.pcrs the PCRs that will be used to seal against e. creates filesystem flag files in /boot/system/tpm i. clear-config-key ii. setup iii. enabled 3. At the end of the install during the commit phase [4] , when dom0 is being finalized [5], the own_tpm [6] is called
4. own_tpm calls tpm_configure_gen_passwd [7] 5. tpm_configure_gen_passwd a. creates a random 15 printable character string b. encrypts the password using the recovery key’s(RSA) pub key and stores it in /boot/system/config/tpm-owner-passwd.ssl c. generates the TPM’s EK d. takes ownership of the TPM configured to use the well-known SRK 6. Install completes and system reboots into the new install 7. The initramfs init script checks for the /boot/system/tpm/enabled file, if found calls tpm_setup [8] 8. tpm_setup a. loads the tpm modules b. creates tpm char device c. calculates the sha1 of the root block device d. extends PCR 15 with the sha1 9. Then a pivot root is called with the init.root-ro script via the selinux-load.sh script [9]
file:///home/drquigl/projects/open-xt/docs/openxt-measured-boot-reseal.html
3/8
11/4/2015
Open XT TPM Sealing
10. The init.root-ro based on the setup flag [10] uses the get-config-key utility to unlock the xenclient-config logical volume 11. It then sets a variable that a reseal is required [11] 12. The reseal variable is matched and the /config/keys/config.key is sealed [12] against PCRs in /config/config.pcrs and stored in /boot/system/tpm/config.tss 13. The system is then rebooted 14. The clear-config-key is tripped [13] , and the sealed key is used to erase the get-configkey key from xenclient-config LUKS 15. Then PCR 15 is extended by 20 random bytes 16. The system init daemon is invoked Reseal Operation: 1. During OTA the current unsealed key is used to add the get-config-key key back into xenclient-config LUKS 2. The filesystem flags setup and clear-config-key are set 3. OTA finishes and system reboots to new install 4. steps 10 - 14 from the Seal Operation are triggered
Proposed Sealing Operations This process makes a few suggestions and assumptions. Provisioning should always be done on an isolated network/offline for security reasons. Also the answer file for provisioning must contain the recovery password and TPM owner password as they are used during installation. Seal Operation: (install, first boot, and potential failed upgrades) 1. During install of DOM0 [14], a call is made to TPM scripts function configure_measured_launch [15] 2. configure_measured_launch file:///home/drquigl/projects/open-xt/docs/openxt-measured-boot-reseal.html
4/8
11/4/2015
Open XT TPM Sealing
a. creates a random 32 byte key and stores it unencrypted on the xenclient-config logical volume with path /config/keys/config.keys b. ensures LUKS slot 1 for xenclient-config logical volume is empty c. stores the random 32 byte key into LUKS slot 1 d. creates filesystem flag files in /boot/system/tpm i. setup ii. enabled 3. At the end of the install during the commit phase [16] , when dom0 is being finalized [17], the own_tpm [18] is called
4. own_tpm calls tpm_configure_gen_passwd [19] 5. tpm_configure_gen_passwd a. generates the TPM’s EK b. takes ownership of the TPM with own-password from answer file configured to use the well-known SRK 6. Install completes and system reboots into the new install 7. The initramfs init script checks for the /boot/system/tpm/enabled file, if found calls tpm_setup [20] 8. tpm_setup a. loads the tpm modules b. creates tpm char device c. calculates the sha1 of the root block device d. extends PCR 15 with the sha1 9. Then a pivot root is called with the init.root-ro script via the selinux-load.sh script [21] 10. The init.root-ro based on the setup flag [22] uses an ncurses prompt to request the recovery key to unlock the xenclient-config logical volume
file:///home/drquigl/projects/open-xt/docs/openxt-measured-boot-reseal.html
5/8
11/4/2015
Open XT TPM Sealing
11. /config/keys/config.key is sealed [23] against PCRs on current running system and stored in /boot/system/tpm/config.tss 12. The system is then rebooted 13. Measured launch verifies the boot and unseals the key used to decrypt the /config partition and decrypts the partition. 14. Then PCR 15 is extended by 20 fixed bytes (ascii readable string to be determined) 15. The system init daemon is invoked Reseal Operation: (remote OTA update) 1. During OTA syncvm pulls down the new OTA package a. rootfs image b. service vms c. stage 2 installer 2. Installer lays down new system 3. Calculate PCRS a. Gather current PCR[0]-PCR[3] b. Calculate PCR[15] with the sha1 hash of the new rootfs image c. Calculate PRC[17] & PCR[18] & PCR[19] using pcr-calc 4. Move /boot/system/tpm/config.tss to /boot/system/tpm/config.tss.old 5. Forward Seal /config/keys/config.key against Calculated PCRs and stored in /boot/system/tpm/config.tss 6. reboot into new measured environment
Changes The two above configuration flows for sealing keys look very similar. The main difference in the sealing steps comes from the use of a hardware based key as the LUKS slot 0 encryption key. This is removed and replaced with a password that is specified in the answer file for provisioning along with the tpm owner key used in provisioning the file:///home/drquigl/projects/open-xt/docs/openxt-measured-boot-reseal.html
6/8
11/4/2015
Open XT TPM Sealing
TPM. Additionally extra reboots are removed from the install process and secret sealing is handled. The final change is that the extension to PCR[15] will use a known ascii readable string to allow the value of PCR[15] to be used for attestation. Finally the old sealed secret file config.ts is saved to enable roll back in the case of OTA updates. The use of pcr-calc in the reseal operation and not the initial seal operation is due to the boot not being under tboot at that point in the installation. Only if the system is booted using tboot and the appropriate modules can pcr-calc be used to generate the appropriate values.
Future Enhancements In addition to the changes made above other additions could make provisioning and measured launch more secure. Addition of a GRUB password will make it so the user cannot modify the boot and remove the measured boot modules or the ACM. Additionally storing the config partition key inside the VTPM Manager will provide a more secure location for it and additional protection. Finally to mitigate every machine having the same ownership keys a provisioning infrastructure should be created to make it easy for administrators to assign passwords to machine in a more efficient way,
1. https://github.com/OpenXT-Extras/docs/blob/master/XTArchitectureGuide.pdf?raw=true 2. https://github.com/OpenXT/installer/blob/master/part2/stages/Functions/install-main#L273 3. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/xenclient/xenclient-tpmscripts/tpm-functions#L231 4. https://github.com/OpenXT/installer/blob/master/part2/stages/Functions/install-main#L111 5. https://github.com/OpenXT/installer/blob/master/part2/stages/Functions/install-main#L333 6. https://github.com/OpenXT/installer/blob/master/part2/stages/Functions/install-main#L834 7. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/xenclient/xenclient-tpmscripts/tpm-functions#L269 8. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/initrdscripts/initramfsxenclient/init.sh#L172 9. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/initrdscripts/initramfsxenclient/init.sh#L163 10. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/xenclient/xenclient-rootro/init.root-ro#L227 11. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/xenclient/xenclient-rootro/init.root-ro#L233 12. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/xenclient/xenclient-rootro/init.root-ro#L329 13. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/xenclient/xenclient-rootro/init.root-ro#L354
file:///home/drquigl/projects/open-xt/docs/openxt-measured-boot-reseal.html
7/8
11/4/2015
Open XT TPM Sealing
ro/init.root-ro#L354 14. https://github.com/OpenXT/installer/blob/master/part2/stages/Functions/install-main#L273 15. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/xenclient/xenclient-tpmscripts/tpm-functions#L231 16. https://github.com/OpenXT/installer/blob/master/part2/stages/Functions/install-main#L111 17. https://github.com/OpenXT/installer/blob/master/part2/stages/Functions/install-main#L333 18. https://github.com/OpenXT/installer/blob/master/part2/stages/Functions/install-main#L834 19. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/xenclient/xenclient-tpmscripts/tpm-functions#L269 20. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/initrdscripts/initramfsxenclient/init.sh#L172 21. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/initrdscripts/initramfsxenclient/init.sh#L163 22. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/xenclient/xenclient-rootro/init.root-ro#L227 23. https://github.com/OpenXT/xenclient-oe/blob/master/recipes-openxt/xenclient/xenclient-rootro/init.root-ro#L329
Last updated 2015-11-04 09:04:30 EST
file:///home/drquigl/projects/open-xt/docs/openxt-measured-boot-reseal.html
8/8
