Re: Linux DRTM on UEFI platforms
From: Matthew Garrett
Date: Fri Aug 12 2022 - 01:54:56 EST
On Fri, Aug 12, 2022 at 12:52:58PM +0930, Brendan Trotter wrote:
> Hi,
>
> On Fri, Aug 12, 2022 at 3:55 AM Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
> > On Thu, Aug 11, 2022 at 07:25:58PM +0930, Brendan Trotter wrote:
> > > On Thu, Aug 11, 2022 at 3:16 AM Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
> > > > The kernel has no way to know this - *any* code you've run before
> > > > performing a measurement could tamper with the kernel such that it
> > > > believes it's fine. This is just as true in DRTM as it is in SRTM. But
> > > > you know what the expected measurements should be, so you're able to
> > > > either seal secrets to those PCR values or rely on remote attestation.
> > >
> > > In this scenario the kernel has no idea what the measurement should
> > > be, it only knows the measurement that a potentially malicious boot
> > > loader felt like giving the kernel previously (e.g. when the kernel
> > > was installed).
> >
> > Even if the kernel has an idea of what the measurement should be, it has
> > no way to verify that what it believes to be true is true - any
> > malicious code could simply have modified the kernel to believe that
> > anything it asks the TPM returns the "correct" answer.
>
> Right. To achieve the best possible security; you'd need Secure Boot
> to ensure that the kernel itself wasn't modified, and then the kernel
> establishes a dynamic root of trust itself.
You can't rely on Secure Boot because compromised firmware might fail to
implement it, so you're back to relying on dynamic trust.
> Anything involving a boot loader (e.g. Secure Boot ensure's boot
> loader wasn't modified, then boot loader ensure's kernel wasn't
> modified, then ....) increases the attack surface for no benefit.
I honestly feel like we're talking about different things. Can you
describe the attack vector you're concerned about here?
> I'm not convinced an external agent can detect "bad/forged
> measurement" either. E.g. if a MiTM boot loader always provided a
> bad/forged measurement the external agent won't detect it (as the
> measurement always matches the expected measurement), and then if the
> MiTM boot loader is replaced by a good/honest boot loader the external
> agent will decide that the good/honest boot loader is malicious
> because its measurement doesn't match the expected bad/forged
> measurement.
The point of DRTM is that the platform (in the form of an authenticated
code module running on the CPU, outside of the control of the OS)
performs a measreument of a specific point in time. The policy it's
provided with allows an external agent to identify which component of
the runtime system is being measured. If an external malicious agent has
been executed then the measurement will be different as a result.