Trusted Boot in Fedora

[夜神 岩男]

On Fri, 2011-06-24 at 11:11 +0200, Till Maas wrote:
> On Fri, Jun 24, 2011 at 10:01:45AM +0100, Camilo Mesias wrote:
> > I am still struggling to see real applications for this. I don't know
> > how a networked system using the technology could be differentiated
> > from an (insecure) software simulation of the same from a remote
> > viewer's perspective. Also I don't see how it would be used in the
> 
> Afaik it would allow to securely enter hard disk encryption passwords
> via network on a Fedora system, because one can ensure that the correct
> (untampered) initrd / kernel is loaded.
> You cannot simulate this afaik because the used cryptographic keys are
> only stored in the TPM module and cannot be accessed from the outside.
> Therefore one needs to tamper with the TPM module instead of only with
> the unencrypted /boot partition, which is a lot harder from my point of
> view.
> 
And as time passes and weaknesses are exposed in the encryption scheme
hard-wired into the TPM component, what do we do then other than buy new
hardware in a panic? (Assuming this becomes a technology we all come to
depend on in some way and doesn't just sort of die off in the commercial
space as I expect it will.)

There is nothing preventing smart people from being smart and this is
why hard-wired crypto solutions are always of both extremely short
usefulness (you have to buy a new $device to either change compromised
keys or upgrade to higher security) and under enhanced threat due to
their value as slow-moving security targets for attackers. The best
middle-ground solution I've seen is to involve a hardware device such as
an IC Card/SmartCard/dongle that is easily expendable/removable/cheap in
the solution so the major components do not themselves become
expendable.

This is the direction the government and military are coming from --
viewing crypto components as expendable -- because they are always
subject to attack. Either the TPM and stored hashes are removable or the
entire computing system has an extremely short lifecycle duration. They
are interested in the technology, but the flavor of their interest is
different than the commercial DRM vendor space -- and I don't see any
other driving interest in the commercial space than this. The commercial
space has a significantly different take on things and also an
overwhelming underestimation of how effective the wild unwashed masses
are at producing circumvention to such technologies when given
sufficient reason (and anything is a good reason to some people).

But we already have SmartCard, dongle, etc. solutions and their
usefulness extends to where they are used today. How is TPM any
different other than it is inextricably tied to the rest of my computer
and now my computer can be regulated? Simply guaranteeing that a certain
kernel was booted guarantees nothing -- a proper kernel can still be the
platform for sinister activity. And anyway, hashing and verifying the
hash of the kernel can be done in other, removable (and device
independent) ways than hardwiring the solution into the computer.

If I want to use the same computer for 5 years, but someone either
cracks the algorythm behind the encryption used or finds a repository of
generated keys (or even just a slight weakness in the randomness of
generated keys, thus massively reducing the set of actual vs theoretical
keys) what am I to do? I like netflix and want to keep watching, but the
chipset I have is no longer acceptable under their EUA, so I have to buy
new hardware that I don't want or otherwise need. Currently this happens
with forced Windows upgrades and we all rail against that. Now it can
happen on a different level because we are introducing a new layer of
"hardware requirements" and one that can be as strictly enforced as it
can be arbitrary.

Those are my concrete concerns and I don't see how hardwiring what is
essentially a mathematical solution to a problem is the right direction
from a technical standpoint in the consumer space. In fact, historically
speaking this is a direct step back away from fully programmable
information processing systems, because we are hardwiring security
components into the system now. This sounds like a 1950's solution in
need of a 2010's problem.

The dream (or rather the public sales pitch) is that with TPM we can
leave laptops unattended for extended periods in hotel rooms and not be
subject to evil maid attacks because the system will verify itself in a
way that can't be overwritten by the maid. But this is silly. If you
lose control of the device what is to prevent said evil maid from simply
swapping your processor or tampering in other ways with the hardware
(after all, the tboot protocol is already described as skipping the
check if a non-TXT enabled device is present)?

It didn't take long for iPhone hackers to find nifty solutions to their
perceived problems, I can't imagine professional security crackers will
not come up with similar solutions in a jiffy. We will never escape the
cardinal rule of security that if an attacker has physical access then
you do not have security. There is a reason that is beaten into the
heads of new security students. Imagining otherwise is a pipe dream, and
has been so proven since the 40's. In fact, this sounds a lot to me like
one of the scenarios where a hardware promise winds up delivering an
even worse vulnerability from an unexpected angle later.

The technology will be cracked. Each generation of TPM will be cracked.
All encryption is based on decaying standards. The consortium required
to make a decision on an awkward false standard like trusted computing
will never be able to react fast enough to the reality that somewhere
out there there is always someone smarter than whoever made the TPM (and
considering that comittee logic tends to produce
lowest-common-denominator tecnology/decisions anyway, this is likely),
so the TPM producers will always be engaged in a losing race.

Consider the state of hardware hacking in the gaming console gaming
community -- and that is just for video games. The game console hackers
are not very numerous, and yet have met with great success (and great
litigation from time to time -- but suing your own best customers is
another issue altogether). Consider how many more people will have a
vested interest in crushing $current_tpm_standard if it is a core
component of general purpose computers and how many more people will
beleive the story they are sold about how secure it makes everything
(and the inveitable slew of terrible security mistakes that will ensue
as a result of the droves of tech-ignorant masses relying on just one
layer of hardwired security).

DRM only really prevents fair-use copies, as there is always a
workaround for human-use media and there is nothing that can be done
about it. Market models have to change, not my computer's boot cycle,
because of the new realities of the consumer space.

All that being said -- aside from:

     1. Government/military use in environments where 1 year is a long
        time to be using the same device
     2. DRM schemes which open the door to regulation of the sale of
        non-TPM devices [1]

what are the uses of this technology that do not already have well
understood solutions? Secure login has a hundred schemes, many of the
quite good. Is TPM so groundbreaking that it stands a shot at
permanently replacing such mechanisms? If not, then I do not think it is
reasonable to permanently install TPM components in my computer.

These are the things we should be discussing in a general sense, in my
view, not just the technicals of implementation. Software is wonderful
at making boolean determinations, and so tboot naturally can be made to
not interfere with people who don't have a TPM. This is not a hard
question. The problems are societal and practical in nature. Societally
speaking the FOSS community stands pretty resolutely against patent
encumberance and DRM. As a practical measure it simply does not make
sense to hardwire a cryptographic solution into a long-term general use
piece of hardware.

-Iwao

[1] This opens the door to regulating the sale or possession of non-DRM
devices such as cameras, phones, computers, whatever -- and before you
think this is preposterous, consider that there are already laws against
disabling, say, region coding technology on an old DVD player despite
the fact that you own the device (which begs the question: Can it be
made illegal to change your own oil filter?)