6

I have a work/gaming computer. The work side is a SSD with linux and the game side is a SSD with Win7 (all security turned off, planning to get viruses and rewipe every LAN). Only one of the drives is physically plugged in at a time. So long as the two drives are never both plugged in the only way I can see to get a virus from the Win7 to the Linux drive is if it infects the BIOS and then gets the other drive when I switch em. (If this is disputable please comment, and we can talk on another question.)

I have heard of this "TPM" thing, but only in so far as it will possibly allow manufacturers to stop me from installing a different OS, which is not what I am trying to protect myself from.

So the scenario is this: assuming the Win7 boot is compromised to the max, how can I protect my BIOS (or at least know if its been tampered). I have seen this question, and it leaves some ambiguity if TPM is sufficiently low-level to actually validate a compromised BIOS. How to check the integrity of my BIOS?

I am willing to buy a special motherboard for this purpose.

Community
  • 1
Mikey
  • 161
  • 1
  • 4
  • You say, "So long as the two drives are never both plugged in the only way I can see to get a virus from the Win7 to the Linux drive is if it infects the BIOS and then gets the other drive when I switch em. (If this is disputable please comment, and we can talk on another question.)" I'll take you up on that offer, because as explained [here](http://security.stackexchange.com/a/7213/10198), your premise ("the only way...") is unfortunately false. – sampablokuper Dec 16 '13 at 00:40

3 Answers3

9

You are mixing up two technologies here it seems.

First, there is UEFI and its Secure Boot feature. Secure Boot can be used to assure that your boot loader and your OS kernel are not tampered with. In order to do so, your boot loader and kernel need to be signed digitally and your UEFI configuration must contain the certificates/signatures needed to verify the signatures. Windows 8 on ARM platforms uses UEFI to effectively prevent other OSs from being installed. UEFI, however, does not offer any real protection against attacks on firmware level.

Now for the TPM: The TPM is a passive hardware chip that is (amongst other things) used to store measurements (hash values) of e.g. software in a tamper resistant manner and to make those measurements available for reporting. Mainboards that ship with a TPM have special requirements to their firmware. First, they have a tiny piece of special firmware called Core Root of Trust for Measurement (CRTM). The CRTM is executed first during boot and stores measurements of itself and of the next piece of firmware (BIOS or UEFI) before handing over control to it. The next piece of firmware would typically measure the boot loader which in turn would measure the OS kernel and so on up to application level (in detail the measurement process is more complicated of course). Most boot loaders and OSs, however, do not use the TPM this way. Anyway, if you have a TPM on your Mainboard, you can be sure it measures your firmware.

What can you do with those measurements? BitLocker e.g. uses Sealing to bind the keys needed to decrypt your HD to those measurements. That means, your HD keys can not be used, if malware corrupts your firmware. So, on Windows you can use BitLocker to protect against tampering of your firmware. I am not aware of something similar for Linux (though something might exist). You could however, use a Trusted Network Connect (TNC) enabled Radius server and a TNC enabled wpasupplicant to verify the measurements remotely.

rosso
  • 161
  • 1
  • 2
4

TPM can be used to check during boot if the kernel is unmodified (signed) as well it can perform Bitlocker full disk encryption. It doesnt prevent any remote attacks to your machine in practice except for remotely installing kernel or vt rootkits. The hardware root key you can use eventually to sign your requests, like to get into another secure LAN, or get secure resource over HTTPS. And yes, it protects the BIOS as well just by checking if it's loading the correct kernel.

Andrew Smith
  • 1
  • 1
  • 6
  • 19
  • I'm calling them "remote" attacks because the attacker doesn't have physical access to the box/mobo, but rather can just put whatever he wants on the disk that will boot. Also, I still don't understand HOW I would use TPM to do this... Also, I don't care about my kernel.. I want to protect my BIOS. Is TPM the wrong thing? – Mikey Jun 22 '12 at 18:47
  • TPM during boot is checking the signature of the kernel, which than loads all other things, so with TPM, you will not boot anything else, if you can configure the machine this way. This prevents the hidden rootkits. It's like a boot manager with hardware trusted root key. – Andrew Smith Jun 22 '12 at 18:49
  • Not sure if windows 7 kernel can be done this way, but with linux there are some motherboards with good support. Windows 8 and new hardware is supposed to have it out of the box, so I would look for these. – Andrew Smith Jun 22 '12 at 18:53
  • @Mikey One of the roles of a TPM is to verify the integrity of the boot process, including at least all BIOS components, and including the bootloader, the OS kernel and other OS components if they support it. For a detailed how-to on a particular motherboard, you should ask on [su]. – Gilles 'SO- stop being evil' Jun 23 '12 at 22:01
0

TPM does have the ability to check BIOS, its the chain of trust that propogates. Check both static and dynamic root of trust for protocols and see what suites you best. And again be sure why u want to protect the BIOS and what is it that you really want to protect.

zeroknowledge
  • 41
  • 2
  • 1
    It can only safely check the BIOS if the CRTM is read-only. I'm not sure if every implementation actually forces it to be read-only or just stuffs it in with the rest of the BIOS code. – forest Feb 20 '18 at 04:29