1

Among the things listed that a TPM chip can do I found something not like the others:

  • Remote Attestation: ... This allows a third party to verify that the software has not been changed.

But in a certain way we know that's not a feasible thing and but TPM claims it. If I wanted to tear away remote attestation normally I would patch programs in RAM so they're in a different state than they could normally be in, but the explanation given for how is "Creates a nearly unforgeable hash key summary of the hardware and software configuration. The software in charge of hashing the configuration data determines the extent of the summary."; but fundamentally if you can read bits you can clone them.

So the question; what's the feasiblity of making a chip that when asked for these things answers "it's this" where this is something put in at configuration time with no regard to what the chip should be doing?

Joshua
  • 1,090
  • 7
  • 11
  • I believe this post [TPM and Remote attestation](https://crypto.stackexchange.com/questions/59965/tpm-and-remote-attestation) may assist in better understanding possible side-channel attacks against remote attestation – safesploit Aug 04 '21 at 15:27
  • @safesploit: Does not that question have the unstated assumption that the administrator of the box on which the TPM is installed is trustworthy? – Joshua Aug 04 '21 at 15:39

1 Answers1

1

fundamentally if you can read bits you can clone them.

Yes. But remote attestation relies on a signature, not just a hash. The signature is made by a private key which is located in the TPM, and you can't read that.

A TPM is isolated from the main operating system to some extent. Being the administrator does not give you access to the TPM. Even having physical access is not enough. Discrete TPM chips are hardened; they're typically older-generation smartcard chips. Barring bugs in the TPM firmware (which is a possibility, no software is ever perfect), it takes some expensive hardware to breach those chips. Some computers have a TPM implemented as firmware running on the main chip, which is less protected against physical attacks, and potentially more vulnerable to side channel attacks conducted from the main operating system. Even in that case, if you want to fake a TPM signature, you have to find an exploitable bug.

what's the feasiblity of making a chip that when asked for these things answers "it's this" where this is something put in at configuration time with no regard to what the chip should be doing?

That part's easy. You don't need a special chip for that. Just run a TPM emulator.

It won't do you any good because you won't be able to sign with a key that is trusted by whoever cares about the remote attestation.

I would patch programs in RAM so they're in a different state than they could normally be in

You can try that, but then the difficulty is lying to the TPM. If you want to try this approach, a discrete TPM works best, because the bus between the TPM and the CPU is relatively exposed and generally not protected. In an integrated or firmware TPM, this is likely very difficult (again, barring bugs in the firmware).

Recommended background reading:

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
  • You know what, "Just use a TPM emulator" is a complete answer by itself. I was considering constructing a machine that never had a trustworthy TPM chip in the first place. – Joshua Aug 05 '21 at 21:09