2

This post seems on point but I didn't understand the answer enough to answer this question.

Intel's vPro offers "Total Memory Encryption" (TME), which encrypts RAM and system bus data while the computer is on. Does TME encryption improve the security of a computer when its screen is locked? That is, if the computer has implemented Full Disc Encryption (e.g., Debian with Luks/dmcrypt), will a TME enabled computer (that is on with a locked screen) be harder to attack because the RAM is encrypted behind the locked screen? Does the RAM encryption improve the security of the FDE key being held in RAM?

user847
  • 21
  • 2

1 Answers1

2

To some extent

A relatively common physical attack against full disk encrypted computers is the cold boot attack, which focuses on copying the contents of the RAM of a running computer, from which FDE keys and other secrets can be extracted. Cold boot attacks are of two types:

  1. The attacker resets the system and boots onto another OS with a minimal memory footprint and copies as much data as possible from memory.

  2. The attacker cools the RAM, removes it from the computer and plugs it into another system to analyze its contents.

TME mitigates both of these. In case of 1, the encryption engine will discard the key used to encrypt the memory when the attacker resets and boots onto another OS, so the attacker will not be able to decrypt anything. In case of 2, the attacker will not have the encryption key since the key never leaves the encryption engine, so again, they cannot decrypt anything.

However, TME is not a panacea against all physical attacks. As the answer to the question you linked to mentions, it would still be possible to attach JTAG probe to the computer. Basically, JTAG is a hardware debugger that can be attached to the motherboard and used to gain control over the CPU. Once attached, it can halt the CPU, read or modify CPU registers and access memory. This would effectively allow you to bypass the memory encryption. However, this is not as easy as a cold boot attack, since you have to buy a somewhat expensive device and sign an NDA with Intel.

TL;DR: TME raises the bar for physical attacks against a running but locked computer. It mitigates the risk of cold-boot attacks, which are a common attack vector against FDE. However, further steps would have to be taken to prevent other, more expensive attacks.

nobody
  • 11,251
  • 1
  • 41
  • 60
  • Is it fair to assume that with a TME enabled computer, the attacker would have to be fairly sophisticated in knowledge and resources to be successful? i.e., state-sponsored, corporate espionage, or something like that? Or would someone employed in a computer profession or as a programmer be able to do it? – user847 Aug 30 '21 at 18:09
  • @user847 With TME enabled, the average programmer (or even the average pentester/hacker) almost definitely won't be successful in recovering FDE keys from a locked computer. A highly skilled security researcher might be, and a state-sponsored group will probably be successful, unless you've taken significant measures to harden your system. – nobody Aug 30 '21 at 18:57