0

I read about TPM2 with PCR locking full-disk encryption from different sources. For example [1]. What I can't understand is how much does this protect from full server theft.

If we assume that the TPM2 module is secure (the attacker can't read it), proper PCR locking is implemented, and directly reading the RAM of the system is not a concern either, then can the encryption key be obtained and the disk read by an attacker?

Does secure boot and/or bootloader locking affect the above question?

Update: I would like to see a list of things that need to be set up so that full disk encryption with TPM (without PIN) protects against getting hands on decrypted data and/or the encryption key, e.g. is secure boot required, should GRUB be locked for editing options, etc.

[1] http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html

akostadinov
  • 555
  • 3
  • 8

4 Answers

2

TPM2 should be seen as a security device (smartcard or key) that physically resides on the machine. If the full server is stolen, the result is the same as if the attacker could steal both the disk and the FIDO key or smartcard containing the decrypting credentials:

  • it is not possible to extract a private key from the TPM2 module, exactly as it cannot be extracted from a FIDO key or smartcard
  • unless the private key is protected with a password, it can be used as soon as you have the security device

That means that a TPM2 module will offer strong security against any at-rest attack consisting of stealing backups or any other offline copy, until the attacker also takes the server hardware and the TPM2 module.

The IT world seems to contain a good deal of magic, but if you go deep enough no true magic remains and everything boils down to where the final key is. If the final key is in the TPM2 module and the attacker could steal the hardware, then they can decrypt anything. And if the final key is not the TPM2 but a pass phrase used to decrypt the key, no unattended reboot is possible because someone has to give that damned pass phrase.

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
  • My understanding is that this is exactly the purpose of PCR locking - to unlock the protected key only if the boot process is not modified. Would you address that? – akostadinov Mar 08 '22 at 13:25
1

Using a full disk encryption that incorporates a TPM protects the boot process from changes.

As we are talking about a server, unattended boot can be expected to be a requirement, hence the TPM has been set up without a PIN. So anybody can boot up the machine but not modify the boot process.

So the problems start when the system is booted up. At that time the master encryption key has been loaded into memory, and if you have physical access to the server there are a number of attacks that might reveal the master key in memory. Which of those attacks are really feasible depends on the security measures used by the system:

  1. With physical access to the server you can cool down the RAM modules and remove power. Then remove the RAM modules, transfer them into a second server and read out the content. Some server CPUs provide functions to encrypt RAM; if that measure is available and used at least for the disk encryption key(s), then this attack should not succeed.

  2. Several bus systems in a server allow direct memory access (DMA). Even if the bus type is not hot-pluggable, in reality you can succeed in e.g. inserting a hardware component at run-time. This component can then make use of DMA and try to read out the master encryption key from RAM. For a few years CPUs have had features to limit DMA access, but I don't know any details of how to test whether this feature is used or not for a disk encryption. Memory encryption should prevent this attack, too.

  3. The TPM chip is usually connected using an LPC bus to the chipset/CPU. This bus is pretty simple and by default uses plaintext communication, which allows sniffing the transmitted master encryption key when it is transferred from the TPM to the CPU/RAM. Such an attack is feasible in reality, as described by Pulse Security. Furthermore they explain that TPM 2.0 would support transport encryption, but Windows BitLocker in Windows 10 at that time did not make use of transport encryption measures. Not sure if this is still the case and if BitLocker was improved for Windows 11.

Robert
  • 1,373
  • 2
  • 12
  • 13
  • I specifically say in the question that I'm not interested in cold-boot attacks. Also other sophisticated attacks like unsoldering and reading the TPM or USB/whatever DMA devices that can read memory. The information you provide is good though. In my particular case this is a personal server, so I want to protect from a script kiddie trying to read my disk after a full server theft. I believe the more sophisticated attacks would be more expensive than a wrench attack, thus making little sense to try protecting from them :) – akostadinov Mar 08 '22 at 19:14
  • You write that TPM should protect in my situation. But what are the steps on the high level that need to be done for this? I don't find a good explanation of **how** things should work on the internet. Only that they should work if properly implemented (again, how?). – akostadinov Mar 08 '22 at 19:15
  • @akostadinov In your question you wrote that you want to know the consequences of a full server theft and these are the consequences. Or is this a misunderstanding? A full server theft is in my interpretation where someone steals your physical server. This is also the scenario where a TPM can help very well. Against software attacks a TPM is next to useless, as you can simply disable it and the encryption once you've got root. – Robert Mar 08 '22 at 19:43
  • yes, it is correct. So you say that, provided the protection setup I listed in my question, the only way to crack the disk is by reading RAM, exploiting DMA or the SPI bus and such. No way to override the bootloader config or initrd, which are *not* encrypted, to get to the key? – akostadinov Mar 14 '22 at 15:27
  • @akostadinov If everything is implemented correctly then any modification changes the TPM state and thus the master encryption key is not released by the TPM. As you mentioned SPI, I remembered the attack on the TPM bus -> see the 3rd option I added in my question. – Robert Mar 14 '22 at 16:53
  • Cool. I will upvote your question as it is an answer. What I wanted to see is the list of things that need to be `implemented correctly`. I'll try to make this more clear in my question. – akostadinov Mar 14 '22 at 17:09
0

The TPM by itself does not protect the system.

To gain real protection you need to:

  • involve the TPM in the boot sequence
  • make sure every part of the boot loader is verified by the previous part and uses the TPM
  • encrypt the disk (and as much of the boot loader as possible) with a key from the TPM, with that key locked to the hashes in the PCR for all the previous parts
  • make sure every part of the boot loader and subsequent operating system is secure, including administrative access and passwords

If any part of this chain fails, it may be possible to break into the system.

It is also possible to tie the disk encryption to not just the TPM but also some network resource that would be unavailable after the machine is stolen. This would further increase security and make it harder to crack.

user10489
  • 1,217
  • 1
  • 3
  • 13
  • Would you address PCR locking? Shouldn't it protect from UEFI or bootloader or other early program/configuration modifications? – akostadinov Mar 08 '22 at 13:23
  • 1
    TPM + encryption key tied to PCR only protects the boot loader from being modified before the machine boots. After the machine boots, if you have admin access, you can grab the encryption key out of memory and update the boot loader all you want and even update TPM with hashes for the modified boot loader. Otherwise, updates wouldn't work. – user10489 Mar 08 '22 at 23:15
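The chain described in this answer (each stage measures the next into a PCR, the volume key is sealed to the resulting PCR values, and it is released only if the measurements match) can be replayed in a small model. This is an added, deliberately simplified simulation written for this page, not code from any of the answers or from a real TPM stack: the PCR extend formula is the real one, but the PolicyPCR digest is reduced to a plain hash over the selected PCRs, the PCR layout (0 firmware, 4 loader, 7 Secure Boot, 8 GRUB command line, 9 kernel/initrd) is the conventional GRUB/UEFI one, and all measured blobs and the volume key are constructed stand-ins.

```python
import hashlib

# Added simplified model of TPM2 measured boot and PCR-bound sealing (not real TPM code).
# Keeps the one property that matters here: a secret sealed to PCRs is released only
# if every measured stage reproduces exactly the values present at enrollment time.

def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2_PCR_Extend: new PCR = SHA-256(old PCR || SHA-256(measured blob))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_boot(chain: dict) -> dict:
    """Replay a boot: each stage measures the next into its PCR; PCRs start zeroed."""
    bank = {}
    for idx, events in chain.items():
        pcr = bytes(32)
        for ev in events:
            pcr = extend(pcr, ev)
        bank[idx] = pcr
    return bank

def pcr_policy(bank: dict, selection) -> bytes:
    """Digest over the selected PCRs (simplification of the TPM2 PolicyPCR digest)."""
    return hashlib.sha256(b"".join(bank[i] for i in sorted(selection))).digest()

def seal(secret: bytes, bank: dict, selection) -> dict:
    """'Enroll': bind the secret to the current PCR values."""
    return {"policy": pcr_policy(bank, selection), "pcrs": sorted(selection), "secret": secret}

def unseal(blob: dict, bank: dict):
    """Release the secret only if the live PCRs reproduce the sealing policy."""
    if pcr_policy(bank, blob["pcrs"]) != blob["policy"]:
        return None  # TPM refuses: the boot chain differs from the enrolled one
    return blob["secret"]

# Constructed stand-ins for the measured objects, in the usual GRUB/UEFI PCR layout.
GOOD_BOOT = {
    0: [b"firmware-v1"],                              # PCR0: platform firmware
    4: [b"shimx64.efi", b"grubx64.efi"],              # PCR4: boot manager and loader code
    7: [b"SecureBoot=1", b"db:vendor-cert"],          # PCR7: Secure Boot state and policy
    8: [b"linux /vmlinuz root=/dev/mapper/root ro"],  # PCR8: GRUB command line
    9: [b"vmlinuz", b"initrd.img"],                   # PCR9: kernel and initrd as loaded
}
VOLUME_KEY = b"\x11" * 32  # constructed stand-in for the LUKS2 volume key
SEALED = seal(VOLUME_KEY, measure_boot(GOOD_BOOT), {0, 4, 7, 8, 9})

def boot_and_unseal(modified=None):
    """Boot with optional tampering {pcr: replacement event list}, then ask the TPM."""
    chain = {k: list(v) for k, v in GOOD_BOOT.items()}
    chain.update(modified or {})
    return unseal(SEALED, measure_boot(chain))
```

An unmodified boot returns the key, while an edited GRUB command line, a swapped initrd or Secure Boot being switched off each change a PCR and the TPM returns nothing; once the legitimate chain has run, however, the key is in RAM, which is exactly where the answers above locate the remaining risk.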
0

Considering full server theft means physical theft: TPM2.0 with a certain configuration can keep the data inside the HDD secure even after the physical theft.

Configure the system with secure and trusted boot. The hard disk encryption key should be locked with PCRs (known as sealing) and the encryption key should have a PIN set for unlocking.

Now, with this configuration, an attacker must enter the unlocking PIN to release the key. TPM2.0 has protection measures for this, such as a lockout period (default is 24hr AFAIK) in case of dictionary attacks etc. There are some other measures as well, such as cpHash and rpHash stored for command parameters and response parameters, and physical tampering measures as well.

Whereas, without a PIN set up, an attacker can boot up the system without changing the boot process and only has to work on cracking the system login. Once an attacker is logged in to the system with an Admin/Root account, the TPM can be modified to store the new hashes in PCRs. The system boot-loader can also be modified. There are some known attacks on TPM2.0 where the unlocking PIN was not set up and researchers were able to extract the key (sniffing data through the SPI bus).

But even the above-mentioned secure configuration will only buy more time, since once the attacker has physical possession all bets are off, because at some point an attacker will be able to crack the system with enough resources and time (technological advancement, guessing of the PIN, vulnerabilities etc.).

saurabh
  • 723
  • 1
  • 4
  • 12
  • `cracking the system login` is not so trivial. If a PIN is to be entered, then the point is missed - to have unattended boot. My threat model is to prevent script kiddies, not state actors that can more easily get my data through other channels. `enough resources and time` is very vague and can apply to any problem and security level. There is no absolute security that `enough resources and time` will not be able to break. The point of a security setup is more to make obtaining the data more expensive than the gain from the data itself :) – akostadinov Mar 14 '22 at 15:20
  • Since you are talking about full server theft, "time and resources" are absolutely relevant over here, since with any configuration in TPM or OS the data will be protected only until a particular period of time, even if the attacker is a script kiddie. Whether TPM can help with increasing the security: yes, if TPM is configured with an unlocking PIN. But with TPM in unattended boot, all the protection measures rely on system login protection. Once it is broken, TPM can be modified or the key can be extracted, depending on the capabilities of the so-called script kiddie. – saurabh Mar 14 '22 at 17:34
  • So you consider system login trivial? How would you break it? – akostadinov Mar 14 '22 at 17:35
  • It depends on the system configuration whether it is trivial or not. But again, your question is whether TPM with PCR locking can provide protection against full server theft or not, isn't it? If the system is in unattended boot mode, the so-called script kiddie will directly jump to the system login and there is nothing TPM can help you with. Your system is protected as long as the system login is not cracked. – saurabh Mar 14 '22 at 18:03
  • Well, it is obvious that after boot the system has to be secure. The point is whether normal boot can be modified to gain root access by means of `init=/bin/bash` or changing initrd or something that doesn't require lots of resources and time. – akostadinov Mar 15 '22 at 19:03