item 39244718

osy|2 years ago

TPM is insecure against physical attacks by design: https://gist.github.com/osy/45e612345376a65c56d0678834535166

The only secure implementation is called D-RTM which requires a level of chip, OEM, and OS support that's not done in practice.


northern-lights|2 years ago

There is nothing that is safe against physical attacks practically. You can always find a point where you can do a MITM attack as the communication channels between the TPM and anything else is almost always insecure.

FirmwareBurner|2 years ago

>There is nothing that is safe against physical attacks practically.

This! If security is your prime directive in your line of work (government, highly sensitive data, etc.), then as long as your device has been outside your physical possession and in the hands of an untrusted third party, it's automatically considered compromised and gets wiped or discarded by your IT department.

Because no amount of marketing security fluff from Microsoft, Apple, Google can stand against targeted attacks of state actors or knowledgeable motivated well funded actors with freshly acquired zero days.

The security they provide is only good enough against the average thief off the street, which I guess covers 98% of Average Joe's threats.

Even CC security certifications never judge whether a device is hackable or not, but only how long it takes for it to be hacked by an accredited lab, because nothing with outside physical access is ever unhackable. With enough time and six-figure equipment off the publicly available commercial market, everything reveals its secrets eventually. And that's without zero days off the black market.

qingcharles|2 years ago

I used to work in Microsoft DRM. I used to say: the key is on the machine! This is like leaving your house key under a rock in the garden. It just puts up a barrier of a certain level which puts off most villains.

If you want secure Bitlocker, use a password.

sweetjuly|2 years ago

Sure, but there are many shades of gray. Directly leaking the entire key on an external bus is very different than needing to find and somehow bond to individual traces (likely below the top metal layer) on the die itself.

badrabbit|2 years ago

Only a sith deals in absolutes (jk). Even with physical access, you can define restrictions that introduce some level of difficulty for a threat actor with limited capability. For example, you can just kick in most house doors to get past locks, but people still lock their doors. Cars are a better example, most car theft happens when people leave their doors unlocked.

shawnz|2 years ago

Having a non-zero attack surface doesn't mean your security system provides "zero practical security". This is at best equally as hyperbolic as the vendors' own marketing claims that you are arguing against.

mjg59|2 years ago

Not really? Encrypted sessions block the trivial attack of just watching the secret go across the bus. Pushing people to MITM attacks is already an improvement, and while generating initial trust in the TPM for that purpose isn't straightforward, it's not impossible. The almost universal implementation of TPM-backed secret management isn't secure against physical attack, but that's very different to "insecure by design". All the primitives to make this work reasonably are there, OS and firmware vendors just aren't using them.
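As an added illustration of the point in the comment above (constructed here, not code from the thread or from any TPM stack): a toy Python model of a salted, parameter-encrypted TPM session. A passive bus sniffer captures every frame yet never sees the unsealed secret; an interposer that presents its own endorsement key (EK) still wins unless the caller pins the genuine EK first, which is the "initial trust" problem the comment mentions. Stand-ins are labelled in the code: Diffie-Hellman over a toy prime replaces the RSA/ECC EK, an HMAC-SHA256 keystream replaces AES-CFB, and a Python list replaces the LPC/SPI bus.

```python
"""Toy model of a TPM 2.0 salted, parameter-encrypted session (constructed
illustration, not real TPM code). Stand-ins: DH over a toy prime replaces the
RSA/ECC endorsement key, an HMAC-SHA256 keystream replaces AES-CFB, and a
Python list replaces the physical bus."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # Mersenne prime; toy-sized for the simulation, not for real use
G = 5


def keygen():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Caller's notion of 'the EK I trust' (models verifying the EK certificate)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()


def kdfa(shared, nonce_caller, nonce_tpm):
    """SP800-108 counter-mode KDF with HMAC-SHA256, the same shape as TPM KDFa."""
    seed = shared.to_bytes(16, "big")
    msg = b"\x00\x00\x00\x01" + b"ATH\x00" + nonce_caller + nonce_tpm + (256).to_bytes(4, "big")
    return hmac.new(seed, msg, hashlib.sha256).digest()


def xor_keystream(key, data):
    """Parameter encryption stand-in: HMAC counter keystream XORed over data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class ToyTPM:
    """Holds an EK and a sealed secret; releases the secret only inside a session."""
    def __init__(self, secret):
        self.ek_priv, self.ek_pub = keygen()
        self.secret = secret
        self.session_key = None

    def start_session(self, caller_pub, nonce_caller):
        nonce_tpm = secrets.token_bytes(16)
        shared = pow(caller_pub, self.ek_priv, P)  # session salt bound to the EK
        self.session_key = kdfa(shared, nonce_caller, nonce_tpm)
        return nonce_tpm

    def unseal(self):
        return xor_keystream(self.session_key, self.secret)


class Bus:
    """Every frame between caller and TPM lands here, visible to a sniffer."""
    def __init__(self):
        self.captured = []

    def send(self, data):
        self.captured.append(bytes(data))
        return data


def caller_unseal(tpm, bus, trusted_fp=None):
    """Caller side: optional EK pinning, then a salted session and decryption."""
    if trusted_fp is not None and fingerprint(tpm.ek_pub) != trusted_fp:
        return None  # refuse to open a session with an EK we do not trust
    priv, pub = keygen()
    nonce_caller = secrets.token_bytes(16)
    bus.send(pub.to_bytes(16, "big") + nonce_caller)
    nonce_tpm = bus.send(tpm.start_session(pub, nonce_caller))
    session_key = kdfa(pow(tpm.ek_pub, priv, P), nonce_caller, nonce_tpm)
    return xor_keystream(session_key, bus.send(tpm.unseal()))


class Interposer:
    """Bus-level man-in-the-middle: presents its own EK, relays to the real TPM."""
    def __init__(self, real_tpm):
        self.real = real_tpm
        self.ek_priv, self.ek_pub = keygen()
        self.session_key = None
        self.learned = None

    def start_session(self, caller_pub, nonce_caller):
        nonce_tpm = secrets.token_bytes(16)
        self.session_key = kdfa(pow(caller_pub, self.ek_priv, P), nonce_caller, nonce_tpm)
        return nonce_tpm

    def unseal(self):
        # Open an ordinary session with the real TPM, then re-encrypt for the caller.
        self.learned = caller_unseal(self.real, Bus())
        return xor_keystream(self.session_key, self.learned)


def sniff_scenario():
    """Passive attacker: returns (caller recovered secret?, secret visible on bus?)."""
    secret = b"constructed-volume-key-0123456789ab"  # constructed sample value
    tpm, bus = ToyTPM(secret), Bus()
    got = caller_unseal(tpm, bus, fingerprint(tpm.ek_pub))
    return got == secret, any(secret in frame for frame in bus.captured)


def mitm_scenario(verify_ek):
    """Active interposer: defeated only when the caller pins the genuine EK."""
    secret = b"constructed-volume-key-0123456789ab"  # constructed sample value
    tpm = ToyTPM(secret)
    mitm = Interposer(tpm)
    trusted = fingerprint(tpm.ek_pub) if verify_ek else None
    got = caller_unseal(mitm, Bus(), trusted)
    return {"caller_got_secret": got == secret, "mitm_learned": mitm.learned == secret}
```

The model captures the asymmetry the comment describes: encrypted sessions turn a passive bus tap into a useless capture, and the remaining attack requires an active interposer plus a caller that never checked which EK it was talking to. In a real deployment the `fingerprint` check corresponds to validating the EK certificate chain before the first salted session.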

osy|2 years ago

Yes really. The lack of any working implementation in production systems is an issue (D-RTM + encrypted sessions), something that Apple has done in an equivalent threat model since the iPhone 11. You can argue that "insecure by design" doesn't apply because there is a secure design in the abstract but the fact that nobody has adopted it in 20 years says something about the design itself.

It's _also_ insecure by design because in every deployed implementation (including with PIN), it is S-RTM meaning that _any_ UEFI driver vuln will compromise your TPM key. Yes, any UEFI vulnerability in its countless vendor drivers, USB stack, network stack, etc.

Arnavion|2 years ago

>All the primitives to make this work reasonably are there, OS and firmware vendors just aren't using them.

To be precise, both Windows (according to the article) and Linux+systemd (since systemd v251) support letting the user specify a TPM PIN and then use parameter encryption. But yes, both make it optional.

Avamander|2 years ago

D-RTM is offered with some Secured-Core machines that support Firmware Protection, is it not?

mike_hock|2 years ago

I hope this attempt at shoving hardware DRM down our throats tanks just like the last one did.

p_l|2 years ago

It's not actually used for DRM; that's part of Intel ME and why AMD PSP is closed source. Both of those are involved in setting up the "protected media path", which is all about setting up an encrypted channel between the display and the media player to prevent sniffing.

TPM could be used for DRM in the sense that DRM software could refuse to run on a system that isn't approved, but it's not going to stop you from enjoying a DRM-free system; in fact it can help by explicitly supporting clearing of TPM state by the owner.