Re: Broken dream of mine :(

[Michal Suchanek]

2009/9/22 Sam Mason <address@hidden>:
> On Tue, Sep 22, 2009 at 12:42:17AM +0200, Michal Suchanek wrote:
>> Yes, the trivial attack is to replace the boot medium but that's local
>> access attack, not remote attack.  The remote attacker cannot overwrite
>> it, and the boot loader and initial environment can enforce any policy
>> you wish (get the list of valid checksums from your server using SSL
>> for example).
>
> But where does the trust in the boot sequence come from?  That's what
> TPM gives you.  Retrieving checksums from servers using SSL does nothing
> as far as I can see.

Write-protecting the BIOS flash does the same for you and you can
verify it's working.

>
>> So decide against which attack you are trying to defend.
>
> I want something upon which to bootstrap my trust in the code that a
> server is running.  This is a difficult problem and I'm not aware of
> anything outside of TPM that allows me to do this.  I trust the physical
> security of the machines, but I'm unsure how far down the stack my trust
> in the software goes.  TPM allows me to include the BIOS, but I'm not
> sure about CPU microcode.
>
>> > Physical security does nothing about remote/software attacks though.
>>
>> Yes, and TPM does no more for remote attacks than a boot CD and a BIOS
>> with flash protection.
>
> Hum, fun.  I'll have to think on that.  You obviously can't check the
> BIOS, but I'm not sure how much that matters.
>
>> >> You have to rely on the TPM
>> >> manufacturer quite a bit because the devices come as blackboxes with
>> >> unknown internals.
>> >
>> > Yes, but they're implementing a public spec and the economic incentives
>> > all seem to be pointing the right way with this.  If the manufacturer
>> > screws up their implementation they're going to look bad to the people
>> > who matter.
>>
>> But it will break your system.
>
> No it effing will not and stop being so silly.  You choose whether your
> computer is going to run an OS that's going to surrender its authority
> to somebody else.  If not then anything we do won't matter anyway.

I don't get the first sentence of the above paragraph. However, it
seems you are getting the wrong impression here. The TPM chip will not
break your system because you use it to lock yourself out. In that
case you break your system.

However, if you rely on TPM for security and the module is in fact
broken you lose any security and can throw away your system. If you
rely on simple hardware measures (like flash write protection) and
write the rest in software then it's more likely that if anything
breaks it's the software and you can replace that. You can also verify
that a write protected flash is really write protected. Good luck with
testing a TPM really adheres to specification under all possible
conditions.

>
>> >> Then netboot the machines. No need for reimaging and users staring at
>> >> broken machines.
>> >
>> > An attacker can modify the bios so that it points to somewhere it
>> > controls.  Again, this isn't for normal PCs.
>>
>> Attacker from where? If it's the user you cannot allow users near the
>> PC.
>
> Bugs are fact of life.  Confinement allows you to put a reasonable upper
> bound on how far its going to go, but if the worst does come to the
> worst you need some trusted path to bring it all back up again.

Yes, and that's the readonly media you use for booting.

Thanks

Michal