SlideShare ist ein Scribd-Unternehmen logo

S-RTM for Qubes OS VMs

Piotr Król
Piotr Król

Static Root of Trust for Measurement is essential for establishing trust at boot time. There are many implementations from different vendors (Secure Boot, Intel Boot Guard, Hardware Validated Boot, Hardware Assured Boot etc.). S-RTM proved its use for hardware, but what about virtual machines? This presentation discuss S-RTM for VMs in context of Qubes OS.

Technologie
1 von 22
Downloaden Sie, um offline zu lesen
SRTM for Qubes OS VMs Qubes OS and 3mdeb mini-summit 2020 Piotr Król 1 / 22
whoami Presentation goal Terminology Practical use cases Where is S-RTM on real hardware? Qubes OS and S-RTM TPM support in QEMU swtpm Xen vTPMs Possible solutions Assumptions and future ideas Agenda 2 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
@pietrushnic piotr.krol@3mdeb.com linkedin.com/in/krolpiotr facebook.com/piotr.krol.756859 open-source firmware platform security trusted computing Piotr Król Founder & Embedded Systems Consultant whoami 3 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
To discuss feasibility and security of various S-RTM implementations for Qubes OS virtual machines Kudos for support Marek Marczykowski-Górecki (Qubes OS) Stefan Berger (swtpm) Andrew Cooper (Xen) Daniel Smith (TrenchBoot) Presentation goal 4 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Root of Trust (RoT) RoT for Confidentiality (RTC) RoT for Update (RTU) RoT for Verification (RTV) Hardware RTM (HRTM) Static Code RTM (S-CRTM) RoT for Measurement (RTM) RoT for Reporting (RTR) RoT for Storage (RTS) RoT for Integrity (RTI) Static RTM (S-RTM) Dynamic RTM (D-RTM) Code RTM (CRTM) Dynamic Hardware RTM (D-HRTM)Static Hardware RTM (S-HRTM) In this presentation we will focus only on S-RTM and how to use it in virtual machines All those can be implemented with support of TCG complaint TPM Root of Trust family 5 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
S-RTM - Static Root of Trust for Measurement Root of Trust because it is unconditionally trusted component, for which misbehavior cannot be detected RoT for Measurement because it is responsible for initial integrity measurement Static because shielded location (PCR) initialization and initial integrity measurement occurs only on platform reset Static because it is done once for static/unchangeable components S-CRTM - Static Code Root of Trust for Measurement TCG changed glossary and despite many places use Core, correct is Code Typical example is part of firmware in read-only region of SPI flash or ROM We usually call this region SEC/bootblock/BootROM or Initial Boot Block On marketing level S-CRTM undistinguishable from S-HRTM Terminology 6 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
S-RTM Component 1 ... Component n M - Measure E - Extend X - eXecute M,E,X M,E,X M,E,X S-RTM builds foundation for transitive trust chain which establish chain of trust e.g. during boot process (aka measured boot) Real value came from verification of gathered measurements (aka Attestation) or unlocking secret when measurements are correct™ (aka Sealed Storage) Both attestation and sealed storage may have interesting use cases in virtual machine world hardened ChallengerVM that attest AppVMs measurement LUKS2 encrypted disk of AppVMs that decrypts only in light of correct PCR value Practical use cases 7 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Mainboard SPI flash Read-only firmware boot block Read-write firmware CPU/SoC ROM S-CRTM PCH ROM S-CRTM S-CRTM TPM PCR0 PCR1..15 S-RTM After realizing where S-RTM is and how it is created on real hardware, how to move that to VMs? Where is S-RTM on real hardware? 8 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Hardware Qubes OS dom0 sys-usb sys-net sys-usb-dm Create PVH Create HVM Create HVMI/O I/O I/O Emulation I/O Emulation Emulated Network interfaces Emulated USB devices sys-net-dm AppVM USB Controller Netowork Controller Xen stub domains 9 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
In reality most straight-forward way for enabling S-RTM and measured boot in Qubes OS VMs is adding TPM device to QEMU What options of enabling TPM in QEMU we have? It depends on amount and types of scenarios we consider valid™ Qubes OS R4.0 use QEMU 3.0.0 which may limit our options for TPM, but R4.1 will use QEMU 4.2.0, which should cover most the bases Boot firmware: Shall we limit ourselves to UEFI-aware guest OSes? "we shouldn't aim to prohibit non-UEFI, but plan to start with UEFI" Legacy lead to lot of issues including presence and support for TCG INT 1Ah Qubes OS by default use SeaBIOS as boot firmware What bootloaders and operating systems should be supported? Qubes OS is mostly Linux with some part of Windows VMs Xen version overall may also be important factor Qubes OS 10 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
TPM support consist of two pieces frontend and backend Frontend provide hardware interface to guest For x86 it can be: TCG TIS (TPM Interface Specification) compatible - MMIO 0xfed40000-0xfed44fff TCG CRB (Command Response Buffer) Interface - MMIO 0xfed40000-0xfed40fff fw_cfg interface - only for Physical Presence Interface (PPI) memory, TPM version, PPI version ACPI interface - only for base address obtaining, usage mode (polling vs IRQ), TCPA or adequate TPM2 table ACPI PPI Interface Only TCG TIS and CRB use make sense in case of measured boot Backend provide implementation of interaction with TPM device There are 2 types of backends pass-through - which means passing host device to VM emulator device - currently only SWTPM protocol is supported TPM support in QEMU 11 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
libtpm-based TPM emulator created by Stefan Berger (IBM) in 2015 it can use socket, character device or Linux CUSE (character devices in user space) interface for communication supports TPM1.2 and TPM2.0 Threat model: the same as for regular processes in hosting OS, hooking strace or gdb may reveal sensitive information process running in stubdomain expose limited protocol to QEMU, which use device model to expose device to OS in VM no protection against malicious hypervisor or administrator using hardware features like IOMMU, SGX or SEM/SEV Adoption: Packaged by most popular distros Keylime for testing OpenStack Nova Probably most mature OSS TPM emulation environment There are other TM emulators, but swtpm is the only integrated with QEMU swtpm 12 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Qubes OS dom0 swtpm1 swtpmn TCG TIS/CRB driver TCG TIS/CRB driver AppVMnAppVM1 dom0 attack vector possibly increased by swtpm vulnerabilities there is need for some mechanism managing swtpms swtpm in dom0 13 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Qubes OS dom0 AppVM (HVM) appvm-dm swtpm Create HVM TCG TIS/CRB driver Support only in HVM Key problem at this point is that stubdom use -machine xenfv which cause QEMU TPM device not being exposed to firmware and OS swtpm in stubdom 14 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Hardware dTPM/fTPM Qubes OS dom0 vtpmmgr-dm sys-vtpm1 xen-tpmfront xen-tpmfront AppVMnAppVM1 sys-vtpmn Xen vTPMs 15 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Created by NSA and John Hopkins University Applied Physics Laboratory around 2010 based on previous work made by Intel and IBM Based on source code archaeology vTPM design for Xen was created before swtpm, documents refer to Berlios TPM Emulator from ETH Zurich which supports only TPM 1.2 Natural evolution of Xen vTPM concept should use swtpm There are no public signs of using that design recently most probably because of its complexity some commercial products offer vTPMs 2.0 The goal of vTPM design was extending the chain of trust rooted in the hardware TPM to virtual machines in Xen vtpmmgr claim to support theoretically more then 20k vTPMs it securely stores encryption keys of sys-vtpms it provides a single controlled path to access physical TPM it provides evidence of current configuration via TPM Quote its data is secured by physical TPM seal operation Whole design seem to be outdated and complex Xen vTPMs 16 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Hardware OpenTitan dTPM Qubes OS dom0 vtpmmgr-dm Rust unikernel sys-vtpm1 Rust unikernel TCG TIS/CRB driver TCG TIS/CRB driver AppVMn Rust unikernel AppVM1 sys-vtpmn 3mdeb's dream design 17 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
not everyone needs the same countermeasure, so either we assume recommended/feasible paranoia level or we implement environment flexible enough to satisfy various needs first approach seems to be better as first step, because of that we should limit our considerations to most popular solutions and assume some things Threat model 18 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Legacy boot should be avoided to make S-RTM for VMs economically feasible Legacy means INT 1Ah interface implemented in BIOS and this is not well supported across the board Qubes OS should consider switching to OVMF as default firmware - this increase VM TCB and maybe against Qubes OS policy(?) Decision between vTPM and simpler (swtpm somewhere) architecture should be made it seems that vTPM consider more paranoid threat model, what probably implies its selection as target implementation maybe discussion should focus on improving vTPM model? Limited number of OSes should be supported Linux Windows Memory consumption and complexity unikernels satisfy memory consumption Reasonable target for S-RTM support could be Qubes OS R4.2 Assumptions 19 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Availability of reasonably trusted TPM to VM enables additional use cases: VM identity - this enables various use cases including authentication, policy enforcement and remediation Shielded location for secret - public key certificate protection, VPN credentials storage PKCS#11 - standard and programming interface which can use TPM as smart card opening another universe of use cases (e.g. payment, telecom) all of those may sound like vault-vm or tpm-vm coreboot as default firmware for VMs why? Because we consider it simpler then UEFI/edk2 Qubes OS should have ability to choose, audit and attest VM boot firmware - it is not so easy right now Support for 802.1AR: Secure Device Identity which simplifies network devices authentication Carefully read TCG Virtualized Platform Architecture Specification Future ideas and discussion 20 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Interesting point is that change to image/boot firmware can be introduced only in dom0, what implies that dom0 is in TCB and should be measured ergo should be stateless Existence of TCG Virtualized Platform Architecture Specification indicates that S-RTM topic was considered by gov and industry leaders, but maybe whole approach was too complex to make it wide spread solution:w Discussion 21 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
Q&A 22 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król

Empfohlen

D-RTM for Qubes OS VMs
D-RTM for Qubes OS VMsD-RTM for Qubes OS VMs
D-RTM for Qubes OS VMsPiotr Król
 
Qubes hardware certification
Qubes hardware certificationQubes hardware certification
Qubes hardware certificationPiotr Król
 
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixXPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixThe Linux Foundation
 
Wafl inside by rick
Wafl inside by rickWafl inside by rick
Wafl inside by rickAccenture
 
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsXPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsThe Linux Foundation
 
Attacking intel txt paper
Attacking intel txt paperAttacking intel txt paper
Attacking intel txt papermaojunjie
 
µ-Xen
µ-Xenµ-Xen
µ-XenLars Kurth
 
XPDS13: Dual-Android on Nexus 10 - Lovene Bhatia, Samsung
XPDS13: Dual-Android on Nexus 10 - Lovene Bhatia, SamsungXPDS13: Dual-Android on Nexus 10 - Lovene Bhatia, Samsung
XPDS13: Dual-Android on Nexus 10 - Lovene Bhatia, SamsungThe Linux Foundation
 

Empfohlen

D-RTM for Qubes OS VMs
D-RTM for Qubes OS VMsD-RTM for Qubes OS VMs
D-RTM for Qubes OS VMsPiotr Król
 
Qubes hardware certification
Qubes hardware certificationQubes hardware certification
Qubes hardware certificationPiotr Król
 
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixXPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixThe Linux Foundation
 
Wafl inside by rick
Wafl inside by rickWafl inside by rick
Wafl inside by rickAccenture
 
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsXPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsThe Linux Foundation
 
Attacking intel txt paper
Attacking intel txt paperAttacking intel txt paper
Attacking intel txt papermaojunjie
 
µ-Xen
µ-Xenµ-Xen
µ-XenLars Kurth
 
XPDS13: Dual-Android on Nexus 10 - Lovene Bhatia, Samsung
XPDS13: Dual-Android on Nexus 10 - Lovene Bhatia, SamsungXPDS13: Dual-Android on Nexus 10 - Lovene Bhatia, Samsung
XPDS13: Dual-Android on Nexus 10 - Lovene Bhatia, SamsungThe Linux Foundation
 
Enabling TPM 2.0 on coreboot based devices
Enabling TPM 2.0 on coreboot based devicesEnabling TPM 2.0 on coreboot based devices
Enabling TPM 2.0 on coreboot based devicesPiotr Król
 
DYNAMIC ROOT OF TRUST AND CHALLENGES
DYNAMIC ROOT OF TRUST AND CHALLENGESDYNAMIC ROOT OF TRUST AND CHALLENGES
DYNAMIC ROOT OF TRUST AND CHALLENGESijsptm
 
Lightning talks - Qubes OS and 3mdeb "minisummit" 2019
Lightning talks - Qubes OS and 3mdeb "minisummit" 2019Lightning talks - Qubes OS and 3mdeb "minisummit" 2019
Lightning talks - Qubes OS and 3mdeb "minisummit" 2019Piotr Król
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN
 
CT
CTCT
CTYama Haku
 
Qubes OS and TPM 2.0
Qubes OS and TPM 2.0Qubes OS and TPM 2.0
Qubes OS and TPM 2.0Piotr Król
 
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems ToolboxEclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems ToolboxBrett Hackleman
 
What's New in IBM Messaging
What's New in IBM MessagingWhat's New in IBM Messaging
What's New in IBM MessagingMorag Hughson
 
Pushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudPushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudDMC, Inc.
 
LFCOLLAB15: Xen 4.5 and Beyond
LFCOLLAB15: Xen 4.5 and BeyondLFCOLLAB15: Xen 4.5 and Beyond
LFCOLLAB15: Xen 4.5 and BeyondThe Linux Foundation
 
MQ - India - KT - Session 1.pptx
MQ - India - KT - Session 1.pptxMQ - India - KT - Session 1.pptx
MQ - India - KT - Session 1.pptxssusereb54c9
 
An Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource PartitioningAn Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource PartitioningYoshitake Kobayashi
 
4 implementation
4 implementation4 implementation
4 implementationhanmya
 
RISC-V 30906 hex five multi_zone iot firmware
RISC-V 30906 hex five multi_zone iot firmwareRISC-V 30906 hex five multi_zone iot firmware
RISC-V 30906 hex five multi_zone iot firmwareRISC-V International
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Julien Vermillard
 
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CDWhats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CDDavid Ware
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSMatt Leming
 
HdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN UpdateHdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN UpdateMarc Seeger
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of ThingsPaul Fremantle
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMULinaro
 
Status of AEM for Intel and AMD
Status of AEM for Intel and AMDStatus of AEM for Intel and AMD
Status of AEM for Intel and AMDPiotr Król
 
RTE v1.0.0 specification
RTE v1.0.0 specificationRTE v1.0.0 specification
RTE v1.0.0 specificationPiotr Król
 

Weitere ähnliche Inhalte

Ähnlich wie S-RTM for Qubes OS VMs

Enabling TPM 2.0 on coreboot based devices
Enabling TPM 2.0 on coreboot based devicesEnabling TPM 2.0 on coreboot based devices
Enabling TPM 2.0 on coreboot based devicesPiotr Król
 
DYNAMIC ROOT OF TRUST AND CHALLENGES
DYNAMIC ROOT OF TRUST AND CHALLENGESDYNAMIC ROOT OF TRUST AND CHALLENGES
DYNAMIC ROOT OF TRUST AND CHALLENGESijsptm
 
Lightning talks - Qubes OS and 3mdeb "minisummit" 2019
Lightning talks - Qubes OS and 3mdeb "minisummit" 2019Lightning talks - Qubes OS and 3mdeb "minisummit" 2019
Lightning talks - Qubes OS and 3mdeb "minisummit" 2019Piotr Król
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN
 
Qubes OS and TPM 2.0
Qubes OS and TPM 2.0Qubes OS and TPM 2.0
Qubes OS and TPM 2.0Piotr Król
 
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems ToolboxEclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems ToolboxBrett Hackleman
 
What's New in IBM Messaging
What's New in IBM MessagingWhat's New in IBM Messaging
What's New in IBM MessagingMorag Hughson
 
Pushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudPushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudDMC, Inc.
 
MQ - India - KT - Session 1.pptx
MQ - India - KT - Session 1.pptxMQ - India - KT - Session 1.pptx
MQ - India - KT - Session 1.pptxssusereb54c9
 
An Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource PartitioningAn Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource PartitioningYoshitake Kobayashi
 
4 implementation
4 implementation4 implementation
4 implementationhanmya
 
RISC-V 30906 hex five multi_zone iot firmware
RISC-V 30906 hex five multi_zone iot firmwareRISC-V 30906 hex five multi_zone iot firmware
RISC-V 30906 hex five multi_zone iot firmwareRISC-V International
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Julien Vermillard
 
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CDWhats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CDDavid Ware
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSMatt Leming
 
HdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN UpdateHdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN UpdateMarc Seeger
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of ThingsPaul Fremantle
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMULinaro
 

Ähnlich wie S-RTM for Qubes OS VMs (20)

Enabling TPM 2.0 on coreboot based devices
Enabling TPM 2.0 on coreboot based devicesEnabling TPM 2.0 on coreboot based devices
Enabling TPM 2.0 on coreboot based devices
 
DYNAMIC ROOT OF TRUST AND CHALLENGES
DYNAMIC ROOT OF TRUST AND CHALLENGESDYNAMIC ROOT OF TRUST AND CHALLENGES
DYNAMIC ROOT OF TRUST AND CHALLENGES
 
Lightning talks - Qubes OS and 3mdeb "minisummit" 2019
Lightning talks - Qubes OS and 3mdeb "minisummit" 2019Lightning talks - Qubes OS and 3mdeb "minisummit" 2019
Lightning talks - Qubes OS and 3mdeb "minisummit" 2019
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE Virtualization
 
CT
CTCT
CT
 
Qubes OS and TPM 2.0
Qubes OS and TPM 2.0Qubes OS and TPM 2.0
Qubes OS and TPM 2.0
 
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems ToolboxEclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
 
What's New in IBM Messaging
What's New in IBM MessagingWhat's New in IBM Messaging
What's New in IBM Messaging
 
Pushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudPushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to Cloud
 
LFCOLLAB15: Xen 4.5 and Beyond
LFCOLLAB15: Xen 4.5 and BeyondLFCOLLAB15: Xen 4.5 and Beyond
LFCOLLAB15: Xen 4.5 and Beyond
 
MQ - India - KT - Session 1.pptx
MQ - India - KT - Session 1.pptxMQ - India - KT - Session 1.pptx
MQ - India - KT - Session 1.pptx
 
An Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource PartitioningAn Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource Partitioning
 
4 implementation
4 implementation4 implementation
4 implementation
 
RISC-V 30906 hex five multi_zone iot firmware
RISC-V 30906 hex five multi_zone iot firmwareRISC-V 30906 hex five multi_zone iot firmware
RISC-V 30906 hex five multi_zone iot firmware
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
 
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CDWhats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OS
 
HdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN UpdateHdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN Update
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of Things
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
 

Mehr von Piotr Król

Status of AEM for Intel and AMD
Status of AEM for Intel and AMDStatus of AEM for Intel and AMD
Status of AEM for Intel and AMDPiotr Król
 
RTE v1.0.0 specification
RTE v1.0.0 specificationRTE v1.0.0 specification
RTE v1.0.0 specificationPiotr Król
 
BITS and CHIPSEC as coreboot payloads
BITS and CHIPSEC as coreboot payloadsBITS and CHIPSEC as coreboot payloads
BITS and CHIPSEC as coreboot payloadsPiotr Król
 
How to enable AMD IOMMU in coreboot?
How to enable AMD IOMMU in coreboot?How to enable AMD IOMMU in coreboot?
How to enable AMD IOMMU in coreboot?Piotr Król
 
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"Piotr Król
 
How to build IoT solution using cloud infrastructure?
How to build IoT solution using cloud infrastructure?How to build IoT solution using cloud infrastructure?
How to build IoT solution using cloud infrastructure?Piotr Król
 

Mehr von Piotr Król (6)

Status of AEM for Intel and AMD
Status of AEM for Intel and AMDStatus of AEM for Intel and AMD
Status of AEM for Intel and AMD
 
RTE v1.0.0 specification
RTE v1.0.0 specificationRTE v1.0.0 specification
RTE v1.0.0 specification
 
BITS and CHIPSEC as coreboot payloads
BITS and CHIPSEC as coreboot payloadsBITS and CHIPSEC as coreboot payloads
BITS and CHIPSEC as coreboot payloads
 
How to enable AMD IOMMU in coreboot?
How to enable AMD IOMMU in coreboot?How to enable AMD IOMMU in coreboot?
How to enable AMD IOMMU in coreboot?
 
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
 
How to build IoT solution using cloud infrastructure?
How to build IoT solution using cloud infrastructure?How to build IoT solution using cloud infrastructure?
How to build IoT solution using cloud infrastructure?
 

Kürzlich hochgeladen

2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 

Kürzlich hochgeladen (20)

2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 

S-RTM for Qubes OS VMs

  • 1. SRTM for Qubes OS VMs Qubes OS and 3mdeb mini-summit 2020 Piotr Król 1 / 22
  • 2. whoami Presentation goal Terminology Practical use cases Where is S-RTM on real hardware? Qubes OS and S-RTM TPM support in QEMU swtpm Xen vTPMs Possible solutions Assumptions and future ideas Agenda 2 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 3. @pietrushnic piotr.krol@3mdeb.com linkedin.com/in/krolpiotr facebook.com/piotr.krol.756859 open-source firmware platform security trusted computing Piotr Król Founder & Embedded Systems Consultant whoami 3 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 4. To discuss feasibility and security of various S-RTM implementations for Qubes OS virtual machines Kudos for support Marek Marczykowski-Górecki (Qubes OS) Stefan Berger (swtpm) Andrew Cooper (Xen) Daniel Smith (TrenchBoot) Presentation goal 4 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 5. Root of Trust (RoT) RoT for Confidentiality (RTC) RoT for Update (RTU) RoT for Verification (RTV) Hardware RTM (HRTM) Static Code RTM (S-CRTM) RoT for Measurement (RTM) RoT for Reporting (RTR) RoT for Storage (RTS) RoT for Integrity (RTI) Static RTM (S-RTM) Dynamic RTM (D-RTM) Code RTM (CRTM) Dynamic Hardware RTM (D-HRTM)Static Hardware RTM (S-HRTM) In this presentation we will focus only on S-RTM and how to use it in virtual machines All those can be implemented with support of TCG complaint TPM Root of Trust family 5 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 6. S-RTM - Static Root of Trust for Measurement Root of Trust because it is unconditionally trusted component, for which misbehavior cannot be detected RoT for Measurement because it is responsible for initial integrity measurement Static because shielded location (PCR) initialization and initial integrity measurement occurs only on platform reset Static because it is done once for static/unchangeable components S-CRTM - Static Code Root of Trust for Measurement TCG changed glossary and despite many places use Core, correct is Code Typical example is part of firmware in read-only region of SPI flash or ROM We usually call this region SEC/bootblock/BootROM or Initial Boot Block On marketing level S-CRTM undistinguishable from S-HRTM Terminology 6 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 7. S-RTM Component 1 ... Component n M - Measure E - Extend X - eXecute M,E,X M,E,X M,E,X S-RTM builds foundation for transitive trust chain which establish chain of trust e.g. during boot process (aka measured boot) Real value came from verification of gathered measurements (aka Attestation) or unlocking secret when measurements are correct™ (aka Sealed Storage) Both attestation and sealed storage may have interesting use cases in virtual machine world hardened ChallengerVM that attest AppVMs measurement LUKS2 encrypted disk of AppVMs that decrypts only in light of correct PCR value Practical use cases 7 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 8. Mainboard SPI flash Read-only firmware boot block Read-write firmware CPU/SoC ROM S-CRTM PCH ROM S-CRTM S-CRTM TPM PCR0 PCR1..15 S-RTM After realizing where S-RTM is and how it is created on real hardware, how to move that to VMs? Where is S-RTM on real hardware? 8 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 9. Hardware Qubes OS dom0 sys-usb sys-net sys-usb-dm Create PVH Create HVM Create HVMI/O I/O I/O Emulation I/O Emulation Emulated Network interfaces Emulated USB devices sys-net-dm AppVM USB Controller Netowork Controller Xen stub domains 9 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 10. In reality most straight-forward way for enabling S-RTM and measured boot in Qubes OS VMs is adding TPM device to QEMU What options of enabling TPM in QEMU we have? It depends on amount and types of scenarios we consider valid™ Qubes OS R4.0 use QEMU 3.0.0 which may limit our options for TPM, but R4.1 will use QEMU 4.2.0, which should cover most the bases Boot firmware: Shall we limit ourselves to UEFI-aware guest OSes? "we shouldn't aim to prohibit non-UEFI, but plan to start with UEFI" Legacy lead to lot of issues including presence and support for TCG INT 1Ah Qubes OS by default use SeaBIOS as boot firmware What bootloaders and operating systems should be supported? Qubes OS is mostly Linux with some part of Windows VMs Xen version overall may also be important factor Qubes OS 10 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 11. TPM support consist of two pieces frontend and backend Frontend provide hardware interface to guest For x86 it can be: TCG TIS (TPM Interface Specification) compatible - MMIO 0xfed40000-0xfed44fff TCG CRB (Command Response Buffer) Interface - MMIO 0xfed40000-0xfed40fff fw_cfg interface - only for Physical Presence Interface (PPI) memory, TPM version, PPI version ACPI interface - only for base address obtaining, usage mode (polling vs IRQ), TCPA or adequate TPM2 table ACPI PPI Interface Only TCG TIS and CRB use make sense in case of measured boot Backend provide implementation of interaction with TPM device There are 2 types of backends pass-through - which means passing host device to VM emulator device - currently only SWTPM protocol is supported TPM support in QEMU 11 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 12. libtpm-based TPM emulator created by Stefan Berger (IBM) in 2015 it can use socket, character device or Linux CUSE (character devices in user space) interface for communication supports TPM1.2 and TPM2.0 Threat model: the same as for regular processes in hosting OS, hooking strace or gdb may reveal sensitive information process running in stubdomain expose limited protocol to QEMU, which use device model to expose device to OS in VM no protection against malicious hypervisor or administrator using hardware features like IOMMU, SGX or SEM/SEV Adoption: Packaged by most popular distros Keylime for testing OpenStack Nova Probably most mature OSS TPM emulation environment There are other TM emulators, but swtpm is the only integrated with QEMU swtpm 12 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 13. Qubes OS dom0 swtpm1 swtpmn TCG TIS/CRB driver TCG TIS/CRB driver AppVMnAppVM1 dom0 attack vector possibly increased by swtpm vulnerabilities there is need for some mechanism managing swtpms swtpm in dom0 13 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 14. Qubes OS dom0 AppVM (HVM) appvm-dm swtpm Create HVM TCG TIS/CRB driver Support only in HVM Key problem at this point is that stubdom use -machine xenfv which cause QEMU TPM device not being exposed to firmware and OS swtpm in stubdom 14 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 15. Hardware dTPM/fTPM Qubes OS dom0 vtpmmgr-dm sys-vtpm1 xen-tpmfront xen-tpmfront AppVMnAppVM1 sys-vtpmn Xen vTPMs 15 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 16. Created by NSA and John Hopkins University Applied Physics Laboratory around 2010 based on previous work made by Intel and IBM Based on source code archaeology vTPM design for Xen was created before swtpm, documents refer to Berlios TPM Emulator from ETH Zurich which supports only TPM 1.2 Natural evolution of Xen vTPM concept should use swtpm There are no public signs of using that design recently most probably because of its complexity some commercial products offer vTPMs 2.0 The goal of vTPM design was extending the chain of trust rooted in the hardware TPM to virtual machines in Xen vtpmmgr claim to support theoretically more then 20k vTPMs it securely stores encryption keys of sys-vtpms it provides a single controlled path to access physical TPM it provides evidence of current configuration via TPM Quote its data is secured by physical TPM seal operation Whole design seem to be outdated and complex Xen vTPMs 16 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 17. Hardware OpenTitan dTPM Qubes OS dom0 vtpmmgr-dm Rust unikernel sys-vtpm1 Rust unikernel TCG TIS/CRB driver TCG TIS/CRB driver AppVMn Rust unikernel AppVM1 sys-vtpmn 3mdeb's dream design 17 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 18. not everyone needs the same countermeasure, so either we assume recommended/feasible paranoia level or we implement environment flexible enough to satisfy various needs first approach seems to be better as first step, because of that we should limit our considerations to most popular solutions and assume some things Threat model 18 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 19. Legacy boot should be avoided to make S-RTM for VMs economically feasible Legacy means INT 1Ah interface implemented in BIOS and this is not well supported across the board Qubes OS should consider switching to OVMF as default firmware - this increase VM TCB and maybe against Qubes OS policy(?) Decision between vTPM and simpler (swtpm somewhere) architecture should be made it seems that vTPM consider more paranoid threat model, what probably implies its selection as target implementation maybe discussion should focus on improving vTPM model? Limited number of OSes should be supported Linux Windows Memory consumption and complexity unikernels satisfy memory consumption Reasonable target for S-RTM support could be Qubes OS R4.2 Assumptions 19 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 20. Availability of reasonably trusted TPM to VM enables additional use cases: VM identity - this enables various use cases including authentication, policy enforcement and remediation Shielded location for secret - public key certificate protection, VPN credentials storage PKCS#11 - standard and programming interface which can use TPM as smart card opening another universe of use cases (e.g. payment, telecom) all of those may sound like vault-vm or tpm-vm coreboot as default firmware for VMs why? Because we consider it simpler then UEFI/edk2 Qubes OS should have ability to choose, audit and attest VM boot firmware - it is not so easy right now Support for 802.1AR: Secure Device Identity which simplifies network devices authentication Carefully read TCG Virtualized Platform Architecture Specification Future ideas and discussion 20 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 21. Interesting point is that change to image/boot firmware can be introduced only in dom0, what implies that dom0 is in TCB and should be measured ergo should be stateless Existence of TCG Virtualized Platform Architecture Specification indicates that S-RTM topic was considered by gov and industry leaders, but maybe whole approach was too complex to make it wide spread solution:w Discussion 21 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król
  • 22. Q&A 22 / 22 Qubes OS and 3mdeb mini-summit 2020 CC BY | Piotr Król