-
Notifications
You must be signed in to change notification settings - Fork 1
Finding possible use cases for DRTM payload #76
Copy link
Copy link
Open
Labels
P: defaultPriority: default. Default priority for new issues, to be replaced given sufficient information.Priority: default. Default priority for new issues, to be replaced given sufficient information.T: enhancementType: enhancement. An enhancement or improvement of existing functionality.Type: enhancement. An enhancement or improvement of existing functionality.W: todoWorkflow: todo. The issue is in the initial to do state.Workflow: todo. The issue is in the initial to do state.
Description
Metadata
Metadata
Assignees
Labels
P: defaultPriority: default. Default priority for new issues, to be replaced given sufficient information.Priority: default. Default priority for new issues, to be replaced given sufficient information.T: enhancementType: enhancement. An enhancement or improvement of existing functionality.Type: enhancement. An enhancement or improvement of existing functionality.W: todoWorkflow: todo. The issue is in the initial to do state.Workflow: todo. The issue is in the initial to do state.
Type
Fields
Give feedbackNo fields configured for issues without a type.
DRTM between coreboot and payload doesn't improve the security by itself. For dynamic launch to be useful, a later component must somehow depend on proof generated by this mechanism. This issue is made to gather the ideas for use cases.
1. Encrypted SMMSTORE
SMMSTORE is used as a backend for UEFI variables for edk2 on top of coreboot. As the name suggests, SMM is used to perform raw accesses to the flash device.
Instead of data written in plain form, it may be encrypted by a TPM using a key sealed with specific PCR values. If the payload is modified, it can no longer access the variables, because its measurement recorder in PCR will be different. This improves confidentiality, but not integrity nor availability properties.
Challenges:
2. Encrypted boot partition
While solutions like LUKS or BitLocker are called full disk encryption mechanisms, they only encrypt the system partition, and a smaller boot partition must remain unencrypted. Boot partition then contains either a small utility or whole kernel that decrypts the main partition.
It should be possible to implement a driver in UEFI that would read the sealed key from the TPM and use it to decrypt the boot partition, or even MBR/GPT (although this may require support in the operating system as well). By doing so, if the drive were stolen, the attacker would not only be stopped from accessing the root filesystem content, but he also wouldn't be able to detect the flavor of operating system that is installed on that disk. With encrypted MBR/GPT, this would provide plausibly deniable encryption - without the proper key, even the existence of partitions can't be proven.
Challenges:
3. Your use case
Additional ideas are welcomed.