I have worked with TPM for a while, and I'm interested in some of its features. Especially sealing and the use of TPM's PCRs in the secure boot process.

My question is: What is stopping an attacker from disabling the TPM until after boot? Then extending the PCRs with whatever he wants, and even recording the input to the extend function of the PCR in the authentic boot chain. Then use this as an input in order to get the same SHA1 digest in the PCRs?

Another question is whether an attacker can try using the TPM on another system which will also send fake inputs to the PCRs at boot time?

RoraΖ
  • Because the hardware is designed so that disabling it requires physical access. And with full disk encryption via the TPM, you can't boot without it active. – Natanael Feb 03 '16 at 12:39

1 Answer

Quite a few specific questions here; I'll break it down.

  • What is stopping an attacker from disabling the TPM until after boot?

Nothing if the attacker controls both the FW (UEFI, BIOS, etc) and the boot code. I say the boot code because at some point near the end of the boot, the TPM would need to be initialized and put in the right run-level so the OS doesn't detect anything out of place. You can't just turn it off, because user/OS applications expect it to be in a certain state and that would blow your cover, if you are the hacker >:)

You have to trust your UEFI/BIOS. Did you accidentally flash some hacker sh*t to your motherboard? That's the only way this would work. Don't do that.

  • Then extending the PCRs with whatever he wants

Because of how PCRs work, this is "impossible". You cannot update PCRs to arbitrary values; you have to hash things in the exact same order each time -> impossible to crack.

But you already know this, though, you mentioned the "extend" operation yourself. PCRs are not "written", they are "extended". For some good info on that, see here on http://opensecuritytraining.info/. A quote from that presentation:

Digging a Little Deeper: PCR Extend
....
Computationally infeasible to forge (must break SHA-1)
    Given PCR state N and desired state M, adversary would need to find
    X such that hash(X,N)=M; violates one-way assumption
  • and even recording the input to the extend function of the PCR in the authentic boot chain

That's pretty darn smart, but how would this be done? Physical probes on the bus? Totally possible!! But now we've gone beyond the TCG TPM specification, which specifically does not protect against physical tampering, AFAIK. It does provide physical tampering evidence but does not protect against someone taking a trace on the pins.

  • an attacker can try using the TPM on another system which will also send fake inputs to the PCRs at boot time?

Can you elaborate on how this would work? But no, you couldn't remotely use another TPM without software to expose it to a service. Doable in the OS, but if you could forge PCRs on the remote machine you can forge them here.

Again, you can't just put "fake inputs" into the PCRs, it doesn't work like that.

Wilbur Whateley
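Added example (not code from the question or the answer above): a small Python simulation of the PCR extend operation, showing why a PCR is "extended" rather than "written", and how a verifier replays a measured-boot event log to check that it reproduces a quoted PCR value. The boot-chain entries and the `verify_event_log` helper are constructed for this example; the hash construction `new = H(old || measurement)` is the one the quoted slide describes.

```python
"""Simulate TPM PCR extend and event-log replay (added example, not from the post)."""
import hashlib


def extend(pcr: bytes, measurement: bytes, algo: str = "sha1") -> bytes:
    """TPM extend: new_pcr = H(old_pcr || measurement).

    The new value is a hash over the old value, so there is no way to
    place a chosen value into the register; you can only append to the chain.
    """
    h = hashlib.new(algo)
    h.update(pcr)
    h.update(measurement)
    return h.digest()


def measure(data: bytes, algo: str = "sha1") -> bytes:
    """Firmware measures a component by hashing it; the hash is what gets extended."""
    return hashlib.new(algo, data).digest()


def initial_pcr(algo: str = "sha1") -> bytes:
    # Boot PCRs (0-7) start as all-zero bytes of the bank's digest size after reset.
    return bytes(hashlib.new(algo).digest_size)


def replay_log(events, algo: str = "sha1") -> bytes:
    """Recompute the PCR value that a sequence of measured components produces."""
    pcr = initial_pcr(algo)
    for data in events:
        pcr = extend(pcr, measure(data, algo), algo)
    return pcr


def verify_event_log(events, quoted_pcr: bytes, algo: str = "sha1") -> bool:
    """Hypothetical verifier check: does the presented log explain the quoted PCR?

    This is the kind of check a remote-attestation verifier performs: it does not
    trust the log by itself, it trusts the PCR quote and uses the log to explain it.
    """
    return replay_log(events, algo) == quoted_pcr


# Constructed sample boot chain: stand-ins for firmware, bootloader and kernel images.
BOOT_CHAIN = [b"firmware-volume-v1", b"bootloader-v1", b"kernel-v1"]

# The "quoted" PCR is what the authentic chain produces on the real hardware.
QUOTED_PCR = replay_log(BOOT_CHAIN)


def same_events_reordered_match() -> bool:
    """Same components, different order: the digest differs, so order is part of the proof."""
    return replay_log(list(reversed(BOOT_CHAIN))) == QUOTED_PCR


def tampered_kernel_matches() -> bool:
    """One changed byte in the last component changes the final PCR value."""
    tampered = BOOT_CHAIN[:-1] + [b"kernel-v1-modified"]
    return replay_log(tampered) == QUOTED_PCR


def can_write_pcr_directly(target: bytes) -> bool:
    """'Extending' with a desired value does not set the register to that value."""
    return extend(initial_pcr(), target) == target


if __name__ == "__main__":
    print("authentic log verifies:", verify_event_log(BOOT_CHAIN, QUOTED_PCR))
    print("reordered log verifies:", same_events_reordered_match())
    print("tampered log verifies:", tampered_kernel_matches())
    print("can write PCR directly:", can_write_pcr_directly(QUOTED_PCR))
    # The same property holds for the SHA-256 bank used by TPM 2.0.
    print("sha256 replay verifies:",
          verify_event_log(BOOT_CHAIN, replay_log(BOOT_CHAIN, "sha256"), "sha256"))
```

The replay check is also why a recorded event log from an authentic boot is only useful to someone who can feed it to a TPM that starts from the reset state: the verifier compares against a quote signed by the TPM, and the log merely has to explain that quote.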