| Message ID | 1604419306-26105-4-git-send-email-sumit.garg@linaro.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Introduce TEE based Trusted Keys support | expand |
Hi Sumit, Thank you for the detailed descriptions and examples of trust sources for Trusted Keys. A group of us in IBM (Stefan Berger, Ken Goldman, Zhongshu Gu, Nayna Jain, Elaine Palmer, George Wilson, Mimi Zohar) have been doing related work for quite some time, and we have one primary concern and some suggested changes to the document. Our primary concern is that describing a TEE as a Trust Source needs to be more specific. For example, "ARM TrustZone" is not sufficient, but "wolfSSL embedded SSL/TLS library with ARM TrustZone CryptoCell-310" is. Just because a key is protected by software running in a TEE is not enough to establish trust. Just like cryptographic modules, a Trust Source should be defined as a specific implementation on specific hardware with well-documented environmental assumptions, dependencies, and threats. In addition to the above concern, our suggested changes are inline below. > Begin forwarded message: > > From: Sumit Garg <sumit.garg@linaro.org> > Subject: [PATCH v8 3/4] doc: trusted-encrypted: updates with TEE as a new trust source > Date: November 3, 2020 at 11:01:45 AM EST > To: jarkko.sakkinen@linux.intel.com, zohar@linux.ibm.com, jejb@linux.ibm.com > Cc: dhowells@redhat.com, jens.wiklander@linaro.org, corbet@lwn.net, jmorris@namei.org, serge@hallyn.com, casey@schaufler-ca.com, janne.karhunen@gmail.com, daniel.thompson@linaro.org, Markus.Wamser@mixed-mode.de, lhinds@redhat.com, keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, op-tee@lists.trustedfirmware.org, Sumit Garg <sumit.garg@linaro.org> > > Update documentation for Trusted and Encrypted Keys with TEE as a new > trust source. Following is brief description of updates: > > - Add a section to demostrate a list of supported devices along with > their security properties/guarantees. > - Add a key generation section. > - Updates for usage section including differences specific to a trust > source. > > Signed-off-by: Sumit Garg <sumit.garg@linaro.org> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > --- > Documentation/security/keys/trusted-encrypted.rst | 203 ++++++++++++++++++---- > 1 file changed, 171 insertions(+), 32 deletions(-) > > diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst > index 1da879a..16042c8 100644 > --- a/Documentation/security/keys/trusted-encrypted.rst > +++ b/Documentation/security/keys/trusted-encrypted.rst > @@ -6,30 +6,161 @@ Trusted and Encrypted Keys are two new key types added to the existing kernel > key ring service. Both of these new types are variable length symmetric keys, > and in both cases all keys are created in the kernel, and user space sees, > stores, and loads only encrypted blobs. Trusted Keys require the availability > -of a Trusted Platform Module (TPM) chip for greater security, while Encrypted > -Keys can be used on any system. All user level blobs, are displayed and loaded > -in hex ascii for convenience, and are integrity verified. > +of a Trust Source for greater security, while Encrypted Keys can be used on any > +system. All user level blobs, are displayed and loaded in hex ascii for > +convenience, and are integrity verified. > > -Trusted Keys use a TPM both to generate and to seal the keys. Keys are sealed > -under a 2048 bit RSA key in the TPM, and optionally sealed to specified PCR > -(integrity measurement) values, and only unsealed by the TPM, if PCRs and blob > -integrity verifications match. A loaded Trusted Key can be updated with new > -(future) PCR values, so keys are easily migrated to new pcr values, such as > -when the kernel and initramfs are updated. The same key can have many saved > -blobs under different PCR values, so multiple boots are easily supported. > > -TPM 1.2 > -------- > +Trust Source > +============ > > -By default, trusted keys are sealed under the SRK, which has the default > -authorization value (20 zeros). This can be set at takeownership time with the > -trouser's utility: "tpm_takeownership -u -z". > +Trust Source provides the source of security for the Trusted Keys, on which > +basis Trusted Keys establishes a Trust model with its user. A Trust Source could > +differ from one system to another depending on its security requirements. It > +could be either an off-chip device or an on-chip device. Following section > +demostrates a list of supported devices along with their security properties/ > +guarantees: Please change the following "Trust Source provides the source of security for the Trusted Keys, on which basis Trusted Keys establishes a Trust model with its user." to "A trust source provides the source of security for the Trusted Keys. Whether or not a trust source is sufficiently safe depends on the strength and correctness of its implementation, as well as the threat environment for a specific use case. Since the kernel doesn't know what the environment is, and there is no metric of trust, it is dependent on the consumer of the Trusted Keys to determine if the trust source is sufficiently safe." > > -TPM 2.0 > -------- > + * Root of trust for storage > > -The user must first create a storage key and make it persistent, so the key is > -available after reboot. This can be done using the following commands. > + (1) TPM (Trusted Platform Module: hardware device) > + > + Rooted to Storage Root Key (SRK) which never leaves the TPM that > + provides crypto operation to establish root of trust for storage. > + > + (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone) > + > + Rooted to Hardware Unique Key (HUK) which is generally burnt in on-chip > + fuses and is accessible to TEE only. > + > + * Execution isolation > + > + (1) TPM > + > + Fixed set of operations running in isolated execution environment. > + > + (2) TEE > + > + Customizable set of operations running in isolated execution > + environment verified via Secure/Trusted boot process. > + > + * Optional binding to platform integrity state > + > + (1) TPM > + > + Keys can be optionally sealed to specified PCR (integrity measurement) > + values, and only unsealed by the TPM, if PCRs and blob integrity > + verifications match. A loaded Trusted Key can be updated with new > + (future) PCR values, so keys are easily migrated to new PCR values, > + such as when the kernel and initramfs are updated. The same key can > + have many saved blobs under different PCR values, so multiple boots are > + easily supported. > + > + (2) TEE > + > + Relies on Secure/Trusted boot process for platform integrity. It can > + be extended with TEE based measured boot process. > + > + * On-chip versus off-chip > + > + (1) TPM > + > + Off-chip device connected via serial bus (like I2C, SPI etc.) exposing > + physical access which represents an attack surface that can be > + mitigated via tamper detection. > + > + (2) TEE > + > + On-chip functionality, immune to this attack surface. > + > + * Memory attacks (DRAM based like attaching a bus monitor etc.) > + > + (1) TPM > + > + Immune to these attacks as it doesn’t make use of system DRAM. > + > + (2) TEE > + > + An implementation based on TrustZone protected DRAM is susceptible to > + such attacks. In order to mitigate these attacks one needs to rely on > + on-chip secure RAM to store secrets or have the entire TEE > + implementation based on on-chip secure RAM. An alternative mitigation > + would be to use encrypted DRAM. > + > + * Side-channel attacks (cache, memory, CPU or time based) > + > + (1) TPM > + > + Immune to side-channel attacks as its resources are isolated from the > + main OS. > + > + (2) TEE > + > + A careful implementation is required to mitigate against these attacks > + for resources which are shared (eg. shared memory) with the main OS. > + Cache and CPU based side-channel attacks can be mitigated via > + invalidating caches and CPU registers during context switch to and from > + the secure world. > + To mitigate against time based attacks, one needs to have time > + invariant implementations (like crypto algorithms etc.). > + > + * Resistance to physical attacks (power analysis, electromagnetic emanation, > + probes etc.) > + > + (1) TPM > + > + Provides limited protection utilizing tamper resistance. > + > + (2) TEE > + > + Provides no protection by itself, relies on the underlying platform for > + features such as tamper resistance. > + > + please add the following: * Provisioning - the trust source's unique and verifiable cryptographic identity is provisioned during manufacturing (1) TPM The unique and verifiable cryptographic identity is the endorsement key (EK) or its primary seed. A review of the generation of the EK and its accompanying certificate is part of the Common Criteria evaluation of the product's lifecycle processes (ALC_*). See "TCG Protection Profile for PC Client Specific TPM 2" (https://trustedcomputinggroup.org/resource/pc-client-protection-profile-for-tpm-2-0/). (2) TEE A protection profile for TEEs does not yet exist. Therefore, the provisioning process that generates the Hardware Unique Key is not evaluated by an independent third party and is highly dependent on the manufacturing environment. * Cryptography (1) TPM As part of the TPM's mandatory Common Criteria evaluation, the correctness of the TPM's implementation of cryptographic algorithms, the protection of keys, and the generation of random numbers, and other security-relevant functions must be documented, reviewed, and tested by an independent third party evaluation agency. It must meet the requirements of FIPS 140-2, FIPS 140-3, or ISO/IEC 19790:2012. (2) TEE Evaluations of cryptographic modules within TEEs are not required, but some are available for specific implementations within TEEs. * Interfaces and APIs (1) TPMs have well-documented, standardized interfaces and APIs. (2) Unless they implement functionality such as a virtual TPM, TEEs have custom interfaces and APIs. * Threat model The strength and appropriateness of TPMs and TEEs for a given purpose must be assessed when using them to protect security-relevant data. We suggest documenting environmental assumptions and dependencies in a high-level threat model for each additional trust source. Just as each new LSM needs to comply with Documentation/security/lsm-development.rst, each new Trusted Key source should provide a high-level threat model. An example of a high-level threat model is "Common Security Threats v1.0” (https://www.opencompute.org/documents/common-security-threats-notes-1-pdf ). The original Trusted Keys implementation assumed discrete physical TPMs for key protection. However, even physical TPMs themselves vary based on the manufacturer and systems in which they are placed. The embedded chipset, firmware load, algorithms, packaging, pins, and countermeasures vary. (Threats and mitigations on physical TPMs are well documented, e.g., "Threat Model of a Scenario Based on Trusted Platform Module 2.0 Specification” (http://ceur-ws.org/Vol-1011/6.pdf). Specific to Trusted Keys and TPMs, there is some discussion of threats and mitigations in the Integrity_overview.pdf on the IMA wiki: • The trusted key component does two things to help with secure key management on Linux. First, it provides a kernel key ring service in which the symmetric encryption keys are never visible in plain text to userspace. The keys are created in the kernel, and sealed by a hardware device such as a TPM, with userspace seeing only the sealed blobs. Malicious or compromised applications cannot steal a trusted key, since only the kernel can see the unsealed blobs. Secondly, the trusted keys can tie key unsealing to the integrity measurements, so that keys cannot be stolen in an offline attack, such as by booting an unlocked Linux image from CD or USB. As the measurements will be different, the TPM chip will refuse to unseal the keys, even for the kernel. Consumers of Trusted Keys in different environments need enough information so that they can create their own threat models tailored to their use cases. For the present submission, a high-level security model of ARM TrustZone and how Trusted Keys key protection is implemented along with an enumeration of security considerations for end-use threat models would be appropriate. An excellent and related paper describes the strengths, weaknesses, and countermeasures of a firmware TPM implemented within a TEE. See "fTPM: A Software-only Implementation of a TPM Chip” (https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/raj) > +Key Generation > +============== > + > +Trusted Keys > +------------ > + > +New keys are created from trust source generated random numbers, and are > +encrypted/decrypted using trust source storage root key. Please change the following "New keys are created from trust source generated random numbers, and are encrypted/decrypted using trust source storage root key." to "New keys are created from random numbers generated in the trust source. They are encrypted/decrypted using a child key in the storage key hierarchy. Encryption and decryption of the child key must be protected by a strong access control policy within the trust source. “ Thank you. Elaine
On Wed, Dec 02, 2020 at 02:34:07PM -0500, gmail Elaine Palmer wrote: > Hi Sumit, > > Thank you for the detailed descriptions and examples of trust sources > for Trusted Keys. A group of us in IBM (Stefan Berger, Ken Goldman, > Zhongshu Gu, Nayna Jain, Elaine Palmer, George Wilson, Mimi Zohar) > have been doing related work for quite some time, and we have one > primary concern and some suggested changes to the document. > > Our primary concern is that describing a TEE as a Trust Source needs > to be more specific. For example, "ARM TrustZone" is not sufficient, > but "wolfSSL embedded SSL/TLS library with ARM TrustZone > CryptoCell-310" is. Just because a key is protected by software > running in a TEE is not enough to establish trust. Just like > cryptographic modules, a Trust Source should be defined as a specific > implementation on specific hardware with well-documented environmental > assumptions, dependencies, and threats. > > In addition to the above concern, our suggested changes are inline > below. In order to give a decent review comment it should have two ingredients: - Where the existing line of code / text / whatever goes wrong. - How it should modified and why that makes sense. And use as plain English and non-academic terms as possible, if it is documentation. Further, scope is only the kernel implementation, no more or no less. "do this" is not unfortunately an argument. Feedback is welcome when it is supported by something common sensse. Some meta suggestion of related to email: Please also use a proper email client and split your paragraphs into at most 80 character lines with new line characters when writing email. I prefer to use 72 character line length so that there's some space for longer email threads. /Jarkko
Hi-- Please see doc. comments below. On 11/3/20 8:01 AM, Sumit Garg wrote: > Update documentation for Trusted and Encrypted Keys with TEE as a new > trust source. Following is brief description of updates: > > - Add a section to demostrate a list of supported devices along with demonstrate > their security properties/guarantees. > - Add a key generation section. > - Updates for usage section including differences specific to a trust > source. > > Signed-off-by: Sumit Garg <sumit.garg@linaro.org> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > --- > Documentation/security/keys/trusted-encrypted.rst | 203 ++++++++++++++++++---- > 1 file changed, 171 insertions(+), 32 deletions(-) > > diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst > index 1da879a..16042c8 100644 > --- a/Documentation/security/keys/trusted-encrypted.rst > +++ b/Documentation/security/keys/trusted-encrypted.rst > @@ -6,30 +6,161 @@ Trusted and Encrypted Keys are two new key types added to the existing kernel > key ring service. Both of these new types are variable length symmetric keys, > and in both cases all keys are created in the kernel, and user space sees, > stores, and loads only encrypted blobs. Trusted Keys require the availability > -of a Trusted Platform Module (TPM) chip for greater security, while Encrypted > -Keys can be used on any system. All user level blobs, are displayed and loaded > -in hex ascii for convenience, and are integrity verified. > +of a Trust Source for greater security, while Encrypted Keys can be used on any > +system. All user level blobs, are displayed and loaded in hex ascii for s/ascii/ASCII/ please. Yes, I know that it was already there in lower case. > +convenience, and are integrity verified. > > -Trusted Keys use a TPM both to generate and to seal the keys. Keys are sealed > -under a 2048 bit RSA key in the TPM, and optionally sealed to specified PCR > -(integrity measurement) values, and only unsealed by the TPM, if PCRs and blob > -integrity verifications match. A loaded Trusted Key can be updated with new > -(future) PCR values, so keys are easily migrated to new pcr values, such as > -when the kernel and initramfs are updated. The same key can have many saved > -blobs under different PCR values, so multiple boots are easily supported. > > -TPM 1.2 > -------- > +Trust Source > +============ > > -By default, trusted keys are sealed under the SRK, which has the default > -authorization value (20 zeros). This can be set at takeownership time with the > -trouser's utility: "tpm_takeownership -u -z". > +Trust Source provides the source of security for the Trusted Keys, on which > +basis Trusted Keys establishes a Trust model with its user. A Trust Source could > +differ from one system to another depending on its security requirements. It > +could be either an off-chip device or an on-chip device. Following section > +demostrates a list of supported devices along with their security properties/ demonstrates > +guarantees: > > -TPM 2.0 > -------- > + * Root of trust for storage > > -The user must first create a storage key and make it persistent, so the key is > -available after reboot. This can be done using the following commands. > + (1) TPM (Trusted Platform Module: hardware device) > + > + Rooted to Storage Root Key (SRK) which never leaves the TPM that > + provides crypto operation to establish root of trust for storage. > + > + (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone) > + > + Rooted to Hardware Unique Key (HUK) which is generally burnt in on-chip > + fuses and is accessible to TEE only. > + > + * Execution isolation > + > + (1) TPM > + > + Fixed set of operations running in isolated execution environment. > + > + (2) TEE > + > + Customizable set of operations running in isolated execution > + environment verified via Secure/Trusted boot process. > + > + * Optional binding to platform integrity state > + > + (1) TPM > + > + Keys can be optionally sealed to specified PCR (integrity measurement) > + values, and only unsealed by the TPM, if PCRs and blob integrity > + verifications match. A loaded Trusted Key can be updated with new > + (future) PCR values, so keys are easily migrated to new PCR values, > + such as when the kernel and initramfs are updated. The same key can > + have many saved blobs under different PCR values, so multiple boots are > + easily supported. > + > + (2) TEE > + > + Relies on Secure/Trusted boot process for platform integrity. It can > + be extended with TEE based measured boot process. > + > + * On-chip versus off-chip > + > + (1) TPM > + > + Off-chip device connected via serial bus (like I2C, SPI etc.) exposing > + physical access which represents an attack surface that can be > + mitigated via tamper detection. > + > + (2) TEE > + > + On-chip functionality, immune to this attack surface. > + > + * Memory attacks (DRAM based like attaching a bus monitor etc.) DRAM-based > + > + (1) TPM > + > + Immune to these attacks as it doesn’t make use of system DRAM. > + > + (2) TEE > + > + An implementation based on TrustZone protected DRAM is susceptible to > + such attacks. In order to mitigate these attacks one needs to rely on > + on-chip secure RAM to store secrets or have the entire TEE > + implementation based on on-chip secure RAM. An alternative mitigation > + would be to use encrypted DRAM. > + > + * Side-channel attacks (cache, memory, CPU or time based) > + > + (1) TPM > + > + Immune to side-channel attacks as its resources are isolated from the > + main OS. > + > + (2) TEE > + > + A careful implementation is required to mitigate against these attacks > + for resources which are shared (eg. shared memory) with the main OS. e.g. > + Cache and CPU based side-channel attacks can be mitigated via > + invalidating caches and CPU registers during context switch to and from > + the secure world. > + To mitigate against time based attacks, one needs to have time > + invariant implementations (like crypto algorithms etc.). > + > + * Resistance to physical attacks (power analysis, electromagnetic emanation, > + probes etc.) > + > + (1) TPM > + > + Provides limited protection utilizing tamper resistance. > + > + (2) TEE > + > + Provides no protection by itself, relies on the underlying platform for > + features such as tamper resistance. > + > + > +Key Generation > +============== > + > +Trusted Keys > +------------ > + > +New keys are created from trust source generated random numbers, and are > +encrypted/decrypted using trust source storage root key. > + > + * TPM (hardware device) based RNG > + > + Strength of random numbers may vary from one device manufacturer to > + another. > + > + * TEE (OP-TEE based on Arm TrustZone) based RNG > + > + RNG is customizable as per platform needs. It can either be direct output > + from platform specific hardware RNG or a software based Fortuna CSPRNG > + which can be seeded via multiple entropy sources. > + > +Encrypted Keys > +-------------- > + > +Encrypted keys do not depend on a trust source, and are faster, as they use AES > +for encryption/decryption. New keys are created from kernel generated random kernel-generated > +numbers, and are encrypted/decrypted using a specified ‘master’ key. The > +‘master’ key can either be a trusted-key or user-key type. The main disadvantage > +of encrypted keys is that if they are not rooted in a trusted key, they are only > +as secure as the user key encrypting them. The master user key should therefore > +be loaded in as secure a way as possible, preferably early in boot. > + > + > +Usage > +===== > + > +Trusted Keys usage: TPM > +----------------------- > + > +TPM 1.2: By default, trusted keys are sealed under the SRK, which has the > +default authorization value (20 zeros). This can be set at takeownership time Does "20 zeros" mean 20 bytes of 0s or 20 bits of 0s or something else? > +with the TrouSerS utility: "tpm_takeownership -u -z". > + > +TPM 2.0: The user must first create a storage key and make it persistent, so the > +key is available after reboot. This can be done using the following commands. > > With the IBM TSS 2 stack:: > > @@ -78,14 +209,21 @@ TPM_STORED_DATA format. The key length for new keys are always in bytes. > Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit > within the 2048 bit SRK (RSA) keylength, with all necessary structure/padding. > > -Encrypted keys do not depend on a TPM, and are faster, as they use AES for > -encryption/decryption. New keys are created from kernel generated random > -numbers, and are encrypted/decrypted using a specified 'master' key. The > -'master' key can either be a trusted-key or user-key type. The main > -disadvantage of encrypted keys is that if they are not rooted in a trusted key, > -they are only as secure as the user key encrypting them. The master user key > -should therefore be loaded in as secure a way as possible, preferably early in > -boot. > +Trusted Keys usage: TEE > +----------------------- > + > +Usage:: > + > + keyctl add trusted name "new keylen" ring > + keyctl add trusted name "load hex_blob" ring > + keyctl print keyid > + > +"keyctl print" returns an ascii hex copy of the sealed key, which is in format ASCII > +specific to TEE device implementation. The key length for new keys are always is always > +in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). > + > +Encrypted Keys usage > +-------------------- > > The decrypted portion of encrypted keys can contain either a simple symmetric > key or a more complex structure. The format of the more complex structure is > @@ -103,8 +241,8 @@ Where:: > format:= 'default | ecryptfs | enc32' > key-type:= 'trusted' | 'user' > > - > Examples of trusted and encrypted key usage: > +-------------------------------------------- No colon at end of heading, please. > > Create and save a trusted key named "kmk" of length 32 bytes. > > @@ -150,7 +288,7 @@ Load a trusted key from the saved blob:: > f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b > e4a8aea2b607ec96931e6f4d4fe563ba > > -Reseal a trusted key under new pcr values:: > +Reseal (TPM specific) a trusted key under new PCR values:: > > $ keyctl update 268728824 "update pcrinfo=`cat pcr.blob`" > $ keyctl print 268728824 > @@ -164,11 +302,12 @@ Reseal a trusted key under new pcr values:: > 7ef6a24defe4846104209bf0c3eced7fa1a672ed5b125fc9d8cd88b476a658a4434644ef > df8ae9a178e9f83ba9f08d10fa47e4226b98b0702f06b3b8 > > + > The initial consumer of trusted keys is EVM, which at boot time needs a high > -quality symmetric key for HMAC protection of file metadata. The use of a > +quality symmetric key for HMAC protection of file metadata. The use of a > trusted key provides strong guarantees that the EVM key has not been > -compromised by a user level problem, and when sealed to specific boot PCR > -values, protects against boot and offline attacks. Create and save an > +compromised by a user level problem, and when sealed to a platform integrity > +state, protects against boot and offline attacks. Create and save an > encrypted key "evm" using the above trusted key "kmk": > > option 1: omitting 'format':: > thanks.
Hi Jarkko, On Fri, 2020-12-04 at 17:30 +0200, Jarkko Sakkinen wrote: > On Wed, Dec 02, 2020 at 02:34:07PM -0500, gmail Elaine Palmer wrote: > > Hi Sumit, > > > > Thank you for the detailed descriptions and examples of trust sources > > for Trusted Keys. A group of us in IBM (Stefan Berger, Ken Goldman, > > Zhongshu Gu, Nayna Jain, Elaine Palmer, George Wilson, Mimi Zohar) > > have been doing related work for quite some time, and we have one > > primary concern and some suggested changes to the document. > > > > Our primary concern is that describing a TEE as a Trust Source needs > > to be more specific. For example, "ARM TrustZone" is not sufficient, > > but "wolfSSL embedded SSL/TLS library with ARM TrustZone > > CryptoCell-310" is. Just because a key is protected by software > > running in a TEE is not enough to establish trust. Just like > > cryptographic modules, a Trust Source should be defined as a specific > > implementation on specific hardware with well-documented environmental > > assumptions, dependencies, and threats. > > > > In addition to the above concern, our suggested changes are inline > > below. > > In order to give a decent review comment it should have two ingredients: > > - Where the existing line of code / text / whatever goes wrong. > - How it should modified and why that makes sense. And use as plain > English and non-academic terms as possible, if it is documentation. > Further, scope is only the kernel implementation, no more or no > less. > > "do this" is not unfortunately an argument. Feedback is welcome when > it is supported by something common sensse. Even after the code is fully debugged, reviewed and tested, our concern is that people will assume the security guarantees of TEE based trusted keys to be equivalent to that of a discrete TPM. > > Some meta suggestion of related to email: > > Please also use a proper email client and split your paragraphs into > at most 80 character lines with new line characters when writing email. > I prefer to use 72 character line length so that there's some space > for longer email threads. Sure, we'll re-post the suggested documentation changes/additions. Mimi
Hi Sumit, Jarkko, Re-posting Elaine Palmer's comments, inline below, trimmed and properly formatted. On Tue, 2020-11-03 at 21:31 +0530, Sumit Garg wrote: > Update documentation for Trusted and Encrypted Keys with TEE as a new > trust source. Following is brief description of updates: > > - Add a section to demostrate a list of supported devices along with > their security properties/guarantees. > - Add a key generation section. > - Updates for usage section including differences specific to a trust > source. > > Signed-off-by: Sumit Garg <sumit.garg@linaro.org> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > --- > Documentation/security/keys/trusted-encrypted.rst | 203 ++++++++++++++++++---- > 1 file changed, 171 insertions(+), 32 deletions(-) > > diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst > index 1da879a..16042c8 100644 > --- a/Documentation/security/keys/trusted-encrypted.rst > +++ b/Documentation/security/keys/trusted-encrypted.rst > @@ -6,30 +6,161 @@ Trusted and Encrypted Keys are two new key types added to the existing kernel > key ring service. Both of these new types are variable length symmetric keys, > and in both cases all keys are created in the kernel, and user space sees, > stores, and loads only encrypted blobs. Trusted Keys require the availability > -of a Trusted Platform Module (TPM) chip for greater security, while Encrypted > -Keys can be used on any system. All user level blobs, are displayed and loaded > -in hex ascii for convenience, and are integrity verified. > +of a Trust Source for greater security, while Encrypted Keys can be used on any > +system. All user level blobs, are displayed and loaded in hex ascii for > +convenience, and are integrity verified. > > -Trusted Keys use a TPM both to generate and to seal the keys. Keys are sealed > -under a 2048 bit RSA key in the TPM, and optionally sealed to specified PCR > -(integrity measurement) values, and only unsealed by the TPM, if PCRs and blob > -integrity verifications match. A loaded Trusted Key can be updated with new > -(future) PCR values, so keys are easily migrated to new pcr values, such as > -when the kernel and initramfs are updated. The same key can have many saved > -blobs under different PCR values, so multiple boots are easily supported. > > -TPM 1.2 > -------- > +Trust Source > +============ > > -By default, trusted keys are sealed under the SRK, which has the default > -authorization value (20 zeros). This can be set at takeownership time with the > -trouser's utility: "tpm_takeownership -u -z". > +Trust Source provides the source of security for the Trusted Keys, on which > +basis Trusted Keys establishes a Trust model with its user. A trust source provides the source of security for the Trusted Keys. Whether or not a trust source is sufficiently safe depends on the strength and correctness of its implementation, as well as the threat environment for a specific use case. Since the kernel doesn't know what the environment is, and there is no metric of trust, it is dependent on the consumer of the Trusted Keys to determine if the trust source is sufficiently safe. > A Trust Source could > +differ from one system to another depending on its security requirements. It > +could be either an off-chip device or an on-chip device. Following section > +demostrates a list of supported devices along with their security properties/ > +guarantees: > > -TPM 2.0 > -------- > + * Root of trust for storage > > -The user must first create a storage key and make it persistent, so the key is > -available after reboot. This can be done using the following commands. > + (1) TPM (Trusted Platform Module: hardware device) > + > + Rooted to Storage Root Key (SRK) which never leaves the TPM that > + provides crypto operation to establish root of trust for storage. > + > + (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone) > + > + Rooted to Hardware Unique Key (HUK) which is generally burnt in on-chip > + fuses and is accessible to TEE only. > + > + * Execution isolation > + > + (1) TPM > + > + Fixed set of operations running in isolated execution environment. > + > + (2) TEE > + > + Customizable set of operations running in isolated execution > + environment verified via Secure/Trusted boot process. > + > + * Optional binding to platform integrity state > + > + (1) TPM > + > + Keys can be optionally sealed to specified PCR (integrity measurement) > + values, and only unsealed by the TPM, if PCRs and blob integrity > + verifications match. A loaded Trusted Key can be updated with new > + (future) PCR values, so keys are easily migrated to new PCR values, > + such as when the kernel and initramfs are updated. The same key can > + have many saved blobs under different PCR values, so multiple boots are > + easily supported. > + > + (2) TEE > + > + Relies on Secure/Trusted boot process for platform integrity. It can > + be extended with TEE based measured boot process. > + > + * On-chip versus off-chip > + > + (1) TPM > + > + Off-chip device connected via serial bus (like I2C, SPI etc.) exposing > + physical access which represents an attack surface that can be > + mitigated via tamper detection. > + > + (2) TEE > + > + On-chip functionality, immune to this attack surface. > + > + * Memory attacks (DRAM based like attaching a bus monitor etc.) > + > + (1) TPM > + > + Immune to these attacks as it doesn’t make use of system DRAM. > + > + (2) TEE > + > + An implementation based on TrustZone protected DRAM is susceptible to > + such attacks. In order to mitigate these attacks one needs to rely on > + on-chip secure RAM to store secrets or have the entire TEE > + implementation based on on-chip secure RAM. An alternative mitigation > + would be to use encrypted DRAM. > + > + * Side-channel attacks (cache, memory, CPU or time based) > + > + (1) TPM > + > + Immune to side-channel attacks as its resources are isolated from the > + main OS. > + > + (2) TEE > + > + A careful implementation is required to mitigate against these attacks > + for resources which are shared (eg. shared memory) with the main OS. > + Cache and CPU based side-channel attacks can be mitigated via > + invalidating caches and CPU registers during context switch to and from > + the secure world. > + To mitigate against time based attacks, one needs to have time > + invariant implementations (like crypto algorithms etc.). > + > + * Resistance to physical attacks (power analysis, electromagnetic emanation, > + probes etc.) > + > + (1) TPM > + > + Provides limited protection utilizing tamper resistance. > + > + (2) TEE > + > + Provides no protection by itself, relies on the underlying platform for > + features such as tamper resistance. > + Please add the following topics: * Provisioning - the trust source's unique and verifiable cryptographic identity is provisioned during manufacturing (1) TPM The unique and verifiable cryptographic identity is the endorsement key (EK) or its primary seed. A review of the generation of the EK and its accompanying certificate is part of the Common Criteria evaluation of the product's lifecycle processes (ALC_*). See "TCG Protection Profile for PC Client Specific TPM 2" ( https://trustedcomputinggroup.org/resource/pc-client-protection-profile-for-tpm-2-0/ ). (2) TEE A protection profile for TEEs does not yet exist. Therefore, the provisioning process that generates the Hardware Unique Key is not evaluated by an independent third party and is highly dependent on the manufacturing environment. * Cryptography (1) TPM As part of the TPM's mandatory Common Criteria evaluation, the correctness of the TPM's implementation of cryptographic algorithms, the protection of keys, and the generation of random numbers, and other security-relevant functions must be documented, reviewed, and tested by an independent third party evaluation agency. It must meet the requirements of FIPS 140-2, FIPS 140-3, or ISO/IEC 19790:2012. (2) TEE Evaluations of cryptographic modules within TEEs are not required, but some are available for specific implementations within TEEs. * Interfaces and APIs (1) TPM TPMs have well-documented, standardized interfaces and APIs. (2) TEE Unless TEEs implement functionality such as a virtual TPM, they have custom interfaces and APIs. * Threat model The strength and appropriateness of TPMs and TEEs for a given purpose must be assessed when using them to protect security-relevant data. > + > +Key Generation > +============== > + > +Trusted Keys > +------------ > + > +New keys are created from trust source generated random numbers, and are > +encrypted/decrypted using trust source storage root key. New keys are created from random numbers generated in the trust source. They are encrypted/decrypted using a child key in the storage key hierarchy. Encryption and decryption of the child key must be protected by a strong access control policy within the trust source. Thank you, Elaine (and Mimi)
Hi Sumit, Jarkko, On Tue, 2020-12-08 at 10:55 -0500, Mimi Zohar wrote: > Re-posting Elaine Palmer's comments, inline below, trimmed and properly > formatted. Continued ... Thank you for the detailed descriptions and examples of trust sources for Trusted Keys. A group of us in IBM (Stefan Berger, Ken Goldman, Zhongshu Gu, Nayna Jain, Elaine Palmer, George Wilson, Mimi Zohar) have some concerns with extending trusted keys to new sources without providing a threat model. The following is based on our internal discussions. > * Threat model > > The strength and appropriateness of TPMs and TEEs for a given purpose > must be assessed when using them to protect security-relevant data. The original Trusted Keys implementation assumed discrete physical TPMs for key protection[1]. However, even physical TPMs themselves vary based on the manufacturer and systems in which they are placed. The embedded chipset, firmware load, algorithms, packaging, pins, and countermeasures vary. (Threats and mitigations on physical TPMs are well documented, e.g., "Threat Model of a Scenario Based on Trusted Platform Module 2.0 Specification” (http://ceur-ws.org/Vol-1011/6.pdf). Extending Trusted Keys to support new trust sources needs to provide consumers of these new sources enough information so that they can create their own threat models tailored to their use cases. Just as each new LSM needs to comply with Documentation/security/lsm- development.rst, we recommend each new source should provide a high- level threat model. We suggest documenting environmental assumptions and dependencies in a high-level threat model for each additional trust source. An example of a high-level threat model is "Common Security Threats v1.0” ( https://www.opencompute.org/documents/common-security-threats-notes-1-pdf ). Thank you, Elaine (and Mimi) [1] Specific to Trusted Keys and TPMs, there is some discussion of threats and mitigations in the Integrity_overview.pdf on the IMA wiki: "The trusted key component does two things to help with secure key management on Linux. First, it provides a kernel key ring service in which the symmetric encryption keys are never visible in plain text to userspace. The keys are created in the kernel, and sealed by a hardware device such as a TPM, with userspace seeing only the sealed blobs. Malicious or compromised applications cannot steal a trusted key, since only the kernel can see the unsealed blobs. Secondly, the trusted keys can tie key unsealing to the integrity measurements, so that keys cannot be stolen in an offline attack, such as by booting an unlocked Linux image from CD or USB. As the measurements will be different, the TPM chip will refuse to unseal the keys, even for the kernel."
On Tue, Dec 08, 2020 at 10:02:57AM -0500, Mimi Zohar wrote: > Hi Jarkko, > > On Fri, 2020-12-04 at 17:30 +0200, Jarkko Sakkinen wrote: > > On Wed, Dec 02, 2020 at 02:34:07PM -0500, gmail Elaine Palmer wrote: > > > Hi Sumit, > > > > > > Thank you for the detailed descriptions and examples of trust sources > > > for Trusted Keys. A group of us in IBM (Stefan Berger, Ken Goldman, > > > Zhongshu Gu, Nayna Jain, Elaine Palmer, George Wilson, Mimi Zohar) > > > have been doing related work for quite some time, and we have one > > > primary concern and some suggested changes to the document. > > > > > > Our primary concern is that describing a TEE as a Trust Source needs > > > to be more specific. For example, "ARM TrustZone" is not sufficient, > > > but "wolfSSL embedded SSL/TLS library with ARM TrustZone > > > CryptoCell-310" is. Just because a key is protected by software > > > running in a TEE is not enough to establish trust. Just like > > > cryptographic modules, a Trust Source should be defined as a specific > > > implementation on specific hardware with well-documented environmental > > > assumptions, dependencies, and threats. > > > > > > In addition to the above concern, our suggested changes are inline > > > below. > > > > In order to give a decent review comment it should have two ingredients: > > > > - Where the existing line of code / text / whatever goes wrong. > > - How it should modified and why that makes sense. And use as plain > > English and non-academic terms as possible, if it is documentation. > > Further, scope is only the kernel implementation, no more or no > > less. > > > > "do this" is not unfortunately an argument. Feedback is welcome when > > it is supported by something common sensse. > > Even after the code is fully debugged, reviewed and tested, our concern > is that people will assume the security guarantees of TEE based trusted > keys to be equivalent to that of a discrete TPM. > > > > > Some meta suggestion of related to email: > > > > Please also use a proper email client and split your paragraphs into > > at most 80 character lines with new line characters when writing email. > > I prefer to use 72 character line length so that there's some space > > for longer email threads. > > Sure, we'll re-post the suggested documentation changes/additions. > > Mimi So. Wouldn't it be a better idea to post a patch that Sumit could squash to his (and add co-developed-by tag)? /Jarkko
On Tue, 2020-12-08 at 19:49 +0200, Jarkko Sakkinen wrote: > On Tue, Dec 08, 2020 at 10:02:57AM -0500, Mimi Zohar wrote: > > > Please also use a proper email client and split your paragraphs into > > > at most 80 character lines with new line characters when writing email. > > > I prefer to use 72 character line length so that there's some space > > > for longer email threads. > > > > Sure, we'll re-post the suggested documentation changes/additions. > > > > Mimi > > So. Wouldn't it be a better idea to post a patch that Sumit could > squash to his (and add co-developed-by tag)? I just posted it on Elaine's behalf. Mimi
On Wed, Dec 09, 2020 at 11:50:19AM -0500, Mimi Zohar wrote: > On Tue, 2020-12-08 at 19:49 +0200, Jarkko Sakkinen wrote: > > On Tue, Dec 08, 2020 at 10:02:57AM -0500, Mimi Zohar wrote: > > > > > Please also use a proper email client and split your paragraphs into > > > > at most 80 character lines with new line characters when writing email. > > > > I prefer to use 72 character line length so that there's some space > > > > for longer email threads. > > > > > > Sure, we'll re-post the suggested documentation changes/additions. > > > > > > Mimi > > > > So. Wouldn't it be a better idea to post a patch that Sumit could > > squash to his (and add co-developed-by tag)? > > I just posted it on Elaine's behalf. > > Mimi I responded. It's good that this feedback came as I think the whole thing does not have the correct label for it. /Jarkko
On Fri, 2020-12-11 at 12:36 +0200, Jarkko Sakkinen wrote: > On Wed, Dec 09, 2020 at 11:50:19AM -0500, Mimi Zohar wrote: > > On Tue, 2020-12-08 at 19:49 +0200, Jarkko Sakkinen wrote: > > > On Tue, Dec 08, 2020 at 10:02:57AM -0500, Mimi Zohar wrote: > > > > > > > Please also use a proper email client and split your paragraphs into > > > > > at most 80 character lines with new line characters when writing email. > > > > > I prefer to use 72 character line length so that there's some space > > > > > for longer email threads. > > > > > > > > Sure, we'll re-post the suggested documentation changes/additions. > > > > > > > > > > So. Wouldn't it be a better idea to post a patch that Sumit could > > > squash to his (and add co-developed-by tag)? > > > > I just posted it on Elaine's behalf. > > > > I responded. It's good that this feedback came as I think the whole > thing does not have the correct label for it. Every HW is going to want to add "trusted keys" support. We've seen this with Udit Agarwal's "secure keys" proposal for NXP CAAM crypto HW accelerator. If we go down this route to extend "trusted keys" to support specific implementations like this one, I strongly recommend requiring an accompaying high-level threat model. This is similar to how new LSMs need to comply with Documentation/security/lsm- development.rst. Based on Elaine's work with OCP, an example of a high-level threat model is "Common Security Threats v1.0” ( https://www.opencompute.org/documents/common-security-threats-notes-1-pdf ). thanks, Mimi
diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst index 1da879a..16042c8 100644 --- a/Documentation/security/keys/trusted-encrypted.rst +++ b/Documentation/security/keys/trusted-encrypted.rst @@ -6,30 +6,161 @@ Trusted and Encrypted Keys are two new key types added to the existing kernel key ring service. Both of these new types are variable length symmetric keys, and in both cases all keys are created in the kernel, and user space sees, stores, and loads only encrypted blobs. Trusted Keys require the availability -of a Trusted Platform Module (TPM) chip for greater security, while Encrypted -Keys can be used on any system. All user level blobs, are displayed and loaded -in hex ascii for convenience, and are integrity verified. +of a Trust Source for greater security, while Encrypted Keys can be used on any +system. All user level blobs, are displayed and loaded in hex ascii for +convenience, and are integrity verified. -Trusted Keys use a TPM both to generate and to seal the keys. Keys are sealed -under a 2048 bit RSA key in the TPM, and optionally sealed to specified PCR -(integrity measurement) values, and only unsealed by the TPM, if PCRs and blob -integrity verifications match. A loaded Trusted Key can be updated with new -(future) PCR values, so keys are easily migrated to new pcr values, such as -when the kernel and initramfs are updated. The same key can have many saved -blobs under different PCR values, so multiple boots are easily supported. -TPM 1.2 -------- +Trust Source +============ -By default, trusted keys are sealed under the SRK, which has the default -authorization value (20 zeros). This can be set at takeownership time with the -trouser's utility: "tpm_takeownership -u -z". +Trust Source provides the source of security for the Trusted Keys, on which +basis Trusted Keys establishes a Trust model with its user. A Trust Source could +differ from one system to another depending on its security requirements. It +could be either an off-chip device or an on-chip device. Following section +demostrates a list of supported devices along with their security properties/ +guarantees: -TPM 2.0 -------- + * Root of trust for storage -The user must first create a storage key and make it persistent, so the key is -available after reboot. This can be done using the following commands. + (1) TPM (Trusted Platform Module: hardware device) + + Rooted to Storage Root Key (SRK) which never leaves the TPM that + provides crypto operation to establish root of trust for storage. + + (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone) + + Rooted to Hardware Unique Key (HUK) which is generally burnt in on-chip + fuses and is accessible to TEE only. + + * Execution isolation + + (1) TPM + + Fixed set of operations running in isolated execution environment. + + (2) TEE + + Customizable set of operations running in isolated execution + environment verified via Secure/Trusted boot process. + + * Optional binding to platform integrity state + + (1) TPM + + Keys can be optionally sealed to specified PCR (integrity measurement) + values, and only unsealed by the TPM, if PCRs and blob integrity + verifications match. A loaded Trusted Key can be updated with new + (future) PCR values, so keys are easily migrated to new PCR values, + such as when the kernel and initramfs are updated. The same key can + have many saved blobs under different PCR values, so multiple boots are + easily supported. + + (2) TEE + + Relies on Secure/Trusted boot process for platform integrity. It can + be extended with TEE based measured boot process. + + * On-chip versus off-chip + + (1) TPM + + Off-chip device connected via serial bus (like I2C, SPI etc.) exposing + physical access which represents an attack surface that can be + mitigated via tamper detection. + + (2) TEE + + On-chip functionality, immune to this attack surface. + + * Memory attacks (DRAM based like attaching a bus monitor etc.) + + (1) TPM + + Immune to these attacks as it doesn’t make use of system DRAM. + + (2) TEE + + An implementation based on TrustZone protected DRAM is susceptible to + such attacks. In order to mitigate these attacks one needs to rely on + on-chip secure RAM to store secrets or have the entire TEE + implementation based on on-chip secure RAM. An alternative mitigation + would be to use encrypted DRAM. + + * Side-channel attacks (cache, memory, CPU or time based) + + (1) TPM + + Immune to side-channel attacks as its resources are isolated from the + main OS. + + (2) TEE + + A careful implementation is required to mitigate against these attacks + for resources which are shared (eg. shared memory) with the main OS. + Cache and CPU based side-channel attacks can be mitigated via + invalidating caches and CPU registers during context switch to and from + the secure world. + To mitigate against time based attacks, one needs to have time + invariant implementations (like crypto algorithms etc.). + + * Resistance to physical attacks (power analysis, electromagnetic emanation, + probes etc.) + + (1) TPM + + Provides limited protection utilizing tamper resistance. + + (2) TEE + + Provides no protection by itself, relies on the underlying platform for + features such as tamper resistance. + + +Key Generation +============== + +Trusted Keys +------------ + +New keys are created from trust source generated random numbers, and are +encrypted/decrypted using trust source storage root key. + + * TPM (hardware device) based RNG + + Strength of random numbers may vary from one device manufacturer to + another. + + * TEE (OP-TEE based on Arm TrustZone) based RNG + + RNG is customizable as per platform needs. It can either be direct output + from platform specific hardware RNG or a software based Fortuna CSPRNG + which can be seeded via multiple entropy sources. + +Encrypted Keys +-------------- + +Encrypted keys do not depend on a trust source, and are faster, as they use AES +for encryption/decryption. New keys are created from kernel generated random +numbers, and are encrypted/decrypted using a specified ‘master’ key. The +‘master’ key can either be a trusted-key or user-key type. The main disadvantage +of encrypted keys is that if they are not rooted in a trusted key, they are only +as secure as the user key encrypting them. The master user key should therefore +be loaded in as secure a way as possible, preferably early in boot. + + +Usage +===== + +Trusted Keys usage: TPM +----------------------- + +TPM 1.2: By default, trusted keys are sealed under the SRK, which has the +default authorization value (20 zeros). This can be set at takeownership time +with the TrouSerS utility: "tpm_takeownership -u -z". + +TPM 2.0: The user must first create a storage key and make it persistent, so the +key is available after reboot. This can be done using the following commands. With the IBM TSS 2 stack:: @@ -78,14 +209,21 @@ TPM_STORED_DATA format. The key length for new keys are always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit within the 2048 bit SRK (RSA) keylength, with all necessary structure/padding. -Encrypted keys do not depend on a TPM, and are faster, as they use AES for -encryption/decryption. New keys are created from kernel generated random -numbers, and are encrypted/decrypted using a specified 'master' key. The -'master' key can either be a trusted-key or user-key type. The main -disadvantage of encrypted keys is that if they are not rooted in a trusted key, -they are only as secure as the user key encrypting them. The master user key -should therefore be loaded in as secure a way as possible, preferably early in -boot. +Trusted Keys usage: TEE +----------------------- + +Usage:: + + keyctl add trusted name "new keylen" ring + keyctl add trusted name "load hex_blob" ring + keyctl print keyid + +"keyctl print" returns an ascii hex copy of the sealed key, which is in format +specific to TEE device implementation. The key length for new keys are always +in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). + +Encrypted Keys usage +-------------------- The decrypted portion of encrypted keys can contain either a simple symmetric key or a more complex structure. The format of the more complex structure is @@ -103,8 +241,8 @@ Where:: format:= 'default | ecryptfs | enc32' key-type:= 'trusted' | 'user' - Examples of trusted and encrypted key usage: +-------------------------------------------- Create and save a trusted key named "kmk" of length 32 bytes. @@ -150,7 +288,7 @@ Load a trusted key from the saved blob:: f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b e4a8aea2b607ec96931e6f4d4fe563ba -Reseal a trusted key under new pcr values:: +Reseal (TPM specific) a trusted key under new PCR values:: $ keyctl update 268728824 "update pcrinfo=`cat pcr.blob`" $ keyctl print 268728824 @@ -164,11 +302,12 @@ Reseal a trusted key under new pcr values:: 7ef6a24defe4846104209bf0c3eced7fa1a672ed5b125fc9d8cd88b476a658a4434644ef df8ae9a178e9f83ba9f08d10fa47e4226b98b0702f06b3b8 + The initial consumer of trusted keys is EVM, which at boot time needs a high -quality symmetric key for HMAC protection of file metadata. The use of a +quality symmetric key for HMAC protection of file metadata. The use of a trusted key provides strong guarantees that the EVM key has not been -compromised by a user level problem, and when sealed to specific boot PCR -values, protects against boot and offline attacks. Create and save an +compromised by a user level problem, and when sealed to a platform integrity +state, protects against boot and offline attacks. Create and save an encrypted key "evm" using the above trusted key "kmk": option 1: omitting 'format'::