
      If the attacker exploits one vulnerability in the boot chain, they can get your keys and be able to decrypt your data forever (until the key is changed). This is no more secure than not having full disk encryption enabled at all because in either case, one exploit means the attacker has access to the data.

      I’m not a fan of TPM since it seems to be a transparent ploy to push corporate attestation interests clothed in the guise of improved security, but this claim seems trivially false. If you don’t have full disk encryption an attacker can remove your disk and plug it into another system to get whatever data they want out of it. The post talks a lot about threat modeling but then it doesn’t actually specify what threats they’re analyzing; does this mean they don’t consider “your laptop got stolen” to count as a valid threat?

      My very first question upon reading the description of how it worked was “how does it protect against replay attacks” and then after reading the Appendix, apparently the answer is “it just doesn’t lol”.


        I gave up halfway down for similar reasons. Yes, you have to trust everything in your boot chain, but you also get attestation for it. If I replace GRUB with EvilLoader, the PCR values change and so my OS image will not be able to access the disk.

        The biggest problem with TPM (which Caliptra mostly addresses) is that the CPU can lie to it. You have two choices for most TPM implementations (unless you have an AMD chip with Pluton):

        • An external TPM that is connected via a serial interface. This can’t inspect CPU state and has to trust that the CPU is in the correct state. You can interpose on this and just straight-up lie to the TPM, if you have a recording of a valid boot sequence.
        • A firmware TPM. This runs on the main CPU in a special privilege mode and so has a secure path to the CPU but is vulnerable to side channels.

        The correct solution is to have the TPM as a separate block in package (ideally on die) but that’s rare. Xbox and Macs do this and have much better security as a result. A few Windows laptops with AMD chips use Pluton to run the TPM stack and get similar guarantees.

        There isn’t a threat model in the TPM spec because the TPM is not a complete system. The use of the TPM for full disk encryption, Windows Hello, or SSH key storage needs threat models. The hardware provides a set of properties that you can then use to evaluate these threat models.

        In most cases the threat model is that an attacker able to execute arbitrary code in ring 0 aims to exfiltrate the keys. The TPM does quite well here, if used correctly (keys held in the TPM and derived from the combination of PCR values and data provided by the kernel, such as a user’s password hash). The TPM isn’t the only part of such a system and a threat analysis needs to cover all of it.
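The mechanism the comment above relies on (PCR values change when GRUB is swapped for EvilLoader, and a disk key bound to PCR state plus a user secret then stops unlocking) can be modelled in a few lines. The following is an added example, not code from the thread or from any TPM stack: it simulates a single SHA-256 PCR bank with the TPM2 extend rule and uses an HMAC over the final PCR value and a PBKDF2-stretched password as a stand-in for sealing (a real TPM keeps the key inside the chip and releases it only when a PCR policy is satisfied). The boot component names, salt and password are constructed.

```python
import hashlib
import hmac

# Added example, not code from the thread. Toy model of a measured boot:
# every boot component is hashed into one PCR, and the disk key is bound to
# the final PCR value plus a user secret, as the comment describes.

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes at reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Extend the PCR with every component, in boot order."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def derive_disk_key(pcr: bytes, password: str, salt: bytes) -> bytes:
    """Stand-in for TPM sealing: the key depends on PCR state and user secret.

    A real TPM would hold the key and gate its release on a PCR policy;
    here HMAC(pcr, stretched_password) plays that role.
    """
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(pcr, pw_hash, hashlib.sha256).digest()


def try_unlock(components, password: str, salt: bytes, sealed_key: bytes) -> bool:
    """Re-measure the chain and check whether the derived key still matches."""
    key = derive_disk_key(measure_boot_chain(components), password, salt)
    return hmac.compare_digest(key, sealed_key)


# Constructed boot chains (firmware, bootloader, kernel) and user secret
GOOD_CHAIN = [b"firmware-v1", b"GRUB", b"kernel-6.x"]
EVIL_CHAIN = [b"firmware-v1", b"EvilLoader", b"kernel-6.x"]
SALT = b"constructed-salt"
PASSWORD = "correct horse"


def demo() -> dict:
    """Seal against the honest chain, then attempt three unlocks."""
    sealed = derive_disk_key(measure_boot_chain(GOOD_CHAIN), PASSWORD, SALT)
    return {
        "honest_boot": try_unlock(GOOD_CHAIN, PASSWORD, SALT, sealed),
        "evil_loader": try_unlock(EVIL_CHAIN, PASSWORD, SALT, sealed),
        "wrong_password": try_unlock(GOOD_CHAIN, "wrong", SALT, sealed),
    }


if __name__ == "__main__":
    print(demo())
```

Only the honest chain with the right password unlocks; a different bootloader changes every later PCR value because extend is chained, and the password term means a ring-0 attacker who can read PCR state still lacks an input. The model also makes the comment's caveat visible: it assumes the measurements fed to `pcr_extend` are truthful, which is exactly what a bus-attached TPM cannot verify about the CPU.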