Enhancing Systemd Security Using TPM 2.0 - Bill Roberts, ARM
A TPM 2.0 device is a cryptographic device used for storing cryptographic keys and secrets, and it serves as the root of trust for reporting in attestation. Version 248 of systemd added initial integration for protecting LUKS volumes with a TPM-protected disk encryption key (DEK). The actual bytes of the DEK are retrieved from the TPM device, as this allows systemd to pass the key to LUKS for unlocking. The initial implementation used the cleartext protocol to retrieve the DEK from the TPM, so a man-in-the-middle (MiTM) attack on the communication channel, perhaps an I2C bus, is possible and has been demonstrated in the "TPM Genie" attacks. In version 251, session integrity and encryption support was enabled to protect the DEK over the communication channel; however, it was enabled incorrectly and was still subject to MiTM attacks. This presentation will cover how incorrect use of TPM 2.0 session protections can still result in security issues, how to properly enable sessions, the types of sessions, and other supporting features of the TPM 2.0 device, with API examples.