One of the new features of Linux Plumbers Conference this year was the TPM Microconference, which facilitated great discussions both in the session itself and in the hallways. Quite a bit of discussion was generated by the Beginner’s Guide to the TPM talk I gave, mostly because I blamed the Trusted Computing Group for the abject failure to adopt TPMs for anything citing the incredible complexity of their stack.
The main thing that came out of this discussion was that a lot of this stack complexity can be hidden from users and we should concentrate on making the TPM “just work” for all cryptographic functions where we have parallels in the existing security layers (like the keystore). One of the great advantages of the TPM, instead of messing about with USB pkcs11 tokens, is that it has a file format for TPM keys (I’ll explain this later) which can be used directly in place of standard private key files. However, before we get there, lets discuss some of the basics of how your TPM works and how to make use of it.
Note that all of what I’m saying below applies to a 1.2 TPM (the type most people have in their laptops) 2.0 TPMs are now appearing on the market, but chances are you have a 1.2.
A TPM is traditionally delivered in your laptop in an uninitialised state. In older laptops, the TPM is traditionally disabled and you usually have to find an entry in the BIOS menu to enable it. In more modern laptops (thanks to Windows 10) the TPM is enabled in the bios and ready for the OS install to make use of it. All TPMs are delivered with one manufacturer set key called the Endorsement Key (EK). This key is unique to your TPM (like an identifying label) and is used as part of the attestation protocol. Because the EK is a unique label, the attestation protocol is rather complex involving a so called privacy CA to protect your identity, but because it isn’t necessary to use the TPM as a secure keystore, I won’t cover it further.
The other important key, which you have to generate, is called the Storage Root Key. This key is generated internally within the TPM once somebody takes ownership of it. The package you need to begin using the tpm is tpm-tools, which is packaged by most distros. You must also have the Linux TSS stack trousers installed (just installing tpm-tools will often pull this in) and have the tcsd part of trousers running (usually systemctl start tcsd; systemctl enable tcsd). I tend to configure my TPM with an owner password (for things like resetting dictionary attacks) but a well known storage root key authority. To do this from a fully cleared and enabled TPM, execute
And give your chosen owner password when prompted. If you get an error, chances are you need to go back to the BIOS menu and actively clear and reset the TPM (usually under the security options).
Aside about Authority and the Trusted Security Stack
To the TPM, an “authority” is a 20 byte number you use to prove you’re allowed to manipulate whatever object you’re trying to use. The TPM typically has a well known way of converting typed passwords into these 20 byte codes. The way you prove you know the authority is to add a Hashed Message Authentication Code (HMAC) to your TPM command. This means that the hash can only be generated by someone who knows the authority for the object, but anyone seeing the hash cannot derive the authority from it. The utility of this is that the trousers library (tspi) generates the HMAC before the TPM command is passed to the central daemon (tcsd) meaning that nothing except you and the TPM know the authority
The final thing about authority you need to know is that the TPM has a concept of “well known authority” which simply means supply 20 bytes of zeros. It’s kind of paradoxical to have a secret everyone knows, however, there are reasons for this: For most objects in the TPM whether you require authority to use them is optional, but for some it is mandatory. For objects (like the SRK) where authority is mandatory, using the well known authority is equivalent to saying actually I don’t need authorization for this object.
The Storage Root Key (SRK)
Once you’ve generated this above, the TPM keeps the secret part permanently hidden, but can be persuaded to give anyone the public part. In TPM 1.2, the SRK is a RSA 2048 key. On most modern TPMs, you have to tell the tpm you want anyone to be able to read the public part of the storage root key, which you do with this command
You’ll get prompted for the owner password. Once you execute this command, anyone who knows the SRK authority (which you’ve set to be well known) is allowed to read the public part.
Why all this fuss about SRK authorization? Well, traditionally, the TPM is designed for use in a hostile multi-user environment. In the relaxed, no authorization, environment I’ve advised you to set up, anyone who knows the SRK can upload any storage object (like a key or protected blob) into the TPM. This means, since the TPM has very limited storage, that they could in theory do a DoS attack against the TPM simply by filling it with objects. On a laptop where there’s only one user (you) this is not usually a concern, hence the advice to use a well known authority, which makes the TPM much easier to use.
The way external objects (like keys or data blobs) are uploaded into the TPM is that they all have a parent (which must be a storage key) and they are encrypted to the public part of this key (in TPM parlance, this is called wrapping). The TPM can have deep key hierarchies (all eventually parented to the SRK), but for a laptop, it makes sense simply to use the SRK as the only storage key and wrap everything for it as the parent. Now here’s the reason for the well known authority: to upload an object into the TPM, it not only needs to be wrapped to the parent key, you also need to use the parent key authority to perform the upload. The object you’re using also has a separate authority. This means that when you upload and use a key, if you’ve set a SRK password, you’ll end up having to type both the SRK password and the key password pretty much every time you use it, which is a bit of a pain.
The tools used to create wrapped keys are found in the openssl_tpm_engine package. I’ve done a few patches to make it easier to use (mostly by trying well known authority first before asking for the SRK password), so you can see my patched version here. The first thing you can do is take any PEM key file you have and wrap it for your tpm
create_tpm_key -m -w test.key test.tpm.key
This creates a TPM key file test.tpm.key containing a wrapped key for your TPM with no authority (to add an authority password, use the -a option). If you cat the test.tpm.key file, you’ll see it looks like a standard PEM file, except the guards are now
-----BEGIN TSS KEY BLOB----- -----END TSS KEY BLOB-----
This key is now wrapped for your TPM’s SRK and would only be usable on your laptop. If you’re fortunate enough to be using an application linked with gnutls, you can simply use this key with the URI tpmkey:file=<path to test.tpm.key>. If you’re using openssl, you need to patch it to get it to use TPM keys easily (see below).
The ideal, however, would be since these are PEM files with unique guards, any ssl provider should simply recognise the guards and load the key into the TPM This means that in order to use a TPM key, you take a standard PEM private key file, transform it into a TPM key file and then simply copy it back to where the original key file was being used from and voila! you’re using a TPM based key. This is what the openssl patches below do.
Getting TPM keys to “just work” with openssl
In openssl, external encryption processors, like the TPM or USB keys are used by things called engines. The engine you need for the TPM is also in the openssl_tpm_engine package, so once you’ve installed that package, the engine is available. Unfortunately, openssl doesn’t naturally use a particular engine unless told to do so (most of the openssl tools have a -engine option for this). However, having to specify the engine in every application somewhat spoils the “just works” aspect we’re looking for, so the openssl patches here allow an engine to specify that it knows how to parse a PEM file and can load a key from it. This allows you simply to replace the original key file with a TPM protected key file and have your application continue working with it.
As a demo of the usefulness, I’m using it on my current laptop with all my VPN keys. It is also possible to use it with openssh keys, since they’re standard PEM files. However, the way openssh works with agents means that the agent cannot handle the keys and you have to type the password (if you set one one the key) each time you use it.
It should be noted that the idea of having PEM based TPM keys just work in openssl is encountering resistance. However, it does just work in gnutls (provided you change the file name to be a tpmkey:file= URL).
Conclusions (or How Well is it Working?)
As I said above, I’m currently using this scheme for my openvpn and ssh keys. I have to confess, since I use openssh a lot, I got very tired of having to type the password on every ssh operation, so I’ve gone back to using non-TPM based keys which can be handled by the agent. Fixing this is on my list of things to look at. However, I still am using TPM based keys for my openvpn.
Even for openvpn, though there are hiccoughs: the trousers daemon, tcsd, crashes periodically on my platform. When it does, the vpn goes down (because the VPN needs a key based authentication transaction every hour to rotate the symmetric encryption keys). Unfortunately, just restarting tcsd isn’t enough because the design of trousers doesn’t seem to be robust to this failure (even though the tspi part linked with the application could recreate all the keys), so the VPN itself must be restarted when this happens, which makes it rather user unfriendly. Fixing trousers to cope with tcsd failure is also on my list of things to fix …