Yeah, so, great. So, my name is Kornel. I'm from Kraków, Poland. I work for Semihalf and I'm also a student at the Jagiellonian University, currently pursuing my master's degree. I'm going to talk about improving the security of FreeBSD with various cryptography-related hardware features, such as TPM 2.0, the Trusted Platform Module, and Intel SGX.

The presentation is split into four parts: a TPM overview, two TPM-related features (measured boot and strongSwan integration), and then I'm going to end with an overview of SGX.

So let's start with the TPM. For years now we've been offloading cryptographic operations to various hardware designed especially for that, whether it's a smart card or an HSM; it depends on whether you are enterprise level or consumer grade, I guess. HSMs, hardware security modules, are designed to be secure storage for digital keys. They usually have their own onboard key generation, with their own RNG, and they have some kind of protection against physical tampering. Usually they are attached to the computer over a PCI Express lane, I guess. So there's that.

TPMs, I kind of want to say, are smaller versions of HSMs. They are significantly cheaper; TPMs can be bought for a couple of bucks, and therefore they can be significantly more popular. They are usually attached to an I2C bus or LPC. They don't have internet access, so that's great. So, yeah, they're cheap, and their resources are available through an API. This is the basic idea: you can, let's say, create an RSA key, and that key can only be used to sign certain things; it can't be read directly. That's the basic idea behind smart cards and also TPMs. TPMs have their own RNG for safe key generation. The sad part is that the standard specifies that it can be a deterministic RNG; it only has to be seeded at manufacturing time with a value unknown to the manufacturer.
So that's that again: cheap has its price. Also, all TPMs have anti-hammering restrictions, which basically means that if you try to break the passwords with dictionary attacks, then at some point you'll get locked out. And it's also supposed to be built to prevent physical tampering; I'll talk about it more later.

Another way of implementing TPMs is, instead of having a discrete chip attached to your motherboard, to have it implemented in firmware. Obviously it has to run in some sort of separation from the rest of the system to make sense. It's much faster than the discrete TPMs, which are usually 16-bit based, since it just runs on your main CPU. It is implemented widely as a part of the Management Engine on Intel, and there's a version from AMD, but obviously it needs to be supported in your BIOS. It usually is; it's present on most modern PCs.

So what are the use cases for TPMs? Well, it can just be used as a smart card for generating digital signatures for your SSH client: you can put your private keys in, or generate private keys with, your TPM and then use it to log into your SSH servers. It can be used for IPsec with strongSwan, which I'm going to talk about later, for two-factor, in GPG, just as your normal smart card. Another thing is measured boot, where basically you measure various components of the system, from early boot through firmware to the OS, and based on those measurements you can then do remote attestation and things. Also, it is used for BitLocker and LUKS; GELI is not supported, unfortunately. And another thing that is kind of unpopular, but which I find a fine use case, is secure storage of certificates. TPMs come with a small NVRAM, usually a couple of kilobytes, and you can put CAs there to make sure that their integrity is good, I guess.

So what are the authorization methods in the TPM?
Basically, if you have an object there, you have to authenticate, because otherwise it doesn't make much sense. Each object belongs to some hierarchy: there is the platform hierarchy, the owner hierarchy and the endorsement hierarchy, and basically each object has its own parent. You can create a password for each hierarchy, and that's the basics. Then there are just passphrases for each object. Also, you can make fairly complex rules with something called enhanced authorization in TPM 2.0. That's a new thing; it's also fairly recent within the standard. Different assertions can be combined with ANDs and ORs. So what are those assertions? Well, it can be a password, just a passphrase like the previous thing. It can be an HMAC, which is essentially a pre-shared key, a secret that is shared with the TPM. It can be the state of the PCRs, the platform control registers. These are connected with the machine boot: basically a PCR stores a concatenation of hashes, and based on their state you can allow access to a certain object or not. There is also physical presence, but it's very complex to implement and it's not really popular. There are other similar things such as counters, and the TPM has an internal clock, so we can also use that, I guess.

So what are the caveats of TPMs? Well, the software support is not all that great. The whole technology is fairly new and very few applications support it: strongSwan, there are SSH clients that also do that, but not much else. Also, all these TPMs, pretty much all of them, have different pinout configurations. I checked three computers at the office; all of them had different headers and none of those headers matched the chip that we've got. So, yeah, that was fun. Also, the discrete chips are terribly slow. I've measured that generating a signature using an RSA 2048 key takes about a tenth of a second.
So, I mean, it's a smart card basically, so you can't expect much, I guess. And there is at least one documented physical attack on a TPM, where basically a guy used a microscope to take apart the TPM and listen in on its internal communication. So that's great; I recommend you watch his video. There's a video of the presentation from Black Hat 2010. And another thing: when you use a firmware implementation of a TPM, we essentially have to trust whoever wrote that implementation. So there's the question of whether you trust Intel with their Management Engine, or AMD, or whoever your implementation was written by.

So what is the state of TPM in FreeBSD? Well, the TPM 1.2 driver is very old. The 2.0 driver was developed in the company I work for; I wrote it last year. It only supports the LPC bus. We didn't really have a platform to test it on, so actually I only tested it with a single TPM chip, because we didn't have anything else. So yes, there's that, but in theory the driver should work with other chips, because it's standardized, but, you know, I haven't run it.

So let's go to the second part. It's going to be about measured boot, a practical use case of the TPM. So what is measured boot?
Well, every time you load a critical part of your system, that image is hashed, and then that hash is stored in something called a PCR, a platform control register. They can only be read or extended, that's the basic thing, and they all have to be zeroed during reboot, obviously. The extend operation goes as follows: you take the current value of the PCR and do incremental hashing by concatenating the hash of the image, and you have that. Very simple, I think.

Another problem was that we have a bunch of PCRs, usually around 24 per system, and we kind of want to standardize what we measure in each PCR, and the problem is who should standardize that: should it be in UEFI or in an OS specification? So basically the specification came from the same organization that made the TPM standard, but it's cross-referenced in the UEFI specification, and it more or less tells you which PCR stores information about which part of the system. As you can see, we measure things from pretty early boot times; we measure pretty much everything, including UEFI images and drivers. So each time something changes, the entire hash is supposed to change. The part about the kernel is completely unstandardized. Only the first eight, the PCRs from zero to seven, are somehow standardized, but you're still relying on your firmware implementation to follow the standard. So it may vary.

So, event log. We might want to tie the security of the system to a certain hash, and it's not really convenient, because if we change the order of the things that are loaded, then the hash will obviously change.
Also, we might want to load a kernel module that is optional, so if we don't load it, or if we load it, the hash will also change. So it's not really convenient, and because of that, as a part of UEFI, the so-called event log was created. UEFI creates an event log entry for each extend operation, and basically every entry of that event log contains a distinct name of the image that was hashed, usually a path to a file or something like that, the PCR number, and its hash, obviously. The basic idea is that one can later compare the log entries against a database of trusted values, which is by far more convenient than just relying on a hard-coded hash, and then you can replay the event log to make sure that it has correct entries against the signed PCRs. There is something called a quote operation, where basically you take all of the PCRs and you sign their values with a private key. So you can just do a standard certificate-based verification.

Currently FreeBSD can't really extend a PCR; there's no support for that. I mean, the kernel and the loader can't do that. You can do that from user space, but I don't really think that it makes much sense at this point. However, UEFI measures every binary that is loaded using the LoadImage and StartImage calls, so at least boot1 and loader are measured already. So we have that, and loader could easily be extended to measure the kernel and other parts it loads; there is a protocol in UEFI boot services which can be used for that, and I think that's fairly simple.

So now I'm going to talk about remote attestation, which is pretty much the most important part of measured boot. Basically you want to present the state of our machine to another PC over the network. We want to prove that our machine runs
good, trusted firmware and an OS. So basically we just send the event log together with the signed PCR values from the quote operation. About the signature from the quote operation: every TPM comes with something called an endorsement key, which is basically a certificate signed by its manufacturer, so it can be Infineon or whoever made the TPM, and it can be used indirectly to establish trust in the quote operation. So now, with the event log and the signed PCR values, the remote machine can verify the integrity of our firmware, and maybe even the OS, if that's supported. And it works with strongSwan; strongSwan, for those of you who don't know, is an IPsec client. It can be used to establish IPsec tunnels, but it only works on Linux because it uses IMA. So yeah, there's that.

So I've talked about why measured boot is a fine security feature. Now I'm going to tell you why it doesn't really work. I mean, it can be patched, but someone found a very serious vulnerability. When we either go to sleep or hibernate, the TPM loses its power; you can't do anything about that. So the PCRs are supposed to be preserved in NVRAM. The TPM has that ability, and people thought about it and it was designed in. But the TPM needs to be informed whether we are going to sleep or to reboot, in which case the PCRs need to be reset to zero, and unfortunately it has to be informed by the OS. So, you know, you can modify the driver, boot your own OS, the PCRs now should have wrong values, right? But then you can just go to sleep and tell the TPM that we are about to reboot. So the PCRs are now reset, you can spoof the current values, and you've just broken measured boot. But it's fixable in firmware and most of the firmware should have it fixed already; I mean, the CVE is from 2018. So it might depend. Yes, you're right; if you're running an enterprise-grade system, then it should have its firmware updated. But there is that.

So that's it about measured boot.
I'm now going to talk about strongSwan. As I said earlier, strongSwan is a piece of software that can do IKE, Internet Key Exchange, and basically establish IPsec tunnels, and the authentication can be done either by using PSK, pre-shared keys, or with your standard certificate with a chain of certificates. If you are authenticating using the certificate-based method, basically what happens is that you take a message, you sign it with the private key, and then you send it to the other side, I guess.

So what we want to do now is to use the TPM basically as a smart card. We want to store the private keys, generate them using the TPM, and generate the certificate out of the key that way. What it gives us is that even if the computer is compromised, the private key should never leak. I mean, someone might use it to sign some things, but it's significantly better than the private key being leaked altogether, I guess. So, yeah, it keeps the key with a certificate that's used in IKE, and the access can only be protected with a passphrase, unfortunately, and that passphrase can only be stored in clear text in the configuration, or you can be prompted for it. So that's kind of unfortunate, but that's everything that strongSwan supports at the moment.

This is a basic diagram that shows you how it's supposed to work; maybe it's too basic, but yeah. strongSwan issues a signing request with the proper authentication, which just means a passphrase, unfortunately. The TPM does the signing, and then we get the encrypted digest and send it to the other party to authenticate.

So what do you need to even run this?
Configuration. Obviously you need a TPM driver, a TPM 2.0 driver, and it's available in FreeBSD 11.3. And you need something called a TSS, which is basically a user space library that can talk to the TPM. The entire idea is that the driver doesn't really care about the payload; it just passes bytes from user space to the TPM itself, and the entire construction of commands is done in user space. So I think that's pretty nice.

So the TSS: there are two libraries, one developed by Intel, the other by IBM. I personally think that the Intel one is more mature, but both are pretty much in development. The Intel one's port is currently, I mean, I think it might have already been reviewed and might have landed, but the last time I checked it was on Phabricator in review. And the other one, it follows POSIX, so I've used it before. Using the Intel one was kind of possible on FreeBSD and it only needed a one-line patch, so that was pretty neat.

So the caveats of this solution. First of all, all of the keys are obviously bound to the TPM that was used to create them, and although there is a mechanism to back up the keys, it's fairly hard to use and undocumented, and it has to be supported by the TSS. So I haven't really used it. I mean, I don't think there might be someone who actually uses it, but I don't know. So both of the TSSs are in development; I mean, they are usable, but they're pretty much in beta version,
I guess I could say. And unfortunately, as I said earlier, pretty much no applications support it. I mean, there are several exceptions, but overall TPM 2.0 is a fairly new technology. So, I mean, I don't know, we may have to wait and it will get better. Oh, and as I said earlier, TPMs are just terribly slow. If you use elliptic curves, it's a little bit better, I don't remember how much better, but it's still slow compared to just doing everything on your CPU. But I guess that's the price of security. And obviously if you use a firmware implementation, then there might be some overhead, but it's not going to be as terrible as the discrete version. So I guess that's it for the TPMs.

So now I want to talk about SGX, Software Guard Extensions. It's another technology done by Intel, and it's supposed to make your PCs more secure, whatever that means. So, yeah, it was developed for Skylake CPUs and newer, I guess, and it introduces new special instructions, because that's what Intel likes to do. The basic idea is that you can run programs in enclaves. Enclaves are separated from the rest of the system by hardware, and from each other. What is kind of really neat in this technology is that it supports interrupts, and therefore it works with the scheduler. If you compare it with ATF on ARM, a kind of similar thing on ARM, that's a big problem there, because if you are in the secure world, ATF on ARM, interrupts are masked, basically.

So SGX. Unfortunately, the enclave memory, the entire memory that will be used by enclaves, has to be reserved by firmware, and therefore it's not accessible otherwise. You just take a slice of memory and you call it the EPC, and basically it can then only be used for SGX. Because of that, it has to be supported in firmware, and pretty much not every BIOS supports it. But the memory management, the swapping, is done in the OS driver.
So if you, let's say, reserve a hundred and twenty-eight megabytes for SGX and then you start running out of that memory, the OS driver can just swap a page out and, yeah, write it to regular memory or even to your disk. The basic idea is that we do transparent encryption of the entire memory that is used for SGX; that includes both data and code. But it's also susceptible to side channel attacks, since data in the CPU cache is not encrypted, probably for performance reasons. It's called the Foreshadow attack: it was proven that you can actually just break SGX, I mean, extract data, by using side channel attacks.

So, OK, everything outside of the enclave is not trusted. That includes the kernel, shared libraries and just everything. So we cannot really use syscalls, because you don't trust the kernel, and also because of that everything has to be linked statically. I think that they were supposed to change that in the new release, SGX 2.0, but it's not really available yet, at least to my knowledge. And because of that, Intel had to provide their own libc and other libraries that can be used within an enclave, and you just link everything statically.

This is an image taken from the Intel white paper, I think, and it's supposed to show why SGX is good, I guess. Basically, it's supposed to significantly reduce the attack surface: if you have an app running in an enclave, then you either have to somehow hack that app that is in the enclave, or maybe there is something wrong with the hardware, but other than that it should be safe.

Another problem is that if you want to run an enclave, before it can be run in production mode with any security features it has to be signed, and by default only Intel-approved enclaves are allowed. So basically you have to enter into a commercial agreement with Intel and have them bless your certificate so you can run your enclave.
So, yeah, the community wasn't really cheerful about that. Intel's reasoning behind this is that with SGX you could basically make undetectable ransomware, malware and all of that stuff, because since enclaves are encrypted, no antivirus can scan them. Oh, and also a huge part of SGX is remote attestation, which also requires some kind of signatures. I mean, it's basically DRM. Oh, sorry, I should repeat the questions. So the question is whether it's for protecting the users or for protecting the manufacturers from the users. And yeah, it's for DRM, I think, mostly. I mean, you could make other stuff than DRM with it, and I will give some examples, but even in the SDK they've made some example programs, and I think that half of them have DRM in the name.

So how do we even launch enclaves? Basically there is a special launch enclave that is used to launch other enclaves, but obviously it verifies their signatures before they can be launched, and the launch enclave itself is verified by the CPU. The way it works is that we have three model-specific registers, special registers that contain a hash of the public key used to sign the launch enclave, which is kind of, I mean, the CPU can verify certificates by itself, which I haven't seen before. Nobody really liked the idea that you have to rely on Intel to launch enclaves in production mode, so they introduced something, I think about a year ago.
It's called Flexible Launch Control. Basically, the registers I talked about earlier, you can use them to build a trust chain that is independent from Intel, which is kind of a basic thing. The registers I talked about earlier can just be overwritten with a hash of your own public key, but it needs to be supported by both firmware and the CPU, obviously. Researching this subject was fairly hard, because there's not much information on the internet, but I think that FLC is only supported in the Xeon E series. So, you know, there is that, and, yeah, your mileage may vary.

So, attestation. It's kind of a little bit similar to the TPM. The idea is that we might want to share a secret between enclaves, over the internet maybe even, and we need to establish whether an enclave can be trusted: whether it runs the code that it claims to run and whether it runs on a genuine Intel CPU. So it uses something that resembles certificate chaining for attestation, and obviously Intel has to issue the CA. I mean, you need to verify whether that enclave runs on an Intel CPU, so it kind of has to be involved somehow, unfortunately. The way it works is that the CPU has some fuses that are burned at manufacturing time, and a private key is derived from those fuses. You can then request Intel to create a certificate for that key, and it should kind of prove that this is a genuine processor manufactured by Intel. And, yeah, obviously it's mostly used for DRM, unfortunately.

So another thing is sealing. Enclaves don't really have any kind of non-volatile storage of their own; they're just a part of the CPU. We might want to preserve some secrets in a secure way, and, as I said, we really don't trust anyone.
So we also have to verify integrity, so we just use AES-GCM to encrypt the secrets and store them on a disk or somewhere externally. The way it works is similar to attestation: basically the CPU has a fuse, Intel fills it during manufacturing, and I think that they claim that they don't know the value of that fuse. The sealing key is supposed to be derived from that fuse and from some of the enclave-related measurements, so that each key is bound to both the code of the enclave and a specific CPU. So all secrets are bound to the CPU, which means that if you want to take an enclave and move it from one computer to another, it shouldn't work, really, but that's part of the design. The interface for that is fairly simple: you just have the SDK and you just do SGX seal and SGX unseal, and the idea is that it does everything for you.

So what are the use cases? Well, you can basically do something similar to the TPM: you can just offload your cryptographic operations. You can also generate private keys, seal them and store them on disk, and later load them and sign stuff, I guess. And, as I said earlier, you can do remote attestation. Another thing that Intel advertises is secure computation on remote machines, where basically you have a cloud, and you have your own software, and you want to protect that software from the rest of the cloud. The cloud can run an enclave, they can present you with an enclave, and then you can run that code in the enclave. And, yeah, here I am. Netflix has their own app on Windows that can be used to watch 4K videos, which works with SGX, and there's a thing for Blu-rays.

So I've talked about DRM quite a lot. Now I'm going to give a better use case. Signal is a communication app that is privacy oriented. So how do we know who uses Signal?
Well, it's basically based on your contact list. The way it works is that it sends hashes of the phone numbers on your contact list to a server, and that server then checks if that person is using Signal. But then those hashes can be inverted, since there are not all that many phone numbers. So the idea is that the server is running in an enclave; then the client can verify that that service is running in an enclave before sharing current secrets. So, yeah, there's that; it's not DRM at least.

And then there is Graphene. This is a fairly new thing. It's supposed to be a kind of library OS, and it's supposed to allow you to run any native Linux binary in an enclave. It has glibc, it has built-in remote attestation, and it was released last week, version 2.1.0. To be honest, I haven't really tried it or worked with it; I just found it and thought that it would be nice to present it here. But, yeah.

So how about SGX support in FreeBSD? The kernel driver was introduced a couple of years ago, and the SDK has also been ported, but it's missing some features. For example, you can't really debug anything on FreeBSD, at least I couldn't do that. And other libraries that Intel wrote for SGX, such as their OpenSSL version, weren't ported. I tried to run the OpenSSL on FreeBSD, but I gave up after a day or two. So, yeah. And I would like to thank Stormshield; they pretty much paid for the entire thing, the development and the research.

Do you have any questions?

So the question is, did Intel make any statement about speculative execution? They claim that all of the side channel attacks are not really of their concern; SGX basically doesn't really protect against anything like that. No, unfortunately, I don't think so.

Sorry, I should repeat the question. So the question was: do you know if any work has been done to support GELI with the TPM? And the answer is that I don't think so. I don't know.
Yeah, go ahead. So the question is, do I know if any people use the TPM on Intel hardware, like with their Management Engine? No, I haven't checked that. I don't know. Any more questions? So I think that's it. Thank you for listening.
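As an added illustration of the measured boot and remote attestation part of the talk above (this is example code written for this page, not part of the talk, of FreeBSD, or of the TPM driver or TSS discussed), the following Python simulates the PCR extend operation, an event log with one entry per extend, a quote over selected PCRs, and the verifier-side replay of the log against an allowlist of known-good component hashes. The PCR numbers (4 for firmware-loaded images, 8 for the kernel and modules), the file names, the sample images, the shared attestation key and the use of an HMAC in place of the TPM's asymmetric quote signature are all assumptions made for the example; a real quote is a signature by a restricted key whose trust is established through the endorsement key.

```python
"""Measured boot: PCR extend, event log replay and a quote check (example code)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

HASH = hashlib.sha256
DIGEST_LEN = HASH().digest_size
PCR_COUNT = 24
PCR_FIRMWARE, PCR_KERNEL = 4, 8          # assumed PCR assignment for this example

# Simplified TCG-style event log entry: (pcr index, image name, image digest)
Event = Tuple[int, str, bytes]


def fresh_pcr_bank() -> List[bytes]:
    """All PCRs are zero after a reset; this is the state firmware starts from."""
    return [bytes(DIGEST_LEN)] * PCR_COUNT


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM extend: new = H(old || digest). PCRs can only be read or extended."""
    return HASH(current + digest).digest()


def measure(bank: List[bytes], log: List[Event], pcr: int, name: str, image: bytes) -> None:
    """Hash an image, extend the chosen PCR with the hash, record the event."""
    digest = HASH(image).digest()
    bank[pcr] = pcr_extend(bank[pcr], digest)
    log.append((pcr, name, digest))


def replay(log: List[Event]) -> List[bytes]:
    """Recompute the PCR bank from the event log alone (verifier side)."""
    bank = fresh_pcr_bank()
    for pcr, _name, digest in log:
        bank[pcr] = pcr_extend(bank[pcr], digest)
    return bank


def quote(bank: List[bytes], pcrs: List[int], nonce: bytes, key: bytes) -> bytes:
    """Stand-in for TPM2_Quote over the selected PCRs and a verifier nonce.
    A real quote is an asymmetric signature by a restricted key chained to the
    endorsement key; an HMAC with a shared key is used so the example runs offline."""
    msg = nonce + b"".join(bank[i] for i in pcrs)
    return hmac.new(key, msg, HASH).digest()


def verify_attestation(log: List[Event], pcrs: List[int], nonce: bytes, q: bytes,
                       key: bytes, allowlist: Dict[str, bytes]) -> bool:
    """(1) the replayed log must reproduce the quoted PCRs, so the log cannot be
    edited behind the TPM's back; (2) every logged component must be a known-good
    image, so load order and optional modules do not break the policy."""
    if not hmac.compare_digest(quote(replay(log), pcrs, nonce, key), q):
        return False
    return all(allowlist.get(name) == digest for pcr, name, digest in log if pcr in pcrs)


# Constructed sample "images" and attestation key for the example; none of this is real data.
ATTEST_KEY = b"example-shared-attestation-key"
GOOD_IMAGES = {
    "/EFI/BOOT/boot1.efi": b"boot1 v1",
    "/boot/loader.efi": b"loader v1",
    "/boot/kernel/kernel": b"kernel v1",
    "/boot/kernel/if_em.ko": b"if_em v1",
    "/boot/kernel/zfs.ko": b"zfs v1",
}
BAD_IMAGES = dict(GOOD_IMAGES, **{"/boot/kernel/kernel": b"kernel v1 + rootkit"})
ALLOWLIST = {name: HASH(img).digest() for name, img in GOOD_IMAGES.items()}
NORMAL_ORDER = list(GOOD_IMAGES)                       # zfs.ko loaded last
ALT_ORDER = NORMAL_ORDER[:3] + NORMAL_ORDER[3:][::-1]  # modules loaded in another order


def boot(order: List[str], images: Dict[str, bytes]) -> Tuple[List[bytes], List[Event]]:
    """Simulate a boot that measures each image into PCR 4 (.efi) or PCR 8 (kernel)."""
    bank, log = fresh_pcr_bank(), []
    for name in order:
        measure(bank, log, PCR_FIRMWARE if name.endswith(".efi") else PCR_KERNEL,
                name, images[name])
    return bank, log


def scenario(order: List[str], images: Dict[str, bytes], forge_log: bool = False) -> bool:
    """Boot, quote, and verify. With forge_log an attacker rewrites the event log
    to show known-good digests while the TPM's PCRs still hold the real ones."""
    bank, log = boot(order, images)
    pcrs, nonce = [PCR_FIRMWARE, PCR_KERNEL], b"verifier-nonce-0001"
    q = quote(bank, pcrs, nonce, ATTEST_KEY)
    if forge_log:
        log = [(pcr, name, ALLOWLIST[name]) for pcr, name, _ in log]
    return verify_attestation(log, pcrs, nonce, q, ATTEST_KEY, ALLOWLIST)


if __name__ == "__main__":
    print("clean boot:        ", scenario(NORMAL_ORDER, GOOD_IMAGES))
    print("reordered modules: ", scenario(ALT_ORDER, GOOD_IMAGES))
    print("tampered kernel:   ", scenario(NORMAL_ORDER, BAD_IMAGES))
    print("tampered + forged: ", scenario(NORMAL_ORDER, BAD_IMAGES, forge_log=True))
```

The two module orders produce different PCR 8 values, so a policy that compares against one hard-coded PCR value would reject the second boot, while the per-entry allowlist accepts both; a kernel image that is not on the allowlist is rejected, and rewriting the log to hide it fails the replay check because the quoted PCRs came from the TPM, not from the log. Note that the nonce is what stops a previously captured quote from being replayed to the verifier.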