Re: [PATCH v8 3/4] doc: trusted-encrypted: updates with TEE as a new trust source

From: Mimi Zohar
Date: Tue Dec 08 2020 - 10:57:12 EST


Hi Sumit, Jarkko,

Re-posting Elaine Palmer's comments, inline below, trimmed and properly
formatted.

On Tue, 2020-11-03 at 21:31 +0530, Sumit Garg wrote:
> Update documentation for Trusted and Encrypted Keys with TEE as a new
> trust source. Following is brief description of updates:
>
> - Add a section to demostrate a list of supported devices along with
> their security properties/guarantees.
> - Add a key generation section.
> - Updates for usage section including differences specific to a trust
> source.
>
> Signed-off-by: Sumit Garg <sumit.garg@xxxxxxxxxx>
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
> ---
> Documentation/security/keys/trusted-encrypted.rst | 203 ++++++++++++++++++----
> 1 file changed, 171 insertions(+), 32 deletions(-)
>
> diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
> index 1da879a..16042c8 100644
> --- a/Documentation/security/keys/trusted-encrypted.rst
> +++ b/Documentation/security/keys/trusted-encrypted.rst
> @@ -6,30 +6,161 @@ Trusted and Encrypted Keys are two new key types added to the existing kernel
> key ring service. Both of these new types are variable length symmetric keys,
> and in both cases all keys are created in the kernel, and user space sees,
> stores, and loads only encrypted blobs. Trusted Keys require the availability
> -of a Trusted Platform Module (TPM) chip for greater security, while Encrypted
> -Keys can be used on any system. All user level blobs, are displayed and loaded
> -in hex ascii for convenience, and are integrity verified.
> +of a Trust Source for greater security, while Encrypted Keys can be used on any
> +system. All user level blobs, are displayed and loaded in hex ascii for
> +convenience, and are integrity verified.
>
> -Trusted Keys use a TPM both to generate and to seal the keys. Keys are sealed
> -under a 2048 bit RSA key in the TPM, and optionally sealed to specified PCR
> -(integrity measurement) values, and only unsealed by the TPM, if PCRs and blob
> -integrity verifications match. A loaded Trusted Key can be updated with new
> -(future) PCR values, so keys are easily migrated to new pcr values, such as
> -when the kernel and initramfs are updated. The same key can have many saved
> -blobs under different PCR values, so multiple boots are easily supported.
>
> -TPM 1.2
> --------
> +Trust Source
> +============
>
> -By default, trusted keys are sealed under the SRK, which has the default
> -authorization value (20 zeros). This can be set at takeownership time with the
> -trouser's utility: "tpm_takeownership -u -z".
> +Trust Source provides the source of security for the Trusted Keys, on which
> +basis Trusted Keys establishes a Trust model with its user.

A trust source provides the source of security for the Trusted
Keys. Whether or not a trust source is sufficiently safe depends on
the strength and correctness of its implementation, as well as the
threat environment for a specific use case. Since the kernel doesn't
know what the environment is, and there is no metric of trust, it is
dependent on the consumer of the Trusted Keys to determine if the trust
source is sufficiently safe.

> A Trust Source could
> +differ from one system to another depending on its security requirements. It
> +could be either an off-chip device or an on-chip device. Following section
> +demostrates a list of supported devices along with their security properties/
> +guarantees:
>
> -TPM 2.0
> --------
> + * Root of trust for storage
>
> -The user must first create a storage key and make it persistent, so the key is
> -available after reboot. This can be done using the following commands.
> + (1) TPM (Trusted Platform Module: hardware device)
> +
> + Rooted to Storage Root Key (SRK) which never leaves the TPM that
> + provides crypto operation to establish root of trust for storage.
> +
> + (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone)
> +
> + Rooted to Hardware Unique Key (HUK) which is generally burnt in on-chip
> + fuses and is accessible to TEE only.
> +
> + * Execution isolation
> +
> + (1) TPM
> +
> + Fixed set of operations running in isolated execution environment.
> +
> + (2) TEE
> +
> + Customizable set of operations running in isolated execution
> + environment verified via Secure/Trusted boot process.
> +
> + * Optional binding to platform integrity state
> +
> + (1) TPM
> +
> + Keys can be optionally sealed to specified PCR (integrity measurement)
> + values, and only unsealed by the TPM, if PCRs and blob integrity
> + verifications match. A loaded Trusted Key can be updated with new
> + (future) PCR values, so keys are easily migrated to new PCR values,
> + such as when the kernel and initramfs are updated. The same key can
> + have many saved blobs under different PCR values, so multiple boots are
> + easily supported.
> +
> + (2) TEE
> +
> + Relies on Secure/Trusted boot process for platform integrity. It can
> + be extended with TEE based measured boot process.
> +
> + * On-chip versus off-chip
> +
> + (1) TPM
> +
> + Off-chip device connected via serial bus (like I2C, SPI etc.) exposing
> + physical access which represents an attack surface that can be
> + mitigated via tamper detection.
> +
> + (2) TEE
> +
> + On-chip functionality, immune to this attack surface.
> +
> + * Memory attacks (DRAM based like attaching a bus monitor etc.)
> +
> + (1) TPM
> +
> + Immune to these attacks as it doesn’t make use of system DRAM.
> +
> + (2) TEE
> +
> + An implementation based on TrustZone protected DRAM is susceptible to
> + such attacks. In order to mitigate these attacks one needs to rely on
> + on-chip secure RAM to store secrets or have the entire TEE
> + implementation based on on-chip secure RAM. An alternative mitigation
> + would be to use encrypted DRAM.
> +
> + * Side-channel attacks (cache, memory, CPU or time based)
> +
> + (1) TPM
> +
> + Immune to side-channel attacks as its resources are isolated from the
> + main OS.
> +
> + (2) TEE
> +
> + A careful implementation is required to mitigate against these attacks
> + for resources which are shared (eg. shared memory) with the main OS.
> + Cache and CPU based side-channel attacks can be mitigated via
> + invalidating caches and CPU registers during context switch to and from
> + the secure world.
> + To mitigate against time based attacks, one needs to have time
> + invariant implementations (like crypto algorithms etc.).
> +
> + * Resistance to physical attacks (power analysis, electromagnetic emanation,
> + probes etc.)
> +
> + (1) TPM
> +
> + Provides limited protection utilizing tamper resistance.
> +
> + (2) TEE
> +
> + Provides no protection by itself, relies on the underlying platform for
> + features such as tamper resistance.
> +

Please add the following topics:

* Provisioning - the trust source's unique and verifiable cryptographic
identity is provisioned during manufacturing

(1) TPM

The unique and verifiable cryptographic identity is the endorsement key
(EK) or its primary seed. A review of the generation of the EK and its
accompanying certificate is part of the Common Criteria evaluation of
the product's lifecycle processes (ALC_*). See "TCG Protection Profile
for PC Client Specific TPM 2" (
https://trustedcomputinggroup.org/resource/pc-client-protection-profile-for-tpm-2-0/
).

(2) TEE

A protection profile for TEEs does not yet exist. Therefore, the
provisioning process that generates the Hardware Unique Key is not
evaluated by an independent third party and is highly dependent on the
manufacturing environment.


* Cryptography

(1) TPM

As part of the TPM's mandatory Common Criteria evaluation, the
correctness of the TPM's implementation of cryptographic algorithms,
the protection of keys, and the generation of random numbers, and other
security-relevant functions must be documented, reviewed, and tested by
an independent third party evaluation agency. It must meet the
requirements of FIPS 140-2, FIPS 140-3, or ISO/IEC 19790:2012.

(2) TEE

Evaluations of cryptographic modules within TEEs are not required, but
some are available for specific implementations within TEEs.


* Interfaces and APIs

(1) TPM

TPMs have well-documented, standardized interfaces and APIs.

(2) TEE

Unless TEEs implement functionality such as a virtual TPM, they have
custom interfaces and APIs.


* Threat model

The strength and appropriateness of TPMs and TEEs for a given purpose
must be assessed when using them to protect security-relevant data.

> +
> +Key Generation
> +==============
> +
> +Trusted Keys
> +------------
> +
> +New keys are created from trust source generated random numbers, and are
> +encrypted/decrypted using trust source storage root key.

New keys are created from random numbers generated in the trust source.
They are encrypted/decrypted using a child key in the storage key
hierarchy. Encryption and decryption of the child key must be
protected by a strong access control policy within the trust source.

Thank you,

Elaine (and Mimi)