Re: [PATCH v6 06/14] x86: Add early SHA support for Secure Launch early measurements

From: Ard Biesheuvel
Date: Fri May 12 2023 - 07:58:57 EST


On Fri, 12 May 2023 at 13:28, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
>
> On Fri, May 12, 2023 at 01:18:45PM +0200, Ard Biesheuvel wrote:
> > On Fri, 12 May 2023 at 13:04, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
> > >
> > > On Tue, May 09, 2023 at 06:21:44PM -0700, Eric Biggers wrote:
> > >
> > > > SHA-1 is insecure. Why are you still using SHA-1? Don't TPMs support SHA-2
> > > > now?
> > >
> > > TXT is supported on some TPM 1.2 systems as well. TPM 2 systems are also
> > > at the whim of the firmware in terms of whether the SHA-2 banks are
> > > enabled. But even if the SHA-2 banks are enabled, if you suddenly stop
> > > extending the SHA-1 banks, a malicious actor can later turn up and
> > > extend whatever they want into them and present a SHA-1-only
> > > attestation. Ideally whatever is handling that attestation should know
> > > whether or not to expect an attestation with SHA-2, but the easiest way
> > > to maintain security is to always extend all banks.
> > >
> >
> > Wouldn't it make more sense to measure some terminating event into the
> > SHA-1 banks instead?
>
> Unless we assert that SHA-1 events are unsupported, it seems a bit odd
> to force a policy on people who have both banks enabled. People with
> mixed fleets are potentially going to be dealing with SHA-1 measurements
> for a while yet, and while there's obviously a security benefit in using
> SHA-2 instead it'd be irritating to have to maintain two attestation
> policies.

I understand why that matters from an operational perspective.

However, we are dealing with brand new code being proposed for Linux
mainline, and so this is our only chance to push back on this, as
otherwise, we will have to maintain it for a very long time.

IOW, D-RTM does not exist today in Linux, and it is up to us to define
what it will look like. From that perspective, it is downright
preposterous to even consider supporting SHA-1, given that SHA-1 by
itself gives none of the guarantees that D-RTM aims to provide. If
reducing your TCB is important enough to warrant switching to this
implementation of D-RTM, surely you can upgrade your attestation
policies as well.
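As an added illustration that is not part of the original thread: a simplified Python model of the two PCR banks discussed above, comparing launch code that skips the SHA-1 bank, extends it, or caps it with a terminating event. The event strings, the `CAP` value, the all-zero initial PCR value and every function name are constructed for this example.

```python
import hashlib

# Constructed sample events; not taken from any real event log.
GOOD = [b"kernel-good", b"initrd-good", b"cmdline-good"]
TAMPERED = [b"kernel-good", b"initrd-evil", b"cmdline-good"]
CAP = b"terminating-event"  # hypothetical separator value

def extend(pcr: bytes, event: bytes, alg: str) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(event))."""
    return hashlib.new(alg, pcr + hashlib.new(alg, event).digest()).digest()

def replay(events, alg, start=None):
    """Fold events into a PCR, starting from zeros (simplified reset value)."""
    pcr = start if start is not None else bytes(hashlib.new(alg).digest_size)
    for event in events:
        pcr = extend(pcr, event, alg)
    return pcr

def launch(actual_events, sha1_mode):
    """Model the launch code; sha1_mode is 'skip', 'extend' or 'cap'."""
    banks = {"sha256": replay(actual_events, "sha256"),
             "sha1": bytes(hashlib.new("sha1").digest_size)}
    if sha1_mode == "extend":
        banks["sha1"] = replay(actual_events, "sha1")
    elif sha1_mode == "cap":
        banks["sha1"] = extend(banks["sha1"], CAP, "sha1")
    return banks

def sha1_only_quote_passes(sha1_mode):
    """Tampered launch, then later software extends the GOOD log into SHA-1.
    Returns True if a verifier checking only the SHA-1 bank would accept."""
    banks = launch(TAMPERED, sha1_mode)
    banks["sha1"] = replay(GOOD, "sha1", start=banks["sha1"])
    return banks["sha1"] == replay(GOOD, "sha1")

def sha256_quote_passes(sha1_mode):
    """Same launch, but the verifier's policy requires the SHA-256 bank."""
    return launch(TAMPERED, sha1_mode)["sha256"] == replay(GOOD, "sha256")

if __name__ == "__main__":
    for mode in ("skip", "extend", "cap"):
        print(f"{mode:7} sha1-only accepted: {sha1_only_quote_passes(mode)!s:5} "
              f"sha256 accepted: {sha256_quote_passes(mode)}")
```

Only the `skip` case leaves the SHA-1 bank in a state that can later be brought to the reference value; extending or capping it at launch prevents that. A verifier policy that requires the SHA-256 bank rejects the tampered launch in all three cases.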