fTPM-based-UEFI-remote-attestation: fTPM-based UEFI remote attestation (duh)

April 14, 2018 ~ hucktech ~ Leave a comment

Zero documentation at this point:

https://github.com/Hecmay/fTPM-based-UEFI-remote-attestation

a bit more on AMD PSP vuln

January 12, 2018 ~ hucktech ~ 1 Comment

No CVE(s) from US-CERT/NIST/MITRE/NVD.
No AMD tracking id or public response from AMD.
No response from AMD support on the below question on their support forums.

AFAICT, AMD does not have a security advisories page, just occasional announcements on the main PR site. Intel does. Then again, AFAICT, neither does ARM.

Researcher clarifies original statement a bit:

http://seclists.org/fulldisclosure/2018/Jan/21

“I would like to clarify that here “remote” means remote code execution on
the TPM component. To mount the attack, local host access is still required.
Sorry if it caused any confusion.”

A code exec bug in AMD PSP module implementing TPM. PSP is similar to #IntelME. Key Qs:
1. Does PSP/fTPM have access to host memory?
2. How well is fTPM module isolated from the rest of the PSP?
3. How asynchronous is PSP execution with regards to the host? https://t.co/cSD1lzt3Kb

— Joanna Rutkowska (@rootkovska) January 8, 2018

https://community.amd.com/thread/224328

https://www.theregister.co.uk/2018/01/06/amd_cpu_psp_flaw/

http://www.amd.com/en/technologies/security

AMD PSP vuln: fTPM remote code execution

January 6, 2018January 6, 2018 ~ hucktech ~ Leave a comment

Busy year for processor security so far…

http://seclists.org/fulldisclosure/2018/Jan/12

AMD-PSP: fTPM Remote Code Execution via crafted EK certificate

From: Cfir Cohen via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 3 Jan 2018 09:40:40 -0800

AMD PSP is a dedicated security processor built onto the main CPU die. ARM TrustZone provides an isolated execution environment for sensitive and privileged tasks, such as main x86 core startup. [..] The fTPM trustlet code was found in Coreboot’s git repository [5] and in several BIOS update files. […] This research focused on vendor specific code that diverged from the TCG spec. […] As far as we know, general exploit mitigation technologies (stack cookies, NX stack, ASLR) are not implemented in the PSP environment. […] Credits: This vulnerability was discovered and reported to AMD by Cfir Cohen of the Google Cloud Security Team.

Timeline
========
09-28-17 – Vulnerability reported to AMD Security Team.
12-07-17 – Fix is ready. Vendor works on a rollout to affected partners.
01-03-18 – Public disclosure due to 90 day disclosure deadline.

Jesus Christ https://t.co/y9KLZgdK06

— Matthew Garrett (@mjg59@nondeterministic.computer) (@mjg59) January 5, 2018

fTPM 2.0 research from Microsoft

November 16, 2015 ~ hucktech ~ Leave a comment

There’s a new paper from Microsoft Research, on a firmware-based TPM implementation (fTPM):

https://twitter.com/h0x0d/status/662465826503524352

This paper presents the design and implementation of a firmware-based TPM 2.0 (fTPM) leveraging ARM TrustZone. The fTPM is the reference implementation used in millions of mobile devices, and was the first hardware or software implementation to support the newly released TPM 2.0 specification. This paper describes the shortcomings of ARM’s TrustZone for implementing secure service (such as our implementation), and presents three different approaches to overcome them. Additionally, the paper analyzes the fTPM’s security guarantees and demonstrates that many of the ARM TrustZone’s shortcomings remain present in future trusted hardware, such as Intel’s Software Guard Extensions (SGX).

Authors: Himanshu Raj, Stefan Saroiu, Alec Wolman, Ronald Aigner, Jeremiah Cox, Paul England, Chris Fenner, Kinshuman Kinshumann, Jork Loeser, Dennis Mattoon, Magnus Nystrom, David Robinson, Rob Spiger, Stefan Thom, and David Wooten

http://research.microsoft.com/apps/pubs/default.aspx?id=258236