TPM Genie: I2C bus interposer for discrete TPMs

[…]This tool was primarily developed to manipulate TPM response packets in order to trigger parsing bugs in the host-side TPM drivers. These bugs can be found in the Linux kernel, as well as a variety of bootloaders such as Tboot and Tianocore EDKII. Leveraging these vulnerabilities, an attacker may be able to compromise a host machine after it had successfully booted up into a fully measured and attested state. TPM Genie is also able to man-in-the-middle PCR Extend operations, yielding the ability to undermine most of the stated purposes of a TPM: measured boot, remote attestation, and sealed storage. Normally, attestation or unsealing should fail if an attacker modifies any component of the measured boot process. However, the interposer makes it is possible to spoof these measurements by replacing the the payload associated with the PCR Extend ordinal as it is transmitted across the bus. Additionally, TPM Genie can weaken the Linux hardware random number generator. On some systems, /dev/hwrng is tied into the Trusted Platform Module such that all reads on the character device will actually result in the TPM chip providing the random bytes. In this way, the interposer can subtly alter the platform’s RNG which may impair cryptographic operations on the host. Finally, TPM Genie can be used to simply sniff the bus to capture secrets, such as session data associated with the OIAP and OSAP commands. And with nominal additional engineering effort, TPM Genie should be able to spoof the Endorsement Key, gain control of the AuthData and recalculate the Authorization Session HMAC. (More info on that in my whitepaper. I promise I’ll implement that soon).[…]


DMTF updates MCTP SMBus/I2C Transport Binding spec

DMTF Releases Updated MCTP SMBus/I2C Transport Binding Specification
The DMTF’s Platform Management Components Intercommunication (PMCI) Working Group defines standards to address “inside the box” communication and functional interfaces between the components of the platform management subsystem (e.g., management controllers, managed devices, etc.). PMCI’s Management Component Transport Protocol (MCTP) over SMBus/I2C Transport Binding Specification is now available in version 1.1.0 . This specification addresses how MCTP packets are delivered over a physical SMBus or I2C medium using SMBus transactions. It defines how physical addresses are used, how fixed addresses are accommodated, how physical address assignment is accomplished for hot-plug or other devices that require dynamic physical address assignment, and how MCTP support is discovered. In addition, timing specifications for bus and MCTP control operations are included, and a “fairness” protocol is defined for the purpose of avoiding deadlock and starvation/lockout situations among MCTP endpoints. The binding has been designed to be able to share the same bus as devices communicating using earlier SMBus/I2C management protocols, such as Alert Standard Format (ASF) and Intelligent Platform Management (IPMI), and with vendor-specific devices using SMBus/I2C protocols. The specification also allows a given device to incorporate non-MCTP SMBus functions alongside MCTP.

Click to access DSP0237_1.1.0.pdf

OpenBSD 5.9 released

OpenBSD 5.9 has been released. There are a few firmware-related improvements in this release, such as:
* New efifb(4) driver for EFI frame buffer.
* amd64 can now boot from 32 bit and 64 bit EFI.
* Initial support for hardware reduced ACPI added to acpi(4).

* New asmc(4) driver for the Apple System Management Controller.
* New dwiic(4) driver for the Synopsys DesignWare I2C controller.
* Support for ACPI configured SD host controllers has been added to sdhc(4).
* The sdmmc(4) driver now supports sector mode for eMMC devices, such as those found on some BeagleBone Black boards.
* The ipmi(4) driver now supports OpenIPMI compatible character device.

Full announcement:

U-Boot TPM driver model added

Yesterday Simon Glass of Chromium has submitted a large (28-part) patch to U-Boot, adding a driver model for TPMs.

[PATCH v2 00/28] dm: Convert TPM drivers to driver model

This series adds driver model support for Trusted Platform Modules (TPMs). These have a very simple interface and are configured via the device tree.

Two bus types are supported at present: I2C and LPC (Intel Low-Pin-Count).

Most drivers and users are converted over to driver model. The exception is the Atmel TPM and its users.

The I2C driver has been cleaned up and simplified. It was ported from Linux and was pretty hard to follow. This series includes patches to unify the code, remove duplicated data structures and drop unnecessary indirection.

Also this series enables the TPM on all Chromebooks supported by upstream U-Boot (snow, spring, nyan-big, pit, pi, link, panther) since some did not have it fully enabled.

As before, the ‘tpm’ command can be used to implement TPM functionality. In addition a ‘tpmtest’ command provides some basic TPM tests taken from Chrome OS U-Boot. These are fairly rudimentary but are useful if you know what you are doing.

For more information, see the U-boot mailing list: