APT monitoring & analysis …below Ring 0

Applying Provenance in APT Monitoring and Analysis Practical Challenges for Scalable, Efficient and Trustworthy Distributed Provenance
Jenkinson G, Carata L, Bytheway T, Sohan R, Watson RNM, Anderson J, Kidney B, Strnad A, Thomas A, Neville-Neil G

[…] Below Ring 0 – hardware primitives can potentially support provenance capture in a number of ways. Trusted Computing primitives such as Intel SGX (Software Guard Extensions) can be used provide stronger non-repudiation (even in the presence of a compromised OS). And new hardware primitives could directly support provenance capture, for example providing an append only log for use by the kernel to store provenance records prior to sending over a network.[…]


Click to access tapp17_paper_jenkinson.pdf


Matthew on improving UEFI Secure Boot on Linux with TPMs


CMC-Vboot: investigates Chrome’s Verified Boot

This project takes Chrome’s Verified Boot (Vboot) process and examines its various security properties using formal logic. This verification is done with a focus on the firmware/hardware boundary. The Vboot process depends on the correct functionality of a Trusted Platform Module (TPM) and a SHA accelerator. Because these hardware accelerators are interacted with through Memory Mapped I/O (MMIO), it is difficult for normal formal methods to capture the interface between the MMIO registers and the workings of the Hardware modules. To explore this boundary I am using a Software TPM Library and passing it through to the QEMU Hardware Emulator. This allows me to use the normal MMIO registers of a TPM with the original Vboot Library.[…]


Windows 10 new preboot security features

There’s a few new preboot-related features in recent builds of Microsoft Windows, excerpt of some of them below.

New features in Windows 10, version 1511:
* Credential Guard: Enable Credential Guard without UEFI lock. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy.
* Bitlocker: DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.

* Bitlocker: New Group Policy for configuring pre-boot recovery. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the Configure pre-boot recovery message and URL section in “BitLocker Group Policy settings.”
* New BCD events: Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): DEP/NEX settings, Test signing, PCAT SB simulation, Debug, Boot debug, Integrity Services, Disable Winload debugging menu
* New PNP events:  Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
* TPM: Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
* TPM: The following sections describe the new and changed functionality in the TPM for Windows 10: Device health attestation, Microsoft Passport support, Device Guard support, Credential Guard support […]


TPM firmware updates (and BiosSledgehammer)

The below tweet made me realize I’ve not been looking enough for TPM utilities. I’ve seen tools from HP, Dell, and Lenovo. Still looking for tools from other OEMs. The only community tool I can find is BiosSledgehammer, which only works on HP systems.


BiosSledgehammer: Automated BIOS update, TPM firmware update and BIOS settings for HP devices.







Finbarr’s TPM 2.0 PCR Tool

Finnbarr P. Murphy has a new blog post about a new UEFI-based TPM tool he’s written.

[…]By the way, if you have access to the Intel TXT (Trusted Execution Technology) EFI compliance testing toolkit, the included utility, pcrdump.efi, provides similar functionality to the utility described in this post.[…]


See more of his UEFI Utilities:




James on Linux and TPM (and TouSerS)

James Bottomley has a new blog post on TPM v2 and Linux:


See his pervious blog posts for more on TPM and Linux.

Blogging aside, James also posted a TPM2 patch to TouSerS to allow support for OpenSSL:

[TrouSerS-tech] [PATCH 0/1] TPM2 engine support for openssl

This is a completed version of the original RFC.  It’s working now both on the TPM2 simulator and on real hardware (I’ve converted my laptop to TPM2).  I’ve updated it to use the latest version of the ASN.1 for the key format (still using a TCG OID). I have it building here (it’s what I’m currently using for my laptop VPNs):


But note that this version also has experimental patches to activate the in-kernel TPM Resource Manager because for multiple applications TPM2 really doesn’t work well without one.  Since the patch for the RM is currently not upstream (yet), it’s not going to work unless you have a patched kernel.

More info:

James on Linux TPM stack

James has a new blog post that gives a good introduction to the Linux TPM stack:

“[…]One of the great advantages of the TPM, instead of messing about with USB pkcs11 tokens, is that it has a file format for TPM keys (I’ll explain this later) which can be used directly in place of standard private key files.  However, before we get there, lets discuss some of the basics of how your TPM works and how to make use of it.[…]”



OpenCIT 2.2 released

Adolfo V Aguayo of Intel announced the version 2.2 release of OpenCIT.

New Features in 2.2:
– TPM 2.0 support.
   + Added support for platform and asset tag attestation of Linux and Windows hosts with TPM 2.0.
   + Support attestation of either SHA1 or SHA256 PCR banks on TPM 2.0.
   + Ubuntu 16.04 and RHEL 7.2, 7.3 (SHA1 and SHA256), Windows Server 2012 and Hyper-V Server 2012 (SHA1) are supported with TPM 2.0
– All the certificates and hashing algorithms used in CIT are upgraded to use SHA256.  SHA1 has been deprecated and will no longer be used.
– CIT Attestation Service UI has been updated to allow the user to select either the SHA1 or SHA256 PCR bank for Attestation of TPM 2.0 hosts.
    + The CIT  Attestation Service will automatically choose the strongest available algorithm for attestation (SHA1 for TPM 1.2, and SHA256 for TPM 2.0)
– CIT Attestation Service UI Whitelist tab no longer requires the user to select PCRs when whitelisting, and will automatically choose the PCRs to use based on the host OS and TPM version.  This is done to reduce confusion due to differing behaviors between TPM 1.2 and TPM 2.0 PCR usages.
– Additional changes made to support TPM 2.0:
    + Linux hosts with TPM 2.0 will now utilize TPM2.0-TSS (TPM 2.0 Software Stack) and TPM2.0-tools instead of the legacy trousers and tpm-tools packages. The new TSS2 and TPM2.0-tools are packaged with the CIT Trust Agent installer.
    + TPM 2.0 Windows hosts use TSS.MSR (The TPM Software Stack from Microsoft Research) PCPTool.
    + TPM 1.2 hosts will continue to use the legacy TSS stack (trousers) and tpm-tools components.

For more information, see the full announcement on the oat-devel@lists.01.org mailing list.


TrouSerS getting kicked out of Debian?

Thomas Habets points out on the trousers-users list that TrouSerS, the open source TPM stack, is getting kicked out of Debian, due to it’s lack of OpenSSL 1.1 support. I hope someone at TrouSerS is working on this. Tomas has a similar tool, Simple-TPM-PK11, and has made similar changes in his tool, that TrouSerS will need to do, and describes this in his post to trousers-users.





SeaBIOS 1.10.0 released!

Kevin O’Connor announced the 1.10.0 release of SeaBIOS.

New in this release:
* Initial support for Trusted Platform Module (TPM) version 2.0
* Several USB XHCI timing fixes on real hardware
* Support for “LSI MPT Fusion” scsi controllers on QEMU
* Support for virtio devices mapped above 4GB
* Several bug fixes and code cleanups

Multiple contributors: Kevin O’Connor, Stefan Berger, Gerd Hoffmann, Igor Mammedov, Dana Rubin, Marcel Apfelbaum, Alex Williamson, Cao jin, Cole Robinson, Don Slutz, Haozhong Zhang, Matt DeVillier, Paolo Bonzini, Piotr Król, Roger Pau Monne, and Zheng Bao.

More info:


coreboot 4.5 released

Martin Roth posted a new coreboot blog post, announcing version 4.5 of coreboot! Look at the blog post for lots of details.
Two hightlights for me are: “Add support for TPM 2.0″and “SPI & refactored I2C TPM driver”.

We are happy to announce the release of coreboot 4.5. The 4.5 release covers commit 80a3df260767 to commit 0bc12abc2b26. This release is the first since the project switched from doing quarterly releases to doing biannual releases.  The next release will be in April of 2017. Since the last release in April, the coreboot project has had 1889 commits by 119 authors. The release tarballs and gpg signatures are available in the usual place at https://www.coreboot.org/releases/ There is a 4.5 tag in the git repository, and a branch will be created as needed.

coreboot statistics:
Total Commits: 1889
Average Commits per day: 10.92
Total authors: 119
New authors: 47
Total Reviewers: 67
Total Submitters: 19
Total lines added: 164950
Total lines removed: -182737
Total difference: -17787


Matthew Garrett on Linux boot security

Amber Ankerholz wrote an article for Linux.com on the Linux boot-time security presentation that Matthew Garrett recently gave at the Linux Security Summit. In addition to the article, the video of the presentation is also available.



SeaBIOS TPM support improved

Stefan Berger of IBM submitted a 6-part patch to the SeaBIOS project, updating it’s TPM support, his patch comment follows:

This series of patches extends the TPM2 code to extend the BIOS related PCRs 0-7 in all available banks. This prevents that these PCRs remain untouched and filled with bogus values by applications. For example, the SHA1 hash is extended into the SHA256 bank. The value that is extended into this bank is essentially a SHA1 with zero bytes used for filling it to the size of a sha256 hash. This is done for all PCR banks of the TPM2 where these PCRs are available. In v2 of this series I also extended the log functions for logging the additional hashes. So there are more patches now.

For more information, see the full patch sent to the SeaBIOS list:

Microsoft on TPM Lockout

Rafal Sosnowski of Microsoft has a new blog post on TPM:

Hello everyone. It’s Rafal Sosnowski from Microsoft Dubai Security PFE Team. Today, I am going to talk about TPM Lockout state. TPM (Trusted Platform Module) is a small chip on the motherboard (discrete TPM) or part of the CPU implementation (firmware TPM) which can be used to securely store small amount of information (certificates, private keys, virtual smartcards, Bitlocker keys etc.). That data is completely isolated from HDD and partially from OS thus giving it maximum protection. To get access to that information from OS level user has to present some kind of authorization value. For example, Bitlocker PIN to get access to the Bitlocker Keys, Virtual smart-card PIN to get access to the certificates and private keys etc. However, TPM has special anti-hammering logic which prevents malicious user from guessing that authorization data indefinitely. Number of possible PIN failures varies across TPM specification: […]

Full post:

BSSSD: Trusted Computing for FreeBSD and OpenBSD

Excerpting the recent TCG announcement:

BSSSD: Trusted Computing now available for FreeBSD and OpenBSD: All pieces to utilize Trusted Computing and build Trusted Computing applications on FreeBSD and OpenBSD have been made available by the BSSSD-project.

Software components:
 * TPM device driver for the FreeBSD-kernel
 * TPM device driver for the OpenBSD-kernel
 * TCG Software Stack TrouSerS
 * TrustedGRUB boot-loader
 * TPM-Tools
 * OpenSSL-TPMengine
 * OpenCryptoKi
 * TPM-Emulator
 * TPM-Testsuite

Kernel drivers were developed for the following TPMs:
 * Atmel 97SC3203
 * Broadcom BCM0102
 * Infineon IFX SLB 9635 TT 1.2
 * Intel INTC0102
 * Sinosun SNS SSX35
 * STM ST19WP18
 * Winbond WEC WPCT200
 * TPMemulator