Hacking

Linux TPM encryption: Initializing and using the TPM

Dejan Lukan
September 27, 2012 by
Dejan Lukan

Initializing the TPM

To secure our data we must first initialize the TPM. What we're actually doing is changing the settings of the hardware TPM chip module on the computer motherboard itself.

Earn two pentesting certifications at once!

Earn two pentesting certifications at once!

Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.

First we must initialize the TPM physical chip with the tpm_clear command, which returns the TPM to the default state, which is unowned, disabled and inactive. That command wipes all the ownership information from the TPM, invalidates all the keys and data tied to the TPM and even disables and deactivates the TPM.

We must remember that the TPM won't actually be used to encrypt/decrypt our data on the hard drive; it's just a hardware that contains secret keys that are used by the software component to actually do the encryption and decryption on the fly. The TPM is primarily used to check during boot if the kernel is unmodified, because otherwise an attacker could change our kernel with a malicious one, since the /boot partition is not encrypted when used with LUKS. But the TPM is not checking the integrity of the kernel only, but also the integrity of all BIOS components, bootloader, and other OS components.

 Clearing the TPM

[plain]

# tpm_clear --force

Tspi_TPM_ClearOwner failed: 0x00000007 - layer=tpm, code=0007 (7), TPM is disabled

[/plain]

We can see that the TPM is disabled, which is why we can't clear it. This can happen if we forget to actually enable the TPM in BIOS. The first thing to do would be to actually enable the TPM in BIOS. But if the TPM has been initialized before, we would receive the output that can be seen below:

[plain]

# tpm_clear --force

TPM Successfully Cleared. You need to reboot to complete this operation. After reboot the TPM will be in the default state: unowned, disabled and inactive.

[/plain]

This would require us to reboot the computer for changes to take effect. When clearing the TPM we'll return it to the default state, which is unowned, disabled and inactive, as already mentioned. To enable the TPM afterwards, we need the owner password. But since the TPM owner has been cleared, there is no owner password and we can set a new one without entering the old one. We can also receive an error like the following:

[plain]

# tpm_clear --force

Tspi_TPM_ClearOwner failed: 0x0000002d - layer=tpm, code=002d (45), Bad physical presence value

[/plain]

This happens because we can't clear the TPM from the Linux system, but from BIOS only. This is a security limitation that prevents any user from clearing the TPM.

1.2. Owning the TPM

We must also own the TPM to protect our data. Owning the TPM means setting the password that ensures that only the authorized user can access and manage the TPM. This password is also used when we want to turn off the TPM, disable the TPM, clear the TPM, etc, so we must always remember it and don't forget it. The TPM is shipped in unowned state.

We must set two passwords. The first password is an administration password, which is used for administering the TPM, and the second password is a SRK (Storage Root Key) password that is needed whenever we will load a key into the TPM. We can set both passwords with the tpm_takeownership command as can be seen below:

[plain]

# tpm_takeownership

Enter owner password:

Confirm password:

Enter SRK password:

Confirm password:

[/plain]

If we later want to change either of the commands, we can do it with the tpm_changeownerauth command. If we pass the --owner argument to the tpm_changeownerauth command we'll be changing the administration password and if we pass the --srk into the tpm_changeownerauth command we'll be changing the SRK password. We can see the example of both commands in the output below:

[plain]

# tpm_changeownerauth --owner

Enter owner password:

Enter new owner password:

Confirm password:

# tpm_changeownerauth --srk

Enter owner password:

Enter new SRK password:

Confirm password:

[/plain]

There are 5 keys in TPM:

  1. TPM Endorsement Key (EK): This key is created by the manufacturer and cannot be removed. Sometimes it can be changed by the owner of the computer.
  2. TPM Storage Key (SRK): Is the 2048 bit RSA key created when configuring the ownership. This key is stored inside the chip and can be removed. The key is used to encrypt the Storage Key (SK) and Attestation Identity Key (AIK).
  3. TPM Storage Key (SK): This key is created during initialization and is used to encrypt other elements in the TPM hierarchy, presumably the Binding Key (BK):
  4. Binding Key (BK): This key is used to encrypt little data blocks used by TPM.
  5. Attestation Key (AIK): This key is used for the exchanges with TPM, it is used to allow applications to authenticate the TPM.

To enable the TPM we must run the tpm_setenable and tpm_setactive commands as below. If we pass the --force option to any of those commands, it will try to use physical presence authorization to execute the command. We must know that most of the TPM operations require owner authorization, but physical access allows us to access certain TPM functions without the owner password. Of course, the physical access doesn't allow us to reveal TPM ownership password, which would break the confidentiality.

[plain]

# tpm_setenable --enable

Enter owner password:

Disabled status: false

# tpm_setactive

Enter owner password:

Persistent Deactivated Status: false

Volatile Deactivated Status: false

[/plain]

There are usually two Endorsement Keys (EK): the public and private one. The private key is always stored at the TPM and cannot even be seen by anyone, while the public key can be displayed with the tpm_getpubek command.

[plain]

# tpm_getpubek

Tspi_TPM_GetPubEndorsementKey failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled

Enter owner password:

Public Endorsement Key:

Version: 01010000

Usage: 0x0002 (Unknown)

Flags: 0x00000000 (!VOLATILE, !MIGRATABLE, !REDIRECTION)

AuthUsage: 0x00 (Never)

Algorithm: 0x00000020 (Unknown)

Encryption Scheme: 0x00000012 (Unknown)

Signature Scheme: 0x00000010 (Unknown)

Public Key:

a350b3a3 3edddc30 06248f4f 5d3eb80a 34fcbea0 83dde002 8dffa703 e116f8b0

eb1962ee a65998b3 384aeb6e 85486be9 0316a6ca a189a5ba 2217b2a2 9da014db

dfbe7731 fb675e7a 438c4775 deea54fb 0c75de5d ba961950 3eda4555 d27a9a30

e94d39d0 a4ea314d a70eaf08 e49dd354 d57ed34d 234220d9 604471a9 86173050

9ff9b0e5 b65cb4b5 5f46a7f9 4378bd7e 8c61b91b ad312974 fef5d70f 84f4484f

e5c95300 0eef76f2 1667443f dc2fa82e 351d945e 6b5f75e8 828d010f 61541552

[...]

[/plain]

TrustedGRUB

TrustedGRUB is an extension to a normal GRUB boot loader, which has been modified to support the TPM. We can use TrustedGRUB to connect to the TPM and measure the binary configuration and store the resulting measurements in the Platform Configuration Registers (PCR) in the TPM. These registers can then be used to verify the software configuration running on the TPM-enabled platform.

We can list the values in the PCR registers by printing the value of the file /sys/class/misc/tpm0/device/pcrs. An example of such an output can be seen below:

[plain]

# cat /sys/class/misc/tpm0/device/pcrs

PCR-00: AD B5 A1 6B F5 42 CA 9D 0F EA 7A 60 94 81 53 F8 E0 42 E6 B6

PCR-01: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75

PCR-02: 0E AA F8 1E 92 C7 84 F9 9C BB C1 D3 72 12 9D DD DA 30 6E 5A

PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75

PCR-04: 47 0E D4 44 DE 46 2C FC 17 5E 3C 68 8D 79 A3 2B 97 30 DF 13

PCR-05: 81 96 5F 15 B0 6D 54 56 18 FA E1 51 F1 48 B3 02 D5 08 E9 21

PCR-06: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75

PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75

PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

[/plain]

First, we must download the TrustedGRUB from the address TrustedGRUB. To download the TrustedGRUB execute the commands below:

[plain]

# svn co <a href="https://projects.sirrix.com/svn/trustedgrub/release/">https://projects.sirrix.com/svn/trustedgrub/release/</a>

# mv release/ TrustedGRUB/

# tar xvzf TrustedGRUB-1.1.5.tar.gz

# cd TrustedGRUB-1.1.5/

[/plain]

What follows is the compilation phase. We can configure and compile the TrustedGRUB with the following command:

[plain]

# ./build_tgrub.sh

- Deflating TrustedGRUB

- Configuring TrustedGRUB

- Compiling TrustedGRUB

- done

Please do

'cp default /boot/grub'

'cd TrustedGRUB-1.1.5'

'make install'

To install TrustedGRUB to your local hard disc do:

'rm -rf /boot/grub/stage*'

'rm -rf /boot/grub/*1_5'

'cp default /boot/grub'

'cd TrustedGRUB-1.1.5'

'cp stage1/stage1 /boot/grub'

'cp stage2/stage2 /boot/grub'

'./grub/grub --no-floppy'

Then enter:

root (hdX,Y)

setup (hdX)

quit

or alternatively

'rm -rf /boot/grub/stage*'

'rm -rf /boot/grub/*1_5'

'./TrustedGRUB-1.1.5/util/grub-install /dev/XXX --no-floppy'

[/plain]

We can see that the TrustedGRUB was successfully configured and compiled. To replace our old GRUB with the new TrustedGRUB, we need to remove the old GRUB from the system and install the new TrustedGRUB. We can do that with issuing the commands below:

[plain]

# emerge -C grub

# cd TrustedGRUB-1.1.5/

# make install

[/plain]

The first command removes the system GRUB, while the second command installs the new TrustedGRUB. Afterwards we need to copy some files needed for the boot process to the /boot partition. First we'll make a backup of the old /boot partition, and afterwards overwrite some files with new ones. Let's create a backup:

[plain]

# cp -r /boot /boot2

[/plain]

And copy some of the files from TrustedGRUB to the new /boot partition (the old files are still there, so we need to overwrite those):

[plain]

# cp ../default /boot/grub/

# cp stage1/stage1 /boot/grub

# cp stage2/stage2 /boot/grub

[/plain]

The only thing left is to actually install grub, which can be done by entering the grub command:

[plain]

# grub

grub> root(hd0,0)

grub> setup(hd0)

grub> exit

[/plain]

Then we can restart the system to see if everything works as expected. If the system boots normally, then everything is ok. Since the TPM doesn't do anything by itself, but requires the software that supports the TPM to control it, it's redundant to mention that we must configure TrustedGRUB to use the TPM. The TrustedGRUB supports additional functionality: the checkfile and the pcr_verify options. The checkfile option allows us to specify the grub.conf file and additional files and programs to check at startup. Grub will extend one of the PCR registers with a SHA1 of the specified files.

Conclusion

TPM provides a hardware support that holds the keys, which can be used to prove that the platform is trusted and the operating system can be booted securely. We can use TPM with LUKS in Linux, where the LUKS key can be written into TPM and then set-up a TrustedGRUB, which would unlock the sealed key. The /etc/crypttab in initrd should retrieve the key from TPM and boot the system securely, which is why we need to include tpm-tools into the initrd.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

We must also mention that LUKS is compatible with TPM in Linux, whereas the TrueCrypt still isn't. Not to mention that the Linux version of TrueCrypt doesn't even have the option to encrypt the whole partition, while the LUKS is a champion in doing that.

Dejan Lukan
Dejan Lukan

Dejan Lukan is a security researcher for InfoSec Institute and penetration tester from Slovenia. He is very interested in finding new bugs in real world software products with source code analysis, fuzzing and reverse engineering. He also has a great passion for developing his own simple scripts for security related problems and learning about new hacking techniques. He knows a great deal about programming languages, as he can write in couple of dozen of them. His passion is also Antivirus bypassing techniques, malware research and operating systems, mainly Linux, Windows and BSD. He also has his own blog available here: http://www.proteansec.com/.