The unsealed secret flows through the TPM interface in clear text

[jx6f]

Thank you for sharing your valuable insights.

I read Protecting Secrets At Tpm Interface article and tried the demo script while capturing packets using SWTPM simulator. And then I found that unsealed secret is not encrypted.

I think that adding --enable-encrypt option to tpm2_sessionconfig command fixes this.

--- a/_posts/2021-02-17-Protecting-secrets-at-TPM-interface.md
+++ b/_posts/2021-02-17-Protecting-secrets-at-TPM-interface.md
@@ -231,7 +231,7 @@ setup_salted_param_encrypt_session_with_ek() {
     --tpmkey-context ek.ctx
     rm -f ek.ctx
 
-    tpm2_sessionconfig -Q  salted_session.ctx --enable-decrypt
+    tpm2_sessionconfig -Q  salted_session.ctx --enable-decrypt --enable-encrypt
 }
 
 #

Here is the result.

If this fix is suitable, I can also submit a merge request. Thanks.

[jx6f]

I forgot to write. I think the following document also has a similar script and has the same issue.

TCG CPU to TPM Bus Protection Guidance for Active Attacks Version 1.0 Revision 30

[idesai]

Thank you for sharing your valuable insights.

I read Protecting Secrets At Tpm Interface article and tried the demo script while capturing packets using SWTPM simulator. And then I found that unsealed secret is not encrypted.

I think that adding --enable-encrypt option to tpm2_sessionconfig command fixes this.

--- a/_posts/2021-02-17-Protecting-secrets-at-TPM-interface.md
+++ b/_posts/2021-02-17-Protecting-secrets-at-TPM-interface.md
@@ -231,7 +231,7 @@ setup_salted_param_encrypt_session_with_ek() {
     --tpmkey-context ek.ctx
     rm -f ek.ctx
 
-    tpm2_sessionconfig -Q  salted_session.ctx --enable-decrypt
+    tpm2_sessionconfig -Q  salted_session.ctx --enable-decrypt --enable-encrypt
 }
 
 #

Here is the result.

If this fix is suitable, I can also submit a merge request. Thanks.

Sure.

[jx6f]

Another problem found.

After cpu_secret_provisioning and runtime_provisioning and seal_data and TPM resets, running runtime_provisioning and unseal_data fails to unseal. This occurs both in the simulator and on the real TPM.

# unseal_data 
WARN: Reading full size of the NV index
WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x0000099d) 
ERROR: Esys_Unseal(0x99D) - tpm:session(1):a policy check failed
ERROR: Unable to run tpm2_unseal
UNSEALBLOB=

This is because the NV Extended value when sealing and the NV Extended value when unsealing are different. I'm currently looking into the detailed cause. I'll let you know if I find out anything.

Thank you again for sharing your valuable insights.

[jx6f]

runtime_provisioning and unseal_data after TPM reset was successful. I think it is necessary to have a separate session for parameter encryption and authentication when executing NV Extend. My guess is that otherwise the extended NV value may be encrypted.

--- a/_posts/2021-02-17-Protecting-secrets-at-TPM-interface.md
+++ b/_posts/2021-02-17-Protecting-secrets-at-TPM-interface.md
@@ -231,7 +231,7 @@ setup_salted_param_encrypt_session_with_ek() {
     --tpmkey-context ek.ctx
     rm -f ek.ctx
 
-    tpm2_sessionconfig -Q  salted_session.ctx --enable-decrypt
+    tpm2_sessionconfig -Q  salted_session.ctx --enable-decrypt --enable-encrypt
 }
 
 #
@@ -313,12 +313,11 @@ cpu_secret_provisioning() {
 #       TPM interface.
 #
 runtime_provisioning() {
+    setup_salted_param_encrypt_session_with_ek --hmac-session
+
     tpm2_startauthsession -Q  --session bounded_policy_session.ctx \
     --policy-session --bind-context $NVIndex --bind-auth $HOST_SECRET
 
-    tpm2_sessionconfig -Q bounded_policy_session.ctx \
-    --enable-decrypt --enable-encrypt
-
     tpm2_policycommandcode -Q --session bounded_policy_session.ctx \
     TPM2_CC_NV_Extend
 
@@ -326,10 +325,12 @@ runtime_provisioning() {
     --policy-list sha256:A.policy,B.policy,C.policy
 
     echo -n $NV_SECRET|tpm2_nvextend -Q -C $NVIndex -i- $NVIndex \
-    -P session:bounded_policy_session.ctx
+    -P session:bounded_policy_session.ctx \
+    -S salted_session.ctx
 
     tpm2_flushcontext -Q bounded_policy_session.ctx
-    rm -f bounded_policy_session.ctx
+    tpm2_flushcontext -Q salted_session.ctx
+    rm -f bounded_policy_session.ctx salted_session.ctx
 }