Trusted Computing ...
... on x86-based systems ... on ARM-based systems
Establishment of
Initial Trust
Processor Security Features Software-based Approaches
ARM-based TC Core
Concepts
Chain of Trust Unique Identity Anti Rollback Protection Remote Attestation Key Authenticity Verification Trustworthy Network Connect
Demonstration Setup
Conclusion
Questions?
Embedded Trusted Computing on
ARM-based systems
TECHNISCHE HOCHSCHULE DEGGENDORF
Martin Schramm, M.Eng.
10.04.2014
Agenda
Motivation
Trusted Computing ...
... on x86-based systems
... on ARM-based systems
Establishment of Initial Trust
Processor Security Features
Software-based Approaches
ARM-based TC Core Concepts
Chain of Trust
Unique Identity
Anti Rollback Protection
Remote Attestation
Key Authenticity Verification
Trustworthy Network Connect
Demonstration Setup
Conclusion
Motivation
- Embedded computing platforms have become omnipresent
- intend to alleviate everyday life
- up and running in a 24/7 manner
- applications with high requirements for safety, security and privacy
- industrial automation
- medical
- automotive
- well-defined hardware and software components
- cost pressure
- ease of development
- arising problems regarding system security
- attacker effort is considerably reduced
- tremendous financial damage
- physical injury
- loss of human lives
Trusted Computing ...
... on x86-based systems
- Trusted Platform Module
- usually connected via LPC Bus
- Roots of Trust (RTS, RTR and RTM)
- CRTM implemented in BIOS
- Well-defined Chain of Trust
... on x86-based systems
- Chain of Trust

PCR       PCR usage
0         CRTM, BIOS and Platform Extensions
1         Platform Configuration
2         Option ROM Code
3         Option ROM Configuration and Data
4         IPL Code (usually the MBR)
5         IPL Configuration and Data (for use by the IPL Code)
6         State Transition and Wake Events
7         Host Platform Manufacturer Control
8 - 15    Defined for use by the Static Operating System
16        Debug
17 - 23   Defined for use by the Dynamic Operating System

- BIOS part often poorly implemented
- User often has no insight into what is going on
Trusted Computing ...
... on ARM-based systems
- TPM connected via embedded interface (e.g. I2C)
- Unique identification possible
- Lack of BIOS on ARM-based systems
- Root of Trust for Measurement must be redefined
- New Core Root of Trust for Measurement concept needed
- Initial Trust must be guaranteed
Processor Security Features
- Freescale High Assurance Boot
- Implemented in Boot ROM
- Based on signed code execution
- Validation of eFuses
[Figure: boot stages (first, second, third) from Reset through the i.MX Boot ROM, Bootloader and OS; labels include CSF, HAB Library, Boot Device Driver, Security Device Driver, Subsystem, TPM and Policy]
Establishment of Initial Trust
Processor Security Features
- Freescale High Assurance Boot
- Secure Boot capability
- HAB Library in Boot ROM is CRTM
- RTM comprised by enhanced Bootloader
- RTS and RTR located inside of the TPM
- Manufacturer has to be trusted
Software-based Approaches
- U-Boot Verified Boot
- Uses Flattened uImage Tree (FIT)
    images {
        kernel@1 {
            data = <data for kernel1>;
            signature@1 {
                algo = "sha1,rsa2048";
                value = <...kernel signature 1...>;
            };
        };
        fdt@1 {
            data = <data for fdt1>;
            signature@1 {
                algo = "sha1,rsa2048";
                value = <...fdt signature 1...>;
            };
        };
    };
- Sign images in FIT
  - Hash an image in the FIT
  - Sign the hash
  - Store resulting signature in the FIT
- Verify the images
  - Read the FIT and obtain public key
  - Extract the signature from FIT and hash image
  - Verify the signature
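The sign and verify steps listed above, as an added Python sketch (not U-Boot's code and not from the original slides): a FIT is modelled as a nested dict, images are signed with RSASSA-PKCS1-v1_5 over SHA-1 to match the "sha1,rsa2048" algo string, and the key is a throwaway generated at run time. The function names, the dict layout and the sample image bytes are assumptions made for illustration.

```python
import hashlib
import secrets

# DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2)
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def is_probable_prime(n, rounds=20):
    """Miller-Rabin for n = 3 (mod 4): n - 1 = 2 * odd, so a^((n-1)/2) must be +-1."""
    return all(pow(secrets.randbelow(n - 3) + 2, n >> 1, n) in (1, n - 1) for _ in range(rounds))

def gen_prime(bits):
    while True:
        p = secrets.randbits(bits) | (3 << (bits - 2)) | 3  # full length, 3 mod 4
        if is_probable_prime(p):
            return p

def gen_key(bits=2048, e=65537):
    """Throwaway demo key; returns ((n, e), d)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:  # e is prime, so gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def encode(data, k):
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 DigestInfo(SHA-1(data)), k bytes."""
    t = SHA1_PREFIX + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_fit(fit, pub, d):
    """Hash each image, sign the hash, store the signature in the FIT."""
    n, k = pub[0], (pub[0].bit_length() + 7) // 8
    for node in fit["images"].values():
        sig = pow(int.from_bytes(encode(node["data"], k), "big"), d, n)
        node["signature@1"] = {"algo": "sha1,rsa2048", "value": sig.to_bytes(k, "big")}

def verify_fit(fit, pub):
    """Return {image: bool}; the expected padded hash is rebuilt and compared whole."""
    (n, e), k = pub, (pub[0].bit_length() + 7) // 8
    result = {}
    for name, node in fit["images"].items():
        sig = node.get("signature@1", {}).get("value", b"")
        s = int.from_bytes(sig, "big")
        expected = int.from_bytes(encode(node["data"], k), "big")
        result[name] = len(sig) == k and s < n and pow(s, e, n) == expected
    return result

def demo():
    """Constructed sample FIT: sign two images, then alter the kernel by one byte."""
    pub, d = gen_key()
    fit = {"images": {"kernel@1": {"data": b"kernel bytes"}, "fdt@1": {"data": b"fdt bytes"}}}
    sign_fit(fit, pub, d)
    intact = verify_fit(fit, pub)
    fit["images"]["kernel@1"]["data"] += b"\x00"
    return intact, verify_fit(fit, pub)
```

The verifier recomputes the full padded block and compares it with the value recovered from the signature instead of parsing the recovered padding, so malformed encodings and missing signatures are rejected.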
Establishment of Initial Trust
Software-based Approaches
- U-Boot Verified Boot
- Public key must be trusted
- Stored in U-Boot's control Flattened Device Tree (FDT)
- Secure field-upgrades are possible
- U-Boot must be loaded from read-only memory (CRTM)
- Chaining images possible
- Signed configurations possible
    configurations {
        default = "conf@1";
        conf@1 {
            kernel = "kernel@1";
            fdt = "fdt@1";
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
                sign-images = "fdt", "kernel";
            };
        };
    };
Software-based Approaches
- libSboot
- libSboot, libTLCL and TPM drivers
- Secure Boot example for pre-OS boot environment
- U-Boot binary loaded by a Second Phase Loader (SPL)
- EEPROM defining platform identification and configuration
- Environment data read from an initial external source
- Environment variables set via the U-Boot console
- Flattened Device Tree files
- Initial Ram Disks
- An OS kernel
- Initialization of libSboot occurs from ROM code
- Initialization of TPM in SPL
- Verification that PCRs are reset
- Asserts Physical Presence
Establishment of Initial Trust
Software-based Approaches
- libSboot
- Sealed data stored in TPM NVRAM
- Pre-execution of U-Boot
- OS kernel
- System only boots after successful unseal operation
- Extend PCRs with random data after measurements/error
- Trustworthy modifications of U-Boot are difficult
- Signature based approach possible
Chain of Trust
- HAB + TPM
ARM-based TC Core Concepts
Chain of Trust
- U-Boot verified Boot
Chain of Trust
- libSboot
ARM-based TC Core Concepts
Chain of Trust
PCR       Possible PCR usage
0         U-Boot image
1         U-Boot environment variables
2         U-Boot typed in commands
3         Kernel FDT
4         Initial RAM Disk
5         OS kernel image
6         reserved for further use
7         reserved for further use
8 - 15    Defined for use by the Static Operating System
16        Debug
17 - 23   Defined for use by the Dynamic Operating System
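How a verifier can use the PCR allocation above, as an added Python model (not code from the slides or from any TPM library): the device extends each boot stage into its PCR and records an event log, and the verifier replays the log against the reported PCR values and a set of reference digests. The stage contents are constructed samples, and the reported PCRs are assumed to arrive in an authenticated form such as a TPM_QUOTE.

```python
import hashlib

# PCR allocation proposed in the table above (PCRs 6 and 7 are reserved)
PCR_USE = {0: "U-Boot image", 1: "U-Boot environment variables",
           2: "U-Boot typed in commands", 3: "Kernel FDT",
           4: "Initial RAM Disk", 5: "OS kernel image"}

def extend(pcr, digest):
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def measure_boot(stages):
    """Device side: stages is a list of (PCR index, blob) in boot order."""
    pcrs, log = {i: bytes(20) for i in range(8)}, []
    for idx, blob in stages:
        digest = hashlib.sha1(blob).digest()
        pcrs[idx] = extend(pcrs[idx], digest)
        log.append((idx, digest))
    return pcrs, log

def appraise(log, reported_pcrs, known_good):
    """Verifier side: replay the log, then compare it with the reported PCRs."""
    findings, replayed = [], {i: bytes(20) for i in range(8)}
    for idx, digest in log:
        replayed[idx] = extend(replayed[idx], digest)
        if digest not in known_good.get(idx, ()):
            findings.append(f"PCR {idx} ({PCR_USE.get(idx, 'reserved')}): unknown measurement")
    for idx in range(8):
        if replayed[idx] != reported_pcrs.get(idx):
            findings.append(f"PCR {idx} ({PCR_USE.get(idx, 'reserved')}): log does not match PCR")
    return findings

def demo():
    """Constructed stages: clean boot, modified initrd, modified initrd with a replayed log."""
    good = [(0, b"u-boot"), (1, b"bootdelay=0"), (3, b"fdt"), (4, b"initrd"), (5, b"kernel")]
    known_good = {idx: {hashlib.sha1(blob).digest()} for idx, blob in good}
    bad = [(i, b"initrd (modified)" if i == 4 else blob) for i, blob in good]
    pcrs, log = measure_boot(good)
    bad_pcrs, bad_log = measure_boot(bad)
    return (appraise(log, pcrs, known_good),          # clean boot
            appraise(bad_log, bad_pcrs, known_good),  # honest log of a modified stage
            appraise(log, bad_pcrs, known_good))      # old log sent with new PCR values
```

Both checks are needed: the reference comparison catches a stage that was measured but is not known, and the replay catches a log that does not describe what was actually extended into the PCRs.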
Unique Identity
- Embedded devices might be uniquely identified
- Endorsement Key certificate
- Hash of public Endorsement Key
- Barcode of public EK Hash
- Easy exchange of Trustworthy devices
ARM-based TC Core Concepts
Anti Rollback Protection
- What if signed image gets compromised?
- TPM chip features monotonic counters
- Can be used to implement rollback counters
- Rolling back an older signed firmware can be mitigated
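One way to turn the monotonic counter into a rollback check, as an added Python model (not from the slides): it assumes the signed image carries a version number, a hypothetical field, that the boot code compares with the counter. MonotonicCounter, boot_decision and commit_version are illustrative names, not TPM commands.

```python
class MonotonicCounter:
    """Model of a TPM monotonic counter: it can be read and incremented, never decreased."""
    def __init__(self):
        self._value = 0

    def read(self):
        return self._value

    def increment(self):
        self._value += 1
        return self._value

def boot_decision(counter, image_version, signature_ok):
    """Decide whether a firmware image may boot.

    image_version is assumed to be part of the signed data, so it cannot be
    edited without invalidating the signature.
    """
    if not signature_ok:
        return "refuse: bad signature"
    if image_version < counter.read():
        return "refuse: rollback"
    return "boot"

def commit_version(counter, image_version):
    """After the image has booted successfully, raise the counter to its version.

    Committing late keeps the previous image usable if the update fails to boot.
    """
    while counter.read() < image_version:
        counter.increment()

def demo():
    """Constructed update history: v1, v2, then a replay of the validly signed v1."""
    counter, decisions = MonotonicCounter(), []
    for version, signature_ok in [(1, True), (2, True), (1, True), (3, False), (2, True)]:
        decision = boot_decision(counter, version, signature_ok)
        decisions.append((version, decision))
        if decision == "boot":
            commit_version(counter, version)
    return decisions, counter.read()
```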
Remote Attestation
- Remote Attestation requires authentic AIK key
- PrivacyCA (online verification)
- AIK direct proof (offline verification)
ARM-based TC Core Concepts
Remote Attestation
- Remote Attestation via TPM_QUOTE
Key Authenticity Verification
- Possibility to certify any key in the TPM key hierarchy
ARM-based TC Core Concepts
Trustworthy Network Connect
- Prevent compromise of the hosts that connect to a network
- Based on extended attributes such as platform authentication, endpoint compliance or software state information
- Policy for assessment, isolation and remediation needed
- Common three party model: Access Requester (AR), Policy Decision Point (PDP) and Policy Enforcement Point (PEP)
- AR might be a VPN Client or IEEE 802.1X Supplicant
- AR's request processed by PDP which might be a software component or a RADIUS server
- PDP reports its decision (access granted or denied) to a PEP
- PEP might be a VPN gateway, switch, firewall or IEEE 802.1X Access Point
Trustworthy Network Connect
Demonstration Setup
Conclusion
- Manifold application areas of embedded devices
- Urgent need for sophisticated security solutions
- Initial Trust must be guaranteed
- Unique identification and anti-rollback possible
- Well-defined policies are of great importance
- Security versus Usability!