Heads OEM device ownership/reownership: A tamper-evident approach to remote integrity attestation
Formal Metadata
Number of Parts | 490
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/47313 (DOI)
Transcript: English (auto-generated)
00:05
Hello everyone, I'm Thierry Laurion from Insurgo Open Technologies. The presentation of today is actually a call for collaboration, but showing you where the status of Heads is, and where we need some help, actually.
00:26
Insurgo PrivacyBeast was a product released and certified by Qubes OS in July 2019, trying to resolve the problem of being able to distribute Qubes OS pre-installed without
00:40
reducing the security of the device. The reason why Heads is used is because there are two different securities that are added directly in the firmware. It gives us the possibility of knowing the state of the firmware by measuring the different parts. I will go through that later on. And we use a generated key that is on a secure device, and we put the public key inside of
01:05
the firmware, which permits us to have verified boot. Like the binaries inside of /boot, which is not encrypted, are actually verified upon each boot. The reason why the X230 is actually interesting is because we can actually neuter the ME.
01:23
Neutering and deactivation are words that are really mixed up in the world right now, because neutering means that all the parts are supposed to be removed, which is not possible anymore. The status of Sandy Bridge and Ivy Bridge is that you can actually remove all the
01:40
other modules but the bring-up modules. So the parts that are necessary to actually start the main CPUs are still there, which results in 98 kilobytes of code that we still don't know what they do, but it's still there. So, binary-blob-free. Heads is actually a payload of coreboot, and what I did is actually implement a re-ownership
02:05
process inside of Heads that permits us, as an OEM, to actually certify, attest the state of the firmware and the boot status, and actually ship a QR code to the customer and the USB security key with the laptop, so that the user receives it and is able
02:25
to verify, by having already the picture taken, that the firmware validation measures are there, and the security key is actually plugged into the laptop. It's Librem Key-developed technology, so basically the laptop communicates with the key and
02:40
validates that the measurements are still there by flashing green, or red if it's not okay. So basically, the process involves re-owning all those components when the user receives it, so that the OEM is not... There's no trace of the OEM work after the re-ownership wizard. So for those of you who don't know what Heads is, this is a quick description that
03:06
I've already come to. Basically, the goal of Heads is not to be perfect, it's to actually add more security inside of the firmware, like I said earlier, by measuring it. So it's not verified boot, it's measured boot, and the goal of it is, it was based
03:26
on coreboot, an older version, and patches were made to be able to actually modify the ramstage to be dependent on the TPM library that measures the modules prior to launching them.
03:41
It permits remote attestation. Remote attestation is a mixed word there, mixed in the sense that you verify the state on your phone with the QR code that you already scanned, so you have a TOTP, a code of six numbers that is regenerated every 30 seconds, and if the codes on your phone and on the laptop are the same, then you know that it
04:02
was not modified. Librem Key, like I said earlier, uses the same measurement from the TPM, but validates it on the USB key, so if it flashes green, you know that it's good; if it flashes red, it means that it was tampered with. The verified boot integrity, the part where the key is actually used: the USB key is
04:22
used to sign every change to the boot configuration. So when Heads boots, what it does is generate a digest of all the files that are present, and it is signed with your private key inside of your USB key. So when it boots, Heads just checks that the hash is signed by your public key that is
04:40
inside of the ROM, so if something changes, you will be notified, because you're the only one having the private key that matches the public key that is inside of the ROM. Voila for that. This is what Heads does, basically: it takes measurements in all of those PCRs, and those PCRs are used to validate the integrity.
05:06
So why did I implement an ownership, re-ownership? Because we want to have the firmware boot integrity validated, we want the USB security dongle that is shipped to the user to be temporarily owned by the OEM, and re-owned
05:22
by the user upon reception, and the USB key should be provisioned with secrets that are not the default ones. For example, if you buy a Librem Key or a Nitrokey, the user PIN will be 123456, and the admin PIN will be 12345678. So if, for some example, the device, the laptop, and the USB key are sent separately,
05:46
but for some reason someone is able to get their hands on the key and the laptop, there is a possibility of being able to modify the boot integrity, for example, and being able to use the key with the admin PIN and resign the measurements, and there would
06:00
be no security. So if we are able to provision those with random secrets, even though someone in the path will be able to get those two, they won't be able to measure and verify. So all of those are covered already by the re-ownership.
06:22
That gives something like that when you boot the laptop at first. What you see here is that the time is supposed to be the same. You see the TOTP code that you can validate on your phone, which is supposed to be the same. The HOTP code there is the result of the key being connected directly in the USB port, and the boot integrity is validated because the public signature that is inside of the
06:44
ROM validated that the boot content was the same. So if you get those three right, you can continue the re-ownership, so you know that the laptop was not modified in transit. On that level, if you have an OS pre-installed, how can you verify that it was not tampered
07:07
with? The simplest solution that was done is actually we create an OEM image that we clone on each of the laptops. The problem doing that is that the LUKS encryption key would be the same on all the laptops. We don't want that, because I could lend that key to any authority, and it would be
07:24
a massive problem. So we want the initial LUKS encryption key to be unique. We want the encryption password to be also different. And the last point is the integrity of the operating system needs to be validated.
07:42
We don't have the last one for the moment. There is work being done on that, and we'll cover it later on. Mainly, Heads lacks LVM provisioning tools right now, so that we have a possibility, if we deploy an OEM image, to be able to decrypt the LUKS container and measure the LVM so that
08:01
we know that they have the same integrity as when it was shipped. That's not done right now. It needs a bit more space inside of the ROM, and work is being done on that right now. So the result when the user receives the laptop and types the LUKS encryption key, which is the same that unlocks the SD card content, which is encrypted and which will be used
08:21
to store the secrets of provisioning: it unlocks the two containers and actually re-encrypts the content of both disks. So the SD card, which is used to store the provisioned secrets at the re-ownership, is also encrypted, and the hard drive is being re-encrypted right now. So what you see here is the result 35, 40 minutes later: all the computer data
08:45
is being completely re-encrypted. So even if I was able to lend the keys to authorities, those keys don't exist anymore. They were changed completely. So here, the slides are being uploaded. If you click on those two links, you have what it would be for an OEM to actually re-own
09:05
the laptop, and it's the same process that is being used for the user when he receives it. So basically having one passphrase to type, and after that, I won't go through that, but the menu is actually asking you, generating, like, a Diceware passphrase of different
09:22
lengths, depending on the security needed, for all the devices generated for you, and you renew them until one flashes in your head. I come from a psychology background, and the most basic problem for everyone is selecting good passphrases and good passwords. So if you have something that actually flabbergasts your mind, and you find it funny, you will
09:43
remember it. And if you try to remember A, X, zero, anyway, you're kind of security people, so good passphrases are the basis of everything, so the re-ownership takes that into account and proposes you, like, random words until some fix in your mind. So who doesn't know what Qubes OS is?
10:05
Okay. We decided to ship, actually it was an inverse problem. The problem was on what computer we can use Qubes OS securely, and the situation was resolved because Sandy Bridge and Ivy Bridge, there was a debate on that, but Sandy Bridge and
10:24
Ivy Bridge are the last x86 platforms that are able to be freed. There is no binary responsible for the hardware initialization, RAM initialization, graphics initialization; all of those that are normally initialized by blobs are native on that
10:42
platform thanks to the coreboot effort and reversing. So on what hardware can you actually run Qubes OS securely? The X230 was one of the clear answers. So what I decided to do was to actually release a laptop having Qubes OS pre-installed,
11:00
and voila. So what is Qubes OS? Qubes OS is an operating system based on virtualization that permits you to separate in a secluded environment what is untrusted on your computer. So basically you would have the network that is isolated in a virtual machine, all that is USB would be isolated in a machine, and each of the virtual machines that you
11:24
pop up has routing vulnerabilities possible between the machines, but the rest of it is not connected, the rest of it doesn't have access to your files, or to vulnerabilities exposed by a Rubber Ducky USB key that you would put on your computer that you don't trust.
11:44
So basically everything that is untrusted that comes from the external, until you do something really stupid, won't affect you. Qubes OS is also really interesting because all attachments that you will open from emails or whatever, if you use Thunderbird, if you double-click on the attachment, it will open
12:02
up in a disposable VM. A disposable VM is something that will just self-destruct after you saw the content. So if you clicked on a PDF or an XLS document, Word document or whatever, you may compromise the virtual machine that you're using, but once it's done, once you click that you finished
12:21
with the application, the hypervisor will destroy your virtual machine and there won't be any trace of it. If you don't trust a PDF, for example, you can also just right-click on it and say convert it, and that's it. It's done in a bitmap form of document that you can use to share or whatever.
12:43
The same thing for devices that are coming from the outside. You have to explicitly say where you want that device to be attached. So there is no stupid corruption that would happen to the super secure machine that you want to use. It won't have networking if you don't want it to, so you can have a vault that will contain
13:02
all your passwords and everything. You're actually responsible for defining the environments the way that you need them to be. Qubes OS comes with a couple of them, but that's irrelevant to this talk. The goal of it is to have good hardware on which you can run a secure operating system.
13:23
So as of right now, there are not a lot of models that are supported under Heads because of security considerations and because Heads is a contributor-based project, but under development right now, because I decided to go the path of a grant, to be able to support
13:45
more hardware, being able to support remote management inside of Qubes OS, because Qubes OS is super nice, but most of you, if you don't know the operating system, you would be challenged by the idea of, okay, but will I receive help? Will I be able to deal with that if I run into a problem or whatever?
14:02
So I received a grant under NLnet named Accessible Security. The goal of it is: we have secure solutions, but how can we make them accessible to the users that need them? My main focus is actually journalists, freedom defenders, and those kinds of people. So in my trainings, when I was asked, okay, but on what hardware do I implement those
14:24
super solutions that you say, there was no clear answer, because if you don't have trustable hardware, a trustable phone, a trustable something, then everything can be hacked from a simple vulnerability.
14:43
So under the grant right now is this. 3mdeb here. It's supposed to, we will know in the next days, but they should not have any problem. There's going to be a talk later on today about fwupd. The goal of it is to be able to have simple firmware upgrades like we
15:02
install any updates in our operating system. The problem with Qubes OS, like I said super quickly, is that Qubes OS is not meant to have network access by default. So if you have a part of your system, which is the hypervisor, that has access to your hardware, it's not supposed to have access to the internet.
15:20
So having updates for the device under domain zero on the hypervisor requires some modification so that the communication is made to download the updates and make them available. So the goal of that is to have those updates available inside of Heads so that the next time you reboot your laptop, Heads is also updatable.
15:42
Like I introduced also, having remote administration, because the people that are the most at risk, let's say journalists or anyone being in remote countries and needing help, right now they are kind of left alone. The goal of the Qubes OS Whonix partnership is to be able to have Tor hidden onion
16:00
accessible remote administration so that when you need it you can ask for support and copy-paste a link with a login and password and be able to have your admin VM or dom0 being accessible to receive help remotely. The possibility of having safer anonymization, forensic-resistant defaults, because right now
16:23
Qubes OS doesn't come with MAC randomization. So if you're roaming around here with your cell phone right now, okay, you're leaving traces everywhere because your MAC is known by all those Wi-Fi stations and everything. So if you're a journalist or a freedom defender and your identity is at risk, you want those traces to not exist.
16:42
Same thing for hard drive contents and everything. And the main problem that we have here, because we try to go international, is that there are so many keyboards that exist but Heads supports only US keyboards. So that's a challenge for going international. So the help that we need right now inside of Heads is better reproducibility, because
17:04
the Heads motto is being able to produce the same exact image wherever you build it, across different OS build systems and everything. We need help with that. If there are people here working in a continuous integration environment and able to give a bit of help, that would be amazing.
17:22
Heads needs a bit more involvement. And the main cue that I, it's not really related to firmware development right now, but we need an alternative to x86 so that we don't have blobs in our hardware. It's really a concern that should be addressed by firmware developers.
17:42
And the goal of all of this, because I'm doing this in six months right now, is that every time that we ship a laptop, it goes through customs and everything. So what we need right now is reprogrammers around the world that are ready to do exactly the same part of the job that I'm doing but in different countries, so that laptops don't go across borders but are made locally.
18:03
And people that are interested in joining the adventure of making hardware more secure. Here for firmware developers, there is PowerPC work needed inside of coreboot. So if you are willing to join the adventure of porting coreboot to PowerPC, it would
18:23
be amazing. Those are tasks that I need to do right now, because one of the most common problems that arrive in my situation is a client saying, okay, but I lost my USB key. And when you lose your USB security key that is made to sign the configuration, it means that you have to buy another one and re-own the key, generate new keys and everything,
18:45
because the keys are inside of the USB device. So it's not copyable. So the solution around that would be to use Heads to generate those key pairs, save them inside of a LUKS-encrypted key, which I already resolved.
19:01
It's just like coding stuff that I will resolve in the next couple of weeks. And voila. So Insurgo is now incorporated. Like I said, we need reprogrammers. There is direct sourcing that is available to partners around the world that want to join the adventure. Training is provided. My background is security trainer.
19:21
So I would be more than willing to jump into the adventure and make this go broader. And this is what I want to promote: I've been in this adventure for a couple of months right now. I did a lot of attempts and funding efforts.
19:43
This is nice. This is working, but it's complicated because of the added management that is there. So Insurgo just created its Insurgo initiative at Open Collective. And every time that a laptop will be bought from us or any partner that is linked to us, 25% of the net profit will be donated inside of Open Collective.
20:05
Open Collective is what is used by Qubes OS and others. It's actually just an open book saying what money comes in and where it goes out. So the goal of this would be to actually be able to pay for development out of those funds, so that if there is an issue that you can actually deal with, you can
20:23
say, OK, it will take like 30 hours to resolve this. I will need like $5,000, and we can come to an arrangement of what needs to be done and when it's going to be paid. That's how funding works. You have to provide work, proof of work, and the funds are released on each task that is completed.
20:42
Voila. Thank you. Yes. I have two quick questions. One question, one set here. So when you mentioned PowerPC, it's really interesting.
21:02
I myself was the first one to actually import a Blackbird, a Talos II Blackbird, in Europe last year. So the problem is that it's not something that Power9 in general will be mass-used. It's price, it's availability, it's distribution, but the effort is meaningful.
21:23
So I just would like to hear how do you think you can enable, if someone wants to help you, to give him hardware to work with. That's a challenge. Yeah, yeah. So really quick, how can we make involvement to make the work?
21:43
Basically, Raptor Engineering for PowerPC. The question was how can we make PowerPC development work if hardware is not available? That's it? Yeah, first you need adoption to find problems, right? Yeah, okay. Basically, Raptor Engineering is willing to provide hardware for all the developers that
22:04
would work on that. The contract would be like code needs to be released and be put upstream to compensate for the hardware enablement, as they call it. That's first. The second one is that the hardware is known to work. They received Respects Your Freedom certification three months ago, I think.
22:24
Two months ago. So basically, it's the first platform that respects your freedom since Libreboot's X200. So basically, the hardware is performant. They have a plan of releasing a laptop really soon. So the question is how can we manage to have all the stack available so that both
22:43
arrive at the same time? I understand your reflex of, okay, but we need needs, but the need will arise. So the question right now, and if you click on the link there, there's a bounty for Qubes OS, and if people here are Xen developers, the bounty is really interesting if you can
23:01
actually propose code to have Xen support or TVM or... I got the Talos II and the two Blackbirds for the same reason, to use them for remote attestation to verify all the machines. So when you make your call for collaboration, I actually would like to say awesome, because I'm trying to do something similar. Contact me.
23:20
Yeah, I'm doing a developer-friendly trusted computing platform. I just want to say that tomorrow we'll do a birds-of-a-feather session for anyone interested, especially in remote attestation of different networks and platforms, and it will be in H3242 at 2:30. Write me an email.
23:40
Yeah, I'm just saying for everyone, because your call for collaboration really makes sense to me. Thank you. You talked about what are the challenges to develop a coreboot version for PowerPC.
24:08
Ah, yes. Right now, the work is done by 9elements under the grant. The basic problem is just to have vboot plus measured boot. That's kind of the new standard inside of coreboot.
24:23
The problem was that the support was not made properly for Sandy Bridge and Ivy Bridge, so it needs to be upstreamed first inside of coreboot, and after that, we will be able to make the merge. But it's supposed to happen in the next month or month and a half. They are working on it right now.
24:41
The design, what happens when you need to upgrade the kernel? You need to re-own the whole system. What happens? Okay, the question is what happens when you upgrade the operating system? Yeah, what happens actually, when you sign your boot configuration, you're actually selecting
25:01
a default boot configuration. So what it means is that your GRUB, Xen, kernel, and initrd will be measured, and the digest takes that into consideration. So when you upgrade, all of those will change at the same time. So Heads actually pops up and asks you if you are the origin of those changes.
25:25
If you are, you sign. If you don't, you inspect. One question or no? No? One short. That's like only one short question, or one short. Who is short?
25:45
Not yet. The question was, is there any interception story that happened? Not yet. Not that you know. No, but not that I know. Again, with all the measurements that are there, we put glitter with nail polish
26:05
under the main screw. We sent a picture of that glitter to the customer, the QR code, blah, blah, blah. So Trammell here would be better placed than me to answer what are exactly the use cases that would be needed to actually be able to compromise the firmware, have
26:23
the measurements being done inside that would match the QR code, match the challenge version inside of your USB key and everything. I don't come up with a way, but there's possibly a way. And if you're a 3-billion targeted user, I'm sorry for you.
26:50
Thank you.