We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback
00:00

Formal Metadata

Title
Ultrablue
Subtitle
User-friendly Lightweight TPM Remote Attestation over Bluetooth
Title of Series
Number of Parts
542
Author
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Ultrablue (User-friendly Lightweight TPM Remote Attestation over Bluetooth) is a solution to allow individual users to perform boot state attestation with their phone. It consists in a server, running on a computer, acting as the attester, and a graphical client application, running on a trusted phone, acting as the verifier. A typical use-case is to verify the integrity of your bootchain before unlocking your computer, to prevent offline attacks on an unattended laptop. It can also serve as a debugging tool for secure boot issues after firmware upgrades or as a second factor for disk encryption. During the boot of a PC, it is now common to have each stage store measurements of the next one into a TPM, in order to keep a tamper-proof log of the boot chain. Those measurements are then leveraged to seal secrets, eg. a disk encryption key, or to report the state of the device to a remote server in cryptographically secure way, using a procedure known as remote attestation. Remote attestation has slowly gained traction over the last few years, most notably among cloud providers such as Azure, to guard access to online resources. It is also a key element in validating dynamic root-of-trust measurements (DRTM), which reduce the trusted computing base compared to traditional UEFI-based boot chains, but require a trusted third-party to validate the final state of the system. Unfortunately, little progress has been made recently to enable individual users without access to server resources to reap the benefits of remote attestation. This is particularly frustrating considering that almost everybody carries a small trusted server with them all the time: smartphones. Building upon an idea by Matthew Garrett (Linux Conference Australia, 2020), we introduce Ultrablue (User-friendly Lightweight TPM Remote Attestation over Bluetooth), a solution to securely inspect and validate a TPM event log from a phone. Ultrablue consists of a command-line attester, running on a computer, and an Android graphical application, running on a trusted phone, communicating over encrypted Bluetooth low-energy (BLE). Pairing the phone and computer is made easier and more secure through the use of a QR Code. After a trust-on-first-use provisioning phase to enroll the computer on the phone, the phone can check that the boot chain has not been compromised in later boots. Sample scripts and a self-contained virtual machine are also provided as a reference of how to integrate Ultrablue in the boot process to guard disk encryption by a secret delivered by the phone. Future work includes improving the user interface to inspect and validate unexpected event logs, adding support for more versatile verification policies, and integrating Ultrablue into existing hardened systems such as Safeboot (safeboot.net). The Ultrablue project has been developped at ANSSI (https://ssi.gouv.fr) by Loïc Falkau--Buckwell, under the supervision of Nicolas Bouchinet and Gabriel Kerneis.
MiniDiscChainBootingEncryptionServer (computing)Expected valueServer (computing)Mobile appCodeMedical imagingRemote procedure callSelf-organizationInheritance (object-oriented programming)LaptopCASE <Informatik>Connectivity (graph theory)Block (periodic table)NeuroinformatikClient (computing)BootingMeasurementGame controllerMinimal surfaceMiniDiscBitData storage deviceMessage passingChainPhysical systemKernel (computing)Information securityComputer animation
Information securityServer (computing)LaptopComputer animationProgram flowchart
PrototypeHacker (term)GradientLaptopClient (computing)Product (business)Remote procedure callComputer animation
Server (computing)Client (computing)SmartphoneLaptopEncryptionCodeBootingBootingControl flowChainAndroid (robot)MeasurementStack (abstract data type)Virtual machineLaptopoutputComputer hardwareQR codeRemote procedure callSoftware testingServer (computing)Client (computing)Key (cryptography)ResultantSelf-organizationVideoconferencingMultiplication signCASE <Informatik>Demo (music)MiniDiscTelecommunicationMereologyEncryptionComputer animation
Tablet computerEvent horizonBootingConfiguration spacePower (physics)State of matterKernel (computing)Hash functionCharacteristic polynomialVirtual machineMeasurementoutputPhysical systemQR codeTouchscreenGreatest elementInformation securityMultiplication signAndroid (robot)CryptographyServer (computing)MiniDiscMessage passingClient (computing)BootingContent (media)Module (mathematics)
Kernel (computing)Hash functionBootingEvent horizonInheritance (object-oriented programming)Hash functionInformationKernel (computing)Differenz <Mathematik>
Event horizonReading (process)Decision theoryServer (computing)Electronic signatureMechatronicsDependent and independent variablesCharacteristic polynomialMiniDiscMessage passingCASE <Informatik>FirmwareWeb browser
Limit (category theory)Level (video gaming)DivisorMiniDiscEncryptionUsabilitySample (statistics)Scripting languageExtension (kinesiology)Scripting languageDivisorSampling (statistics)Computer animation
Software testingLaptopStandard deviationBootingRight angleCommunications protocolComputer fileInformation securityLoginRemote procedure callSource codeMechanism designGradientProduct (business)BootingRun time (program lifecycle phase)Binary codeAndroid (robot)CodeVariety (linguistics)Computer animation
TouchscreenLaptopDynamical systemBootingMeasurementLevel (video gaming)RootMereologyMultiplication signElectronic signatureBootingProduct (business)BefehlsprozessorNeuroinformatikComputer animation
Chi-squared distributionMobile appVirtual machinePublic key certificateKey (cryptography)TelecommunicationElectronic mailing listPublic-key cryptographyOperating systemIdentity managementInformation securityMinimal surfaceSoftwareServer (computing)Software testingRight anglePhysicalismQR codeComputer hardwareComputer animation
Computer clusterEncryptionCodeOpen sourceLatent heatTwitterComputer configurationDistribution (mathematics)Message passingStack (abstract data type)Demo (music)Order (biology)Library (computing)Position operatorComputer animation
Program flowchart
Transcript: English(auto-generated)