How does TPM2 MITM protection fit into Heads?

[JonathonHall-Purism]

With TPM2, it's possible to ensure that there is not an attacker intercepting the connection to the TPM. (We check the primary handle against a known value when setting up the encrypted session, this is similar to SSH known_hosts.) TPM1.2 does not have this at all, this is TPM2 only.

The current method stores a digest of the primary handle in /boot, and signs it. But this does not seem effective against an attacker that can open the device, which is necessary to MITM the TPM. (A device-opening attacker could gain access to the TOTP/HOTP secret, which means they could alter the firmware. They could remove the MITM check or just intercept whatever they want from the firmware, no need to MITM the TPM.)

An alternative I can think of is to extend the TOTP/HOTP secret with the primary handle digest, so a change in the primary handle (an MITM attack) would cause TOTP/HOTP verification to fail. (E.g. the TOTP/HOTP secret would become sha256(unsealed_secret + prim_handle_digest).) This does not require storing any trust anchor for the TPM on the device itself, essentially it's stored on the TOTP/HOTP authenticator. But I'm also not sure whether this gains any security guarantee against a device-opening attacker.

Either way, I tend to think the primary handle digest on /boot is ineffective, so we should remove it to eliminate the headaches it causes currently.

Originated from discussion in #1630 (comment)

[tlaurion]

Note that code refers to comment, not here

heads/initrd/bin/tpmr

Lines 360 to 365 in 3fef9e0

	tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE"
	#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" > /dev/null 2>&1
	#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" > /dev/null 2>&1
	tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE"

Error on console was suppressed successfully (first attempt was unsuccessful) under tlaurion@25d88f2

@JonathonHall-Purism

[tlaurion]

Note that code refers to comment, not here

heads/initrd/bin/tpmr

Lines 360 to 365 in 3fef9e0

	tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE"
	#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" > /dev/null 2>&1
	#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" > /dev/null 2>&1
	tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE"

Error on console was suppressed successfully (first attempt was unsuccessful) under tlaurion@25d88f2

@JonathonHall-Purism

Concerned user raised discussion for firmware older then 3 weeks ago, didn't see the error on screen being new after upgrade of tpm2 toolstack, today at
https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$YGvznhSP5qAh0gK2Nbzw9KkunSUboiEMA3EsheWozUs?via=matrix.org&via=nitro.chat&via=tchncs.de

[tlaurion]

@JonathonHall-Purism to be prioritized alongside of of hotp counter eradication, see #1873 (comment) in goal of supporting unsafe usb boot