Collaborate Disseminate
In my laptop I’ve set up a bios password when I power on the laptop, and once I enter it the laptop starts my linux distro and decrypts the disk without asking any other password. To do this I’ve set up TPM to automatically decrypts the di… Continue reading Why the TPM PCRs does not consider a UEFI settings change? If someone resets CMOS, it’s undetected
When interfacing with a TPM 2.0 device, you can request that it calculate the TPM’s Endorsement Keys as "Primary" Objects using CreatePrimary. As I understand it, the TPM’s singular Endorsement Primary Seed (EPS) can be used to g… Continue reading What are the Symmetric Algorithm, Scheme, and KDF parameters used for in TPM2 CreatePrimary?
I am trying to understand the risks of configuring passwordless decryption via TPM of a LUKS/dm-crypt system with something like:
systemd-cryptenroll –tpm2-device=auto –tpm2-pcrs=0+1+2+3+4+5+7+8 /dev/disk/by-uuid/XXX-XXX
The idea would … Continue reading Using TPM to unlock LUKS/dm-crypt volume
I’d like to define a TPM access policy that allowlists multiple different values for certain PCRs. Hence, i’d like a policy like this:
(PolicyOR(PolicyPCR(value1,pcr4),PolicyPCR(value2,pcr4),PolicyPCR(value3,pcr4)) AND PolicyOR(PolicyPCR(v… Continue reading Can I set up a TPM2 policy that ANDs multiple OR policies?
Curl was recently notified of a CVE, CVE-2020-19909, rated at a hair-raising 9.8 on the CVSS scale. And PostgreSQL has CVE-2020-21469, clocking in with a 7.5 severity. You may notice …read more Continue reading This Week in Security: Not a Vulnerability, BGP Bug Propogation, and Press Enter to Hack
Security threat: physical theft of a laptop and a server that use TPM2 auto unlock FDE with LUKS. In both cases the TPM checks against some PCRs before unsealing the key. The laptop prompts for a TPM PIN, the server doesn’t. The attacker i… Continue reading PCR to prevent TPM2 key unsealing in case of rogue DMA devices connected?
Security Engineer [Guillaume Quéré] spends the day penetration testing systems for their employer and has pointed out and successfully exploited a rather obvious weakness in the BitLocker full volume encryption …read more Continue reading Bypassing Bitlocker with a Logic Analzyer
I have a stateless machine that is PXE booting from some host, and I’m curious if there is some clever way to achieve host authentication by only using the TMP (No UEFI Secure Boot).
For obvious reasons, I cannot really use code downloaded… Continue reading Using a TPM for host authentication during PXE boot
I have a remote client A which wants to communicate securely with a server B having a discrete TPM. My understanding is that each TPM normally come with a endorsement key from manufacture like Infineon. Therefore, client A can validate cli… Continue reading How to wrap/unwrap with TPM2 endorsement key
I have a remote client A which wants to communicate securely with a server B having a discrete TPM. My understanding is that each TPM normally come with a endorsement key from manufacture like Infineon. Therefore, client A can validate cli… Continue reading How to wrap/unwrap with TPM2 endorsement key