Collaborate Disseminate
Within the measured boot process, consider a scenario where I aim to create a measurement for a specific piece of code, perhaps, for illustrative purposes, a potentially malicious operating system. so i know that the PCR is read and extend… Continue reading How does measured boot work using TPM
During remote attestation, a device sends the server the EK certificate, AK public, AK name. By using tpm2_makecredential/tpm2_activatecredential, the attestation sever can confirm that:
the EK is resident in the device TPM, and
the AK th… Continue reading How to bind TPM2.0 AK to the "AK name" used in tpm2_makecredential, and how is trust established in AIK?
I have to store a document (e.g. a JSON file) on a remote PC (that my App is running on) alongside a signature to be able to verify that this file was signed by me. I have no access to this PC nor does this PC have access to the internet. … Continue reading How to prevent public key tampering
So, before this year, when you were using WebAuthN to create security keys on an up to date Android phone (Pixel 6 in my case), you had these options (iirc):
When creating a platform authenticator, you were offered Fingerprint/Passcode. Wh… Continue reading Did Android remove Fingerprint/Passcode for WebAuthN and lower security to push Passkeys?
I’ve also checked with systemd-analyze pcrs if PCRs are the same at every reboot, and they are.
Only at first reboot I don’t know why the only PCRs that change are 8,9,10 lol(I don’t know why)… but in next reboots they are always the sam… Continue reading Why is my TPM bugged? If I enable checks on PCR 8,9,10, it ALWAYS asks for decryption password even if it shouldn’t [migrated]
In my laptop I’ve set up a bios password when I power on the laptop, and once I enter it the laptop starts my linux distro and decrypts the disk without asking any other password. To do this I’ve set up TPM to automatically decrypts the di… Continue reading Why the TPM PCRs does not consider a UEFI settings change? If someone resets CMOS, it’s undetected
When interfacing with a TPM 2.0 device, you can request that it calculate the TPM’s Endorsement Keys as "Primary" Objects using CreatePrimary. As I understand it, the TPM’s singular Endorsement Primary Seed (EPS) can be used to g… Continue reading What are the Symmetric Algorithm, Scheme, and KDF parameters used for in TPM2 CreatePrimary?
I am trying to understand the risks of configuring passwordless decryption via TPM of a LUKS/dm-crypt system with something like:
systemd-cryptenroll –tpm2-device=auto –tpm2-pcrs=0+1+2+3+4+5+7+8 /dev/disk/by-uuid/XXX-XXX
The idea would … Continue reading Using TPM to unlock LUKS/dm-crypt volume
I’d like to define a TPM access policy that allowlists multiple different values for certain PCRs. Hence, i’d like a policy like this:
(PolicyOR(PolicyPCR(value1,pcr4),PolicyPCR(value2,pcr4),PolicyPCR(value3,pcr4)) AND PolicyOR(PolicyPCR(v… Continue reading Can I set up a TPM2 policy that ANDs multiple OR policies?
Curl was recently notified of a CVE, CVE-2020-19909, rated at a hair-raising 9.8 on the CVSS scale. And PostgreSQL has CVE-2020-21469, clocking in with a 7.5 severity. You may notice …read more Continue reading This Week in Security: Not a Vulnerability, BGP Bug Propogation, and Press Enter to Hack