On Friday, 6 March 2020 13:48:00 GMT Rich Freeman wrote:
> On Fri, Mar 6, 2020 at 3:50 AM Michael <confabul...@kintzios.com> wrote:
> > I have lost count with the naming scheme of Intel's embedded spyware to know if this is yet another vulnerability, or something to convince me to throw away the last Intel powered box still in my possession (mind you it's >10yr old):
> >
> > https://arstechnica.com/information-technology/2020/03/5-years-of-intel-cpus-and-chipsets-have-a-concerning-flaw-thats-unfixable/
>
> The article is actually pretty well-written. I haven't studied the issue in any depth but here are my impressions:
>
> 1. You need a firmware update to prevent software vulnerabilities.
> 2. Even with a firmware update you are vulnerable to somebody with physical access to your device.
>
> The whole issue centers around TPM essentially. This potentially impacts you if you don't care about TPM, but it impacts you more if you do care about TPM.
>
> If you don't use TPM (probably many on this list), then your main concern should just be with getting your firmware patched (#1 above). Otherwise you could be vulnerable to rootkits that hijack the TPM on your machine and use it to spy on you in hard-to-detect ways. Based on the article a firmware patch should block the ability for software to get into your TPM and mess with it. Then you're basically safe. If you aren't using TPM you're already vulnerable to somebody with physical access to your device, so there is no real change in the threat model for you.
>
> Now let's get to those who use TPM or the other impacted trusted services. You use these if:
> 1. You rely on secure boot (with any OS - Linux does support this though I imagine it is rare for Gentoo users to use it).
> 2. You rely on TPM-backed full disk encryption. This includes Bitlocker and most commercial solutions. This doesn't include LUKS. If your disk is unreadable if you remove it from the computer, but you don't need any password to boot it, then you're probably using TPM-backed encryption.
> 3. You are Netflix/etc and are relying on remote attestation or any of the technologies RMS would term "treacherous computing."
> 4. You are a corporate owner of computers and are relying on the same technologies in #3 but to actually protect your own hardware. Or maybe if you're the only person in the world using Trusted GRUB.
>
> If you fall into this camp you need to still update your firmware to address the non-TPM-user issue and to avoid making it trivial for software to steal your keys/etc. However, you need to be aware that you are no longer secure against physical theft of your device. Somebody who steals your laptop with passwordless encryption might be able to break the encryption on your device. They would need to steal the entire laptop though - if you throw out a hard drive nobody will be able to recover it from the trash. If you're Netflix I'm not sure why you're even bothering with this stuff because all your content is already available in full quality on torrent sites, but I guess you can lose even more sleep over it if you want to. If you're using secure boot then somebody with physical access might be able to change the authorization settings and let another OS boot. If you're a corporation with sensitive data you probably have the biggest impact, because you're distributing laptops to people who lose them and who don't have a ton of security hygiene to begin with.
>
> The only people who probably will consider replacing hardware are corporate users. Most on this list are going to be fine with a firmware update as you're probably not using the TPM features. Indeed, even getting those working on Linux is a PITA - I'm not aware of any distro that has TPM-backed encryption out of the box. Windows has this in the pro edition (Bitlocker) and it is probably fairly popular.
>
> If you use LUKS-based encryption you are going to be secure with patched firmware as long as nobody installs a keylogger on your device. That will be easier with the vulnerability, though somebody could just hack the keyboard hardware anyway and LUKS wouldn't protect you against that. TPM has pros and cons compared to LUKS in general. If you don't patch your firmware then it is possible a rootkit might get in there and steal your keys at boot time.
>
> If somebody has more to add from researching this more I'm all ears. Now I need to check if my Windows tablet with Bitlocker is vulnerable. This also shows the downside to TPM encryption - it is convenient but if somebody steals a laptop and just keeps it stored away they could always use a vulnerability like this to break in sometime in the future. It is probably still worth using as a minimum because it does protect against hard drive loss, and it works if your TPM isn't vulnerable.
Thanks for this analysis, Rich, quite thorough as usual. TBH I have avoided using TPM so far because it requires implicit trust in the OEM, and most observers and reports evidence that this is invariably misplaced. I seem to recall a TPM vulnerability (not sure which version, I think TPM2) which caused the TPM to always spew out the same limited number of ephemeral keys, making unwarranted entry by a determined attacker possible. This is another reason I don't trust obscure closed-code solutions like YubiKey.
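Rich's rule of thumb (disk unreadable once removed, but no password needed at boot, means TPM-backed encryption) can be checked on a Linux box by reading the LUKS2 header rather than guessing. The Python check below is an added example, not code from this thread or from cryptsetup/systemd; it assumes the JSON layout printed by `cryptsetup luksDump --dump-json-metadata` and the `systemd-tpm2` token fields (`keyslots`, `tpm2-pin`) that systemd-cryptenroll writes, and it runs on a constructed sample header.

```python
import json

# Constructed sample of the JSON that `cryptsetup luksDump
# --dump-json-metadata <dev>` prints for a LUKS2 volume: keyslot 0 is a
# plain passphrase slot, keyslot 1 was bound to the TPM by
# systemd-cryptenroll. Token field names follow the systemd-tpm2 token
# format as I understand it (an assumption); all values are invented.
TPM_BOUND_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2", "key_size": 64},
                 "1": {"type": "luks2", "key_size": 64}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"],
                     "tpm2-pcrs": [7], "tpm2-pcr-bank": "sha256",
                     "tpm2-pin": False, "tpm2-blob": "<constructed>"}},
})

# Same layout for a volume that only has a passphrase slot (constructed).
PASSPHRASE_ONLY_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2", "key_size": 64}},
    "tokens": {},
})


def classify_keyslots(metadata_json):
    """Map each LUKS2 keyslot id to how it can be opened.

    'passphrase' : no token references the slot, a user secret is required
    'tpm2'       : sealed to this machine's TPM, opens with no user input
    'tpm2+pin'   : sealed to the TPM but also needs a PIN
    'token:<t>'  : referenced by some other token type
    """
    meta = json.loads(metadata_json)
    result = {slot: "passphrase" for slot in meta.get("keyslots", {})}
    for token in meta.get("tokens", {}).values():
        kind = token.get("type", "unknown")
        for slot in token.get("keyslots", []):
            if kind == "systemd-tpm2":
                result[slot] = "tpm2+pin" if token.get("tpm2-pin") else "tpm2"
            else:
                result[slot] = f"token:{kind}"
    return result


def unlocks_without_user_secret(metadata_json):
    """True when some slot opens from the TPM alone. That is the case Rich
    describes: the bare disk is useless to a thief, but the whole laptop,
    kept until a TPM/firmware flaw turns up, is not."""
    slots = classify_keyslots(metadata_json)
    return any(kind == "tpm2" for kind in slots.values())
```

On a real system, feed it the output of `cryptsetup luksDump --dump-json-metadata /dev/<luks-device>` in place of the sample; a `tpm2` result is the passwordless case the thread warns about, `tpm2+pin` or `passphrase` still needs something the thief does not have.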