On 04/04/2017 02:27 AM, Vít Šesták wrote:
> That sounds interesting. Well, I don't think Opal provides a better protection, but it comes with a potentially lower price.
> I'll try to compare level of protection, correct me if I am wrong:
Ok, ;)
> Persistent malware installed from a running system: Both are rather clueless unless you decide to lock the system very much.
> In practice, you would have to prevent even autostart of custom bash scripts.
This startup code is the domain of IMA measurement, TPM or otherwise.
This has to happen before Opal or Software Encryption is unlocked. To
use the TPM your code must be in control to perform the IMA. That code
then must be protected from tampering, like being set read-only in
hardware. Software write protect won't help.
> SSD/HDD-based cold Evil Maid attack: Both can protect you from SSD/HDD tampering. (Provided that
> you consider the poor man's authentication as a real protection, i.e., you believe that the dm-crypt
> encryption is not *practically* malleable.) Worth noting, this is likely to be the most common scenario,
> since iit does not need to handle various BIOSes etc.
> Tampered firmware combined with DMA attack: TPM theoretically could protect you, Opal cannot.
> BIOS-related attacks: It depends. If attacker flashes BIOS, TPM might help you, while Opal cannot.
TPM can help in that the "secrets" are stored in the TPM hardware and
are not accessible to the BIOS or DMA directly. To get into the TPM the
malware would need the TPM administrative password which is not
generally used thus not available to make modifications. During software
updates that modify the IMA PCR value you will likely need the
administrative key to bond the drive to the new PCR value.
It the Opal drive is locked by the TPM PCR registers then the Opal drive
can only be opened for use if the magic value (correct measurement) is
obtained during startup. Once the drive is decrypted and the OS is
loaded then the DMA/BIOS is of course able to continue the attack.
Basically if you have a bad BIOS its game over, so the IMA must be sure
to check for this without relying on the BIOS itself to do it, and
purposely fail to unlock/boot if anything is detected. DMA attacks
likely depend on things like rootkits in your GPU/Network-card that
become resident even before your OS, so those BIOS's must be checked as
well, its debatable as to how effective that would be depending on how
intelligent the malware is.
Opal is designed to prevent you from gaining access to code/data before
the system has been verified, or the password is supplied by the user.
If its the actual boot drive you can load some code called the Pre-Boot
Authorization (PBA) onto the drive, that can be loaded to take care of
collecting keys, authentication, or whatever, before the drive is
unlocked and presents the OS/Data proper.
If the key for software encryption exists on the un/decrypted system
then BIOS/DMA have access to it, but not true for Opal. For either
Software or Opal the key can be stored in/by the TPM so that it is
encrypted by the TPM/KEK or stored in its internal NVRAM where it can
not be touched.
> But if attacker tries to maliciously modify some SSD/HDD data that BIOS parses in order to
> perform buffer overflow in BIOS, Opal could prevent this, while TPM
might be clueless.
I'm not sure I quite follow this line of questioning, so correct me if I
misunderstood you question.
Either SSD or HDD will store what you tell it, and you could tell either
to scramble its MBR, superblock, or any of their filesystem pages
causing the parsing of it troublesome. In the Opal drive these bits
naturally get scrambled and descrambled by using the same key, and for
SSD's they may get cached out to different memory chip pages to level
out the wear on the memory. No surprise there. Garbage in Garbage out.
The TPM is always clueless, because it is not an active processor, but
rather stores the current state derived by prior actions. During IMA for
instance you can tell it to take a hash and cryptographically increment
(extend is the correct term) a PCR value that you can then read but can
not change the value. BIOS nor DMA can overwrite that value but could
reset it back to zero for a denial of service. They can not force it to
take on a magic value that unlocks anything, nor unlock any key when
bound to a PCR. They could continually extend the PCR until it has the
value they want, but that is like trying for a SHA256 hash collision.
> Copy attack: Attacker might take an identical model of the SSD and
> copy all data there, effectively disabling the Opal protection. But
> maybe if attacker has enough time to perform such tampering, you
> are already out of luck, since she can instal keyloggers etc.
Once the data is exposed by unlocking, it is accessible, just like any
other storage device. So naturally malware can copy it elsewhere.
You can however layer a software session key on top of that device
encryption and store data in encrypted application level streams. One
could build an infrastructure such that an API provides an encrypted
streaming capability for subsets of cooperative processes thus making
all data at rest, even on the same drive, all have different sets of
decryption keys. The applications do not need to do more than open a
file while the TPM/API & encrypted Policy selects a descriptor for each
session stream. Obviously encryption hardware would be needed to stop
BIOS/DMA attacks on this. The TPM is far too inefficient to act as a
stream processor, but maybe in TPM 3.0? If so then even the application
would not need to know the key it is using, so buffer overruns won't
help the bad guy steal the key or decrypt that stream.