Discussion on Purism

skyvine · June 1, 2024, 2:36pm

I understand that the TPM is a passive chip. The point about checking timing does not require that the TPM is active. It can check the time as part of processing the requests it receives.

TommyTran732 · June 1, 2024, 7:16pm

There is no timing difference to be checked if the firmware already knows which value to use to lie to the TPM

skyvine · June 6, 2024, 10:21am

The paper describes sending data to the TPM in multiple pieces, not all at once. You can send a value to “extend” a current value which the TPM will combine internally. So the TPM could be programmed to expect that a specific number of values are sent within a specific set of time windows, and that the final value which the TPM calculates based on the series of inputs matches the expected value.

For the benefit of anyone reading this thread, I again want to emphasize that I am speaking only in theory. I do not know whether or not this logic is implemented in Librem hardware and I make no claim that it is or is not implemented.

FranklyFlawless · June 7, 2024, 9:14am

More photos of the Librem 16 prototype:

My response:

fsflover · July 5, 2024, 9:35pm

This is a ridiculous statement. Everyone has their own threat model and this one can be good enough for some people. Also @marmarek disagrees with you. Also AFAIK it’s the only way to provide security while keeping the user ownership of the hardware without blind trust in any corporation, including Purism.

Discussed here: https://forum.qubes-os.org/t/how-exactly-is-heads-pureboot-secure/23092. Key link from there: Notes on how to audit a maximized flashed firmware image · Issue #107 · linuxboot/heads-wiki · GitHub

TommyTran732 · July 6, 2024, 2:50am

This is a ridiculous statement. Everyone has their own threat model and this one can be good enough for some people.

It is objectively worse than Boot Guard, which is available on standard laptops. You haven’t even pointed out how it is not theatre, especially when compared to Boot Guard.

Also @marmarek disagrees with you.

No he doesn’t. You can’t defend an attacker with a programmer. The glitter business is pure luck, and you wouldn’t notice it until it’s too late.

Also AFAIK it’s the only way to provide security while keeping the user ownership of the hardware without blind trust in any corporation, including Purism.

Except its not how the world works, and entities like Intel are still part of the TCB. You just crippled security by making it possible for an attacker to be able to flash malicious firmware and still has it boot normally.

What ownership? You can’t even make the device not boot malicious firmware.

Discussed here: https://forum.qubes-os.org/t/how-exactly-is-heads-pureboot-secure/23092. Key link from there: Notes on how to audit a maximized flashed firmware image · Issue #107 · linuxboot/heads-wiki · GitHub

Exactly. I made that discussion. Nothing in that thread contradicts what I said. This is substantially worse than Boot Guard and cannot protect against tampering like Boot Guard can. Did you even read what you linked?

catacombs · July 6, 2024, 2:16pm

I thought the glitter nail polish could create a unique pattern that would be difficult to duplicate.

The pattern could be examined by an App on my phone, and compared to a previous image. Images could be routinely send – to another computer to verify that I am using the correct one.

Or is the image of glitter nailpolish easy to duplicate?
Or is the compare program on the phone not accurate enough?
Or the entropy of the glitter nail pollsh have too low an entropy?

I would not be surprised that groups like the NSA could duplicate an entropy image. They can spend a lot of money to create new technologies that can accomplish nearly anything.

renehoj · July 6, 2024, 2:55pm

Sure, on a long enough timeline, the survival rate of anything drops to zero.

They probably also have access to the source code used by all the major laptop manufacturers, and can easily produce modified firmware for any major brand laptop. Then they just need to get the manufacturer to signed it, if they don’t have their own copy of the Boot Guard signing key.

The same people that can “easily” break into your house and flash a modified version of Heads, can just as easily do the same thing with Boot Guard protected devices, the Boot Guard signing key is not a fortress.

Insurgo · July 6, 2024, 6:14pm

Flashkeeper will happen:

github.com/linuxboot/heads-wiki

Notes on how to audit a maximized flashed firmware image

opened 05:41PM - 25 Nov 22 UTC

tlaurion

This is raw notes. This will get edited multiple times prior of having a base to… create a wiki page. The quick way, no-brainer, is to reflash the same downloaded/compiled firmware and keeping settings, as already documented at: https://osresearch.net/Updating#reflashing-the-same-firmware Unless flashrom itself was compromised (meaning that the payload is tampered), reflashing the same firmware image using the menu options to flash new firmware while keeping settings will reflash IFD+ME+GBE+coreboot+payload+current CBFS files. Since coreboot measures its bootblock + ramstage+romstage+payload, and then Heads measures added CBFS content, TOTP/HOTP measurements should be the same, and TOTP/HOTP unsealing of secrets should match. But that doesn't answer the introspection need of some users to actually validate that the firmware components are actually in the expected state. And those notes, even better, if translated into code, should answer those needs. ----- # Taking an internal backup of the firmware to be inspected externally From Heads Recovery console, one can easily obtain actual BOARD_NAME and FW_VER that includes the bits we want to differenciate properly the actual board and flashed Heads commit ID in case we want to go back. From Heads recovery shell, with a USB thumb drive ready to receive backup, we mount usb drive in read+write and we take a backup with proper naming scheme: ``` mount-usb rw flashrom -p internal -r /media/$CONFIG_BOARD-$(echo $FW_VER|awk -F ' ' '{print $2}'_backup.rom umount /media ``` # Extracting content from that firmware image for validation Unfortunately, coreboot-utils are precompiled for a limited number of distributions today. I'll take for granted here that debian12 is installed under QubesOS (see unman's repo https://qubes.3isec.org/Templates_4.1/) Then a quick `sudo apt install coreboot-utils binwalk` will make the tools available with/without sudo. Each Heads board's build comes with a hashes.txt file. It is either dowloadable from CircleCI artifacts, or can be seen, and copy pasted from a build's output given on screen. Following download instructions will lead you to the hashes step of any CircleCI build: https://osresearch.net/Downloading Now. After having mounted our USB thumb drive under a debian-12 based qube with tools installed, from command line, having passed the USB thumb drive to our newly booted qube: ``` sudo mount /dev/sda1 /media mkdir -p /tmp/inspection cp /media/x230-hotp-maximized-Heads-v0.2.0-1296-g139ecb8_backup.rom /tmp/inspection cd /tmp/inspection ``` And then we work on our copied to memory image. We can extract partitions not managed from coreboot actual versions measurements: ``` user@heads-backup-extraction:/tmp/inspection$ ifdtool -x x230-hotp-maximized-Heads-v0.2.0-1296-g139ecb8_backup.rom File x230-hotp-maximized-Heads-v0.2.0-1296-g139ecb8_backup.rom is 12582912 bytes Flash Region 0 (Flash Descriptor): 00000000 - 00000fff Flash Region 1 (BIOS): 0001b000 - 00bfffff Flash Region 2 (Intel ME): 00003000 - 0001afff Flash Region 3 (GbE): 00001000 - 00002fff Flash Region 4 (Platform Data): 00fff000 - 00000fff (unused) user@heads-backup-extraction:/tmp/inspection$ ls -al total 24592 drwxr-xr-x 3 user user 4096 Nov 25 10:56 . drwxrwxrwt 12 root root 4096 Nov 25 11:22 .. -rw-r--r-- 1 user user 4096 Nov 25 12:05 flashregion_0_flashdescriptor.bin -rw-r--r-- 1 user user 12472320 Nov 25 12:05 flashregion_1_bios.bin -rw-r--r-- 1 user user 98304 Nov 25 12:05 flashregion_2_intel_me.bin -rw-r--r-- 1 user user 8192 Nov 25 12:05 flashregion_3_gbe.bin -rw-r--r-- 1 user user 12582912 Nov 25 10:14 x230-hotp-maximized-Heads-v0.2.0-1296-g139ecb8_backup.rom ``` Here one could compare ME against what is downloaded and extracted from Heads scripts, GBE and IFD configs against what is stored under Heads tree. But most questions are related to the firmware integrity itself, Heads itself: ``` user@heads-backup-extraction:/tmp/inspection$ cbfstool x230-hotp-maximized-Heads-v0.2.0-1296-g139ecb8_backup.rom print FMAP REGION: COREBOOT Name Offset Type Size Comp cbfs master header 0x0 cbfs header 32 none fallback/romstage 0x80 (unknown) 85100 none cpu_microcode_blob.bin 0x14d80 microcode 26624 none fallback/ramstage 0x1b600 (unknown) 97676 none config 0x33400 raw 834 none revision 0x33780 raw 691 none fallback/dsdt.aml 0x33a80 raw 14615 none vbt.bin 0x37400 raw 1433 LZMA (4281 decompressed) cmos_layout.bin 0x37a00 cmos_layout 1884 none fallback/postcar 0x381c0 (unknown) 25816 none fallback/payload 0x3e700 simple elf 7320519 none heads/initrd/.gnupg/pubring.kbx 0x739b00 raw 11549 none heads/initrd/.gnupg/trustdb.gpg 0x73c880 raw 1320 none heads/initrd/etc/config.user 0x73ce00 raw 22 none (empty) 0x73ce80 null 4337432 none bootblock 0xb5fdc0 bootblock 65536 none ``` Here again, a lot of stuff there. # Get build hashes for current rom x230-hotp-maximized-Heads-v0.2.0-1296-g139ecb8_backup.rom is commit 139ecb8 We go over https://github.com/osresearch/heads/commit/139ecb8 We click grewn mark, follow the rabbit to the build for x230-hot-maximized at https://app.circleci.com/jobs/github/osresearch/heads/5448, click the "Output hashes" if this is an old build without artifacts, and copy the output of the hashes there to a local hashes.txt file we make sure to have available for our situation. We can directly save the output from CircleCI's Download Icon, which in our case leads to https://circleci.com/api/v1.1/project/github/osresearch/heads/5448/output/104/0?file=true&allocation-id=63751e76e6fb893f12bf3473-0-build%2F97AF006 From now on I consider we have that file saved into hashes.txt to be used locally. # Extract content from coreboot's payload ``` user@heads-backup-extraction:/tmp/inspection$ mkdir -p payload_content user@heads-backup-extraction:/tmp/inspection$ cbfstool x230-hotp-maximized-Heads-v0.2.0-1296-g139ecb8_backup.rom extract -n fallback/payload -f payload_content/payload -m x86 ``` We now have coreboot's payload. ``` user@heads-backup-extraction:/tmp/inspection/payload_content$ ls -al total 7180 drwxr-xr-x 2 user user 4096 Nov 25 12:22 . drwxr-xr-x 3 user user 4096 Nov 25 10:56 .. -rw-r--r-- 1 user user 11525 Nov 25 10:58 hashes.txt -rw-r--r-- 1 user user 7328543 Nov 25 12:14 payload ``` We extract the content with binwalk ``` user@heads-backup-extraction:/tmp/inspection/payload_content$ binwalk --extract payload DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 ELF, 32-bit LSB executable, Intel 80386, version 1 (SYSV) 13013 0x32D5 xz compressed data 2072933 0x1FA165 MySQL MISAM compressed data file Version 8 2910340 0x2C6884 bix header, header size: 64 bytes, header CRC: 0xE802F8, created: 2106-02-07 01:21:09, image size: 186 bytes, Data Address: 0x1000000, Entry Point: 0x83BB9000, data CRC: 0x50F, compression type: none, image name: "" 2923392 0x2C9B80 xz compressed data 3035935 0x2E531F xz compressed data user@heads-backup-extraction:/tmp/inspection/payload_content$ ls -al total 7184 drwxr-xr-x 3 user user 4096 Nov 25 12:22 . drwxr-xr-x 3 user user 4096 Nov 25 10:56 .. -rw-r--r-- 1 user user 11525 Nov 25 10:58 hashes.txt -rw-r--r-- 1 user user 7328543 Nov 25 12:14 payload drwxr-xr-x 2 user user 4096 Nov 25 12:22 _payload.extracted user@heads-backup-extraction:/tmp/inspection/payload_content/_payload.extracted$ ls | while read file; do sha256sum $file; done | while read line; do hash=$(echo $line | awk -F " " '{print $1}'); file=$(echo $line | awk -F " " '{print $2}'); grep $hash ../hashes.txt && echo "we have match for $hash in $file"; done b3387d6b04c6246198638a46a2fec5bb7623a99a97189a26c5e019524aef8992 build/x86/x230-hotp-maximized/initrd.cpio.xz we have match for b3387d6b04c6246198638a46a2fec5bb7623a99a97189a26c5e019524aef8992 in 2E531F.xz ``` So we have a matching initrd.cpio.xz into 2E531F.xz We could dig more into that, and will (after all, everything hashes.txt is detailing why we have a match for the payload). # hashes.txt can be used under recovery shell to verify hashes of the initrd binaries The paths undr hashes.txt are relative. If we have hashes.txt under USB thumb drive, from Heads recovery shell: cd / mount-usb sha256sum -c /media/hashes.txt Will give OK reports for all files that were found, including libraries and binaries and scripts user by heads, as seen under # Check bzImage Unfortunately, this requires CircleCI bzImage since mathing can only be made against decompressed binary. After our binwalk --extract command: ``` user@heads-backup-extraction:/tmp/inspection/payload_content$ cd _payload.extracted/ user@heads-backup-extraction:/tmp/inspection/payload_content/_payload.extracted$ ls 2C9B80.xz 2E531F 2E531F.xz 32D5 32D5.xz user@heads-backup-extraction:/tmp/inspection/payload_content/_payload.extracted$ wget -O extract-vmlinux https://raw.githubusercontent.com/torvalds/linux/master/scripts/extract-vmlinux user@heads-backup-extraction:/tmp/inspection/payload_content/_payload.extracted$ chmod +x ./extract-vmlinux user@heads-backup-extraction:/tmp/inspection/payload_content/_payload.extracted$ ls -al total 47316 drwxr-xr-x 2 user user 4096 Nov 25 12:34 . drwxr-xr-x 3 user user 4096 Nov 25 12:22 .. -rw-r--r-- 1 user user 4405151 Nov 25 12:22 2C9B80.xz -rw-r--r-- 1 user user 12882944 Nov 25 12:22 2E531F -rw-r--r-- 1 user user 4292608 Nov 25 12:22 2E531F.xz -rw-r--r-- 1 user user 19528104 Nov 25 12:22 32D5 -rw-r--r-- 1 user user 7315530 Nov 25 12:22 32D5.xz -rwxr-xr-x 1 user user 1695 Nov 25 12:34 extract-vmlinux user@heads-backup-extraction:/tmp/inspection/payload_content/_payload.extracted$ ./extract-vmlinux 32D5 > vmlinux_local ``` Download bzImage from CircleCI artifact ``` user@heads-backup-extraction:/tmp/inspection/payload_content/_payload.extracted$ ./extract-vmlinux bzImage > vmlinux_remote user@heads-backup-extraction:/tmp/inspection/payload_content/_payload.extracted$ diff vmlinux_local vmlinux_remote user@heads-backup-extraction:/tmp/inspection/payload_content/_payload.extracted$ ```

TommyTran732 · July 9, 2024, 7:59pm

Are you gonna check the glitter nail every time you boot your computer? Or are you gonna slip and ignore it from time to time?

catacombs · July 9, 2024, 10:59pm

maybe just when the computer was outside my control.

But my question was. Is it really a waste of effort, even if I checked it every time I was about to boot up?

EDIT: 7-11-2024

Tommy Tran raises a good point. I am not likely to do this test at every time I power up computer. Even if I did the test once a day. I would have some means to detect if something had gone wrong.

Let me say it another way. I don’t trust in any one method to make my computer efforts perfectly secure.

But

I want to do what I can to make it difficult for anyone else to interfere with my computer security.

However, even if I felt the Entropy in glitter finger nail paint was great enough to offer some means of verifying the computer had not been opened, my next problem is whether the phone app that measures the glitter, had not been corrupted.

lion · July 12, 2024, 2:46pm

I am just speculating, but securing the pureboot (Heads) TPM could be maybe improved like this, assuming the TPM is passive:

Level +1: Purism would include in the firmware a user/personal passphrase chosen by flashing the firmware and encrypted by the librem key…At boot, it would display the passphrase so that the user should be aware of tampering (replaced firmware). So, if the firmware is replaced with a corrupted firmware version, ti would not display the correct passphrase. How couldd the corrupted firmware lie? The hack would be to read the firmware, extract the passphrase and include it at the write place in the corrupted one, build the firmware and hack, This would need time.
Level +2: the passphrase could be stored in a separate chip on the hardware, encrypted by the librem key, maybe.

Insurgo · July 25, 2024, 7:25pm

@TommyTran732 : Are you going to check the news and replace opsec by blind faith every time you boot your computer? Or are you gonna slip into denial from time to time, not considering that key leaks are not a question of “if”, but “when” and “how” with OTP?

Just happened:

Current and past leaks:

Convenience vs security. Nothing else.

Insurgo · July 25, 2024, 7:53pm

I updated Heads conferences and lectures. Pureboot is a fork of Heads.

Conferences and papers About | Heads - Wiki
Article: About | Heads - Wiki
Community: Community | Heads - Wiki

TommyTran732 · July 25, 2024, 10:39pm

Are you going to check the news and replace opsec by blind faith every time you boot your computer? Or are you gonna slip into denial from time to time, not considering that key leaks are not a question of “if”, but “when” and “how” with OTP?

Secure Boot is completely broken on 200+ models from 5 big device makers

I do follow the news, yes. Also, I have 0 clue what you are even trying to say here. This is a case of the UEFI Secure Boot Platform Key being leaked, and not Boot Guard keys.

Just enroll your own PK and it would solve the issue, idk what the big deal is. It’s not permanently tied to the device.

To compromise a reasonable computer with Boot Guard, and assuming there is no serious vulnerabilities with the firmware, you need to:

Have physical access (specifically, they have to open up the laptop and flash to the EEPROM).
Either do a downgrade attack or have a leaked key

If the attacker has physical access, they can just defeat Heads anyways, where as with Boot Guard, they need some sort of exploit to defeat PCR 0 when doing a downgrade attack or have a leaked key.

If I have a device with leaked Boot Guard keys and I am aware of it, I will just buy a different device. I also follow the good security practice of switching devices before it goes EOL, so its not like I am stuck with the same device/key forever.

If I have a device with leaked Boot Guard keys and I am not aware of it, well, it only goes down to about as insecure as Heads. I don’t see what how “keys sometimes get leaked” justifies using Heads over Boot Guard.

Insurgo · July 29, 2024, 6:19pm

This post is an echo chamber. I would recommend joining Slack OSFW group security-discuss channel, where all expert people discuss those things. Heads is attempting to change things but cannot work alone. We miss RoT anchor which cannot be bootguard. Whatever you think.

You can read PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem and believe what you want, really.

I won’t loose my time explaining things again and again, I gave up on that. At best you sound like an employee of Intel, trying to defend a rotten architecture with trust anchors and programmed obsolescence policies going against everything transparency the ecosystem actually needs to move forward with.

Give a PoC showing measured boot and bootblock is dead. You will get everyone’s attention. Otherwise you just promote status quo. Not sure it’s helpful, but you do you.

TommyTran732 · July 29, 2024, 6:41pm

You can read PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem and believe what you want, really.

So what? You didn’t know the PK can be enrolled by the user? Or you didn’t know changing the PK trips the PCRs?

Leaked PK is a legitimate issue, but you are pretending like the user can’t just trivially enroll their own. Last I remember, I enroll my own PK on my Linux laptops.

And no, the attackers can’t just change the PK without me knowing. PCR 7 will trip and the encryption key will not get released.

I won’t loose my time explaining things again and again, I gave up on that. At best you sound like an employee of Intel, trying to defend a rotten architecture with trust anchors and programmed obsolescence policies going against everything transparency the ecosystem actually needs to move forward with.

No man. I just hate it when people advocate for stuff that are objectively worse than the status quo, then pretend like it’s secure to sell overpriced products. Pretty unethical don’t you think?

trying to defend a rotten architecture with trust anchors

If you legitimately think Heads is somehow better than Boot Guard, then leaked Boot Guard keys would be amazing, wouldn’t it? Now you can sign your own firmware with their keys

Give a PoC showing measured boot and bootblock is dead. You will get everyone’s attention. Otherwise you just promote status quo. Not sure it’s helpful, but you do you.

So is this the classic “my logic is obviously broken but I will pretend like it’s not an issue until you write a POC”?

fsflover · July 29, 2024, 8:49pm

You just conveniently ignored the main point of Heads, which is transparency, verifiability and openness. Maybe Qubes isn’t for you, since you do not value that?

This is only obvious for you and nobody else. A PoC would make it obvious for other people, too, if it was your goal.

TommyTran732 · July 29, 2024, 9:20pm

You just conveniently ignored the main point of Heads, which is transparency, verifiability and openness.

So what? It’s less secure than Boot Guard, so don’t sell it as a more secure product for thousands of dollars. I wouldn’t have a that big of a problem with Purism if they didn’t claim it’s “high security” and “for people at risk”. That just crosses an ethical line that really shouldn’t be crossed.

Maybe Qubes isn’t for you, since you do not value that?

Since when did you get to decide what I value and why I use a particular operating system?

Let me tell you what… I value maintainability and security above all else. I daily drove Qubes in the past because it was the most secure system that I could reasonably use and maintain. Nowadays I mainly use a different setup with better security properties for what I need and Qubes is mostly for anonymously browsing the internet. This is what works for my threat model.

I care plenty about “transparency, verifiability and openness”, unlike your characterization. But that comes after security. I make plenty of open source stuff (permissively licensed btw) and contribute to various projects, but I don’t go around smearing other people because their stuff is proprietary, and pretending like my stuff is more secure.

This is only obvious for you and nobody else.

I explained the immutable RoT stuff countless time. I am fairly sure other people understand that if you don’t have a immutable RoT, an attacker can just replace your RoT and compromise you from there.

fsflover · July 29, 2024, 9:46pm

This completely depends on your threat model. Please do not force your own threat model on other people. I do not trust non-verifiable software written by huge corporations. I avoid it as much as possible (which means not always!).

You have the right to follow a different threat model, but you do not have a right to claim that companies offering me a transparent system fitting to my threat model “cross an ethical line that really shouldn’t be crossed”.