picking up intermediates from TPM NV (0x01c00100..)

[quite]

Halo Loïc! It is very interesting to come across your work on collecting TPM EK CA roots, to gain trust in TPMs (and using transparency logging as part of that!).

While looking around your repos, I also tried running tpm-trust audit on my AMD laptop, but got error=EK certificate does not contain AIA extension with issuing certificate URL -- I think because the code that is used for audit does not extract intermediates stored in TPM NV (starting at index 0x01c00100, called EKCertChainIndexStart in the attest module). The attest module (your fork) has code for doing that in its info pkg, but that's just for informative use?

The extraction of any and all intermediates in TPM NV should be done in the attest module, or if it's rather in the tpm pkg of this tpm-trust module, and those then added to the EK struct. So that they then can be used for chainbuilding up in the ekchecker.check. Something like that :)

The TPM of this AMD laptop has 2 intermediates in TPM NV, and then an AIA URL in the last one, which needs to be followed recursively, fetching in total 2 more intermediates. Then the last intermediate is signed by the elusive CN=AMD Root CA R4 (Authority Key Identifier FE:C2:62:87:86:20:D2:92:61:A6:F1:ED:A6:4F:0D:E6:6D:C4:D3:F1), which I was also stumped by how it just can't seem to be found anywhere.

[loicsikidi]

Hi @quite,

Sorry for the late answer (I've been quite busy lately)...

Thanks for the feedback!

I'll try to address this soon (probably in an unstable release).

I hope that you will have a bit of time next week to test it 🤞.

[loicsikidi]

Hey @quite,

I've released version v0.3.0 which support EK chain stored in the NVRAM.

Normally you should see the chain using one of the commands below:

• tpm-trust info
• tpm-trust certificates get <key type> --bundle --format pem

In addition, tpm-trust audit should go one step further and hopefully work as expected.

Let me know!

[quite]

Cool! I gave it a quick run now. Running audit shows:

  • Reading EK certificate from TPM
    • manufacturer: "Microsoft"                      id=MSFT
    • start searching for EK certificates
    • found 2 EK certificate(s):
      • certificate                                  kty=rsa-2048
      • certificate                                  kty=ecc-nist-p256
    • select rsa-2048 certificate                    issuer=CN=PLUTON Firmware SVN04,OU=FIRMWARE EKICA DFID00B20F40,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
    • took: 0s
  • Loading manufacturers trusted bundle
    • download and verify integrity
      • took: 0s
    • manufacturer supported                         id=MSFT
  • Validating EK certificate
  ⨯ command failed                                   error=EK certificate does not contain AIA extension with issuing certificate URL

Output from running info cmd shows at the end:

 • EK Certificate Chains                          present=true
    • EK Certificate Chains (2 certificates)
      • index 0                                      subject=CN=PLUTON Firmware SVN06,OU=FIRMWARE EKICA DFID00B20F40,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US issuer=CN=0227ABDA5BDD3DFD5463A391D800B20F40,OU=DEVICE EKICA DFID00B20F40,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
      • index 1                                      subject=CN=0227ABDA5BDD3DFD5463A391D800B20F40,OU=DEVICE EKICA DFID00B20F40,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US issuer=CN=AMD Pluton Per-Product Factory NON-FIPS EK ICA DFID00B20F40,OU=IT,O=Advanced Micro Devices Inc.,L=Santa Clara,ST=California,C=US

Get the feeling there is still code which expects AIA. But on this machine, this is the situation:

EK RSA-2048: AuthorityKeyId: F8:2A:89:BD… No AIA.
1st TPM NV chain cert: SubjectKeyId: F8:2A:89:BD… AuthorityKeyId: E4:E3:8A:02… No AIA
2nd TPM NV chain cert: SubjectKeyId: E4:E3:8A:02… AuthorityKeyId: B8:38:4A:45… AIA URI https://ftpm.amd.com/hsp/ica/00B20F40-non-fips.crt

[loicsikidi]

Hi,

Ty for the feedback!

Maybe that you are experiencing the same behavior expressed in that issue 🤔 .

In a nutshell, the chain stored in the TPM isn't linked to the EK cert...

Note

• EK cert's issuer 👉 PLUTON Firmware SVN04
• SubCA subject 👉 PLUTON Firmware SVN06

You will be able to get the diferent PEM files with the commands below:

• ek cert: tpm-trust certificates get $KTY --format pem
• chain: tpm-trust info --format json | jq .ekCertChains

[quite]

Oh right, yes I seem to have run into that exact issue. It might be possible to make the message EK certificate does not contain AIA extension with issuing certificate URL more helpful. Should I file an issue?

[quite]

I have another machine which fails with the same message now. Managed to extract the following from tpm-trust certificate get rsa-2048 --bundle (looks same for the ecc-nist-p256). (Would be nice if --bundle --short would include SKI, AKI, and AIA. guess i should send patch to https://github.com/smallstep/certinfo :)

Subject:
 Issuer: CN=CSME ADL PTT  01SVN
    AKI: 24:F3:F4:92:69:BC:EC:C9:AE:92:50:C0:49:9E:EB:91:03:EE:AD:AB

Subject: CN=CSME ADL PTT  01SVN
 Issuer: CN=CSME ADL SVN01 Kernel CA
    SKI: 24:F3:F4:92:69:BC:EC:C9:AE:92:50:C0:49:9E:EB:91:03:EE:AD:AB
    AKI: 55:82:6D:C1:68:80:CE:11:70:C7:52:9B:C0:95:16:CE:34:31:DC:1D

Subject: CN=CSME ADL SVN01 Kernel CA
 Issuer: CN=CSME ADL ROM CA
    SKI: 55:82:6D:C1:68:80:CE:11:70:C7:52:9B:C0:95:16:CE:34:31:DC:1D
    AKI: 27:21:43:38:48:37:9D:AB:7C:AF:C0:5A:84:8D:39:E3:8B:3B:D0:BB

Subject: CN=CSME ADL ROM CA
 Issuer: OU=ODCA 2 CSME P_ADL 00002820 Issuing CA,CN=www.intel.com
    SKI: 27:21:43:38:48:37:9D:AB:7C:AF:C0:5A:84:8D:39:E3:8B:3B:D0:BB
    AKI: BA:21:13:65:73:C2:C3:8A:5B:E5:7C:B6:C6:8B:FC:23:BB:36:CA:58
AIA URI: https://tsci.intel.com/content/OnDieCA/certs/ADL_00002820_ODCA_CA2.cer

I'm not sure if it's the AIA that is not being downloaded, or if tpm-trust even should do that, or it should be in the tpm-ca-certificates bundle? But also, that AIA URI there points to a cert which is also an intermediate with an AIA URI.

I can provide the whole cert chain pems if needed.

[loicsikidi]

Hi @quite,

Ty for all the feedbacks!

It might be possible to make the message EK certificate does not contain AIA extension with issuing certificate URL more helpful. Should I file an issue?

My first implementation was a bit naïve, I expected each EK cert to have an AIA extension, which isn't always the case.

I've removed this check.

Would be nice if --bundle --short would include SKI, AKI, and AIA. guess i should send patch to https://github.com/smallstep/certinfo :)

It's not a big deal, I've enriched --short to include these information.

In addition I've added a new command: certificates bundle which prints EK chain certs stored in the TPM. It's an alternative to certificates get --bundle because the command includes the chain if and only if the chain is bound to the given EK cert.

Last topic:

Subject:
 Issuer: CN=CSME ADL PTT  01SVN
    AKI: 24:F3:F4:92:69:BC:EC:C9:AE:92:50:C0:49:9E:EB:91:03:EE:AD:AB

Subject: CN=CSME ADL PTT  01SVN
 Issuer: CN=CSME ADL SVN01 Kernel CA
    SKI: 24:F3:F4:92:69:BC:EC:C9:AE:92:50:C0:49:9E:EB:91:03:EE:AD:AB
    AKI: 55:82:6D:C1:68:80:CE:11:70:C7:52:9B:C0:95:16:CE:34:31:DC:1D

Subject: CN=CSME ADL SVN01 Kernel CA
 Issuer: CN=CSME ADL ROM CA
    SKI: 55:82:6D:C1:68:80:CE:11:70:C7:52:9B:C0:95:16:CE:34:31:DC:1D
    AKI: 27:21:43:38:48:37:9D:AB:7C:AF:C0:5A:84:8D:39:E3:8B:3B:D0:BB

Subject: CN=CSME ADL ROM CA
 Issuer: OU=ODCA 2 CSME P_ADL 00002820 Issuing CA,CN=www.intel.com
    SKI: 27:21:43:38:48:37:9D:AB:7C:AF:C0:5A:84:8D:39:E3:8B:3B:D0:BB
    AKI: BA:21:13:65:73:C2:C3:8A:5B:E5:7C:B6:C6:8B:FC:23:BB:36:CA:58
AIA URI: https://tsci.intel.com/content/OnDieCA/certs/ADL_00002820_ODCA_CA2.cer

tpm-ca-certificates doesn't include ADL_00002820_ODCA_CA2.cer yet BUT tpm-trust will try to download the file before running cert.Verify(opts), so theoretically it should work.

Note

The parent of ADL_00002820_ODCA_CA2.cer is included in tpm-ca-certificates

You can migrate to v0.4.0 to get the features presented above 💫 .

Once again let me know ;)

[quite]

tpm-ca-certificates doesn't include ADL_00002820_ODCA_CA2.cer yet BUT tpm-trust will try to download the file before running cert.Verify(opts), so theoretically it should work.

Yes, with the latest changes, the above chain validated tpm as genuine, great!

I could imagine something like the patch below to make it known when tpm-trust did have to download something from the Internet.

diff --git i/internal/validate/certificate.go w/internal/validate/certificate.go
index e8598a3..109f485 100644
--- i/internal/validate/certificate.go
+++ w/internal/validate/certificate.go
@@ -135,6 +135,7 @@ func (c *ekchecker) Check(cfg CheckConfig) error {
                        if err != nil {
                                return fmt.Errorf("failed to download CRL from %q: %w", url, err)
                        }
+                       c.logger.Infof("downloaded %s", url.String())

                        if err := crl.Verify(issuers...); err != nil {
                                return fmt.Errorf("failed to verify CRL: %w", err)
@@ -238,6 +239,7 @@ func (c *ekchecker) getIssuerCertificates(cert *x509.Certificate) ([]*x509.Certi
                if err != nil {
                        return nil, fmt.Errorf("failed to download issuer certificate: %w", err)
                }
+               c.logger.Infof("downloaded %s", url.String())

                hash := sha256.Sum256(cert.Raw)
                fingerprint := hex.EncodeToString(hash[:])

Skimming the code, it looks like an intermediate like this is downloaded unconditionally, and would be downloaded even if it was present in the tpm-ca-certs bundle, is that so?

[loicsikidi]

I could imagine something like the patch below to make it known when tpm-trust did have to download something from the Internet.

Yes sounds good.

Skimming the code, it looks like an intermediate like this is downloaded unconditionally, and would be downloaded even if it was present in the tpm-ca-certs bundle, is that so?

Well spotted! Indeed... there is room for optimization here. I'm currently working on an optimization in order to address recursive search. I'll include this shortcut ⚡.