On Sun, 2025-09-14 at 19:23 +0300, Jarkko Sakkinen wrote:
> On Sun, Sep 14, 2025 at 07:08:37PM +0300, Jarkko Sakkinen wrote:
> > Hi,
> > 
> > In practice, while implementing tpm2sh and its self-contained TPM
> > emulator called "MockTPM", I've noticed that 'tpm2key.asn1.' has a
> > major bottleneck, but luckily it is easy to squash.
> > 
> > Parent handle should never be persisted, as it defies the
> > existential reason of having a file format in the first place.
> > 
> > To address this issue I just added a couple of optional fields to
> > TPMKey:
> > 
> >   parentName   [6] EXPLICIT OCTET STRING OPTIONAL,
> >   parentPubkey [7] EXPLICIT OCTET STRING OPTIONAL
> > 
> > By persisting this information TPM2_GetCapability + TPM2_ReadPublic
> > can be used to acquire an appropriate handle.
> > 
> > I'd highly recommend adding this quirk to anything that processes
> > this ASN.1 format.
> 
> 
> Here's a proof of concept:
> 
> https://github.com/puavo-org/tpm2sh/commit/18ec3c2169b23523d8866c58fa7b8a89a79bd3d4

Saving the output of read_public and comparing against the saved value
provides no proof of binding.  This is actually what the systemd TPM
keys handlers do and, as I demonstrated at FOSDEM, an interposer attack
that's early enough to come at key sealing still manages to exfiltrate
the secret without being revealed.

https://archive.fosdem.org/2025/schedule/event/fosdem-2025-4827-recent-tpm-security-enhancements-to-the-linux-kernel/

One possible benefit of saving the public part of the TPM key parent is
to give subsequent sessions a known key to encrypt a salt to which an
interposer can't hack.  However, this only works, as demonstrated
above, if you certify the parent *before* you save it.  However, if
you're doing certification, it's just as easy to derive a primary and
certify that before salting the session ... again, as demonstrated,
this is done by saving the name of the EK signing key somewhere in an
encrypted filesystem the attacker wouldn't find it easy to alter.

Regards,

James
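
The handle lookup discussed in this thread, as an added example (not code from either poster or from tpm2sh): it recomputes each candidate's TPM 2.0 Name from its public area and compares it with a saved parentName. It assumes the public areas are marshaled TPMT_PUBLIC structures already gathered via TPM2_GetCapability + TPM2_ReadPublic; the function names and sample bytes are constructed. As the reply above points out, a match only selects a handle and is not proof of binding unless the parent was certified.

```python
import hashlib
import hmac
import struct

# TPM_ALG_ID values of the hash algorithms usable as nameAlg.
NAME_ALGS = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}


def compute_name(public_area: bytes) -> bytes:
    """Return the TPM 2.0 Name: nameAlg || H_nameAlg(marshaled TPMT_PUBLIC)."""
    if len(public_area) < 4:
        raise ValueError("truncated TPMT_PUBLIC")
    # TPMT_PUBLIC starts with type (UINT16) followed by nameAlg (UINT16).
    _type, name_alg = struct.unpack_from(">HH", public_area, 0)
    if name_alg not in NAME_ALGS:
        raise ValueError(f"unsupported nameAlg 0x{name_alg:04x}")
    digest = hashlib.new(NAME_ALGS[name_alg], public_area).digest()
    return struct.pack(">H", name_alg) + digest


def find_parent_handle(saved_name: bytes, candidates):
    """Return the first handle whose public area hashes to saved_name, else None.

    candidates: (handle, public_area) pairs, assumed to come from
    TPM2_GetCapability(TPM_CAP_HANDLES) followed by TPM2_ReadPublic.
    The Name is recomputed locally instead of trusting a returned name field.
    """
    for handle, public_area in candidates:
        try:
            name = compute_name(public_area)
        except ValueError:
            continue  # skip entries that cannot be parsed
        if hmac.compare_digest(name, saved_name):
            return handle
    return None


# Constructed sample data: header (TPM_ALG_RSA, TPM_ALG_SHA256) plus filler
# bytes standing in for the rest of the public area. Not real key material.
PUB_A = struct.pack(">HH", 0x0001, 0x000B) + b"constructed-parent-A"
PUB_B = struct.pack(">HH", 0x0001, 0x000B) + b"constructed-parent-B"
CANDIDATES = [(0x81000001, PUB_A), (0x81000002, PUB_B)]
SAVED_PARENT_NAME = compute_name(PUB_B)  # what parentName would carry

if __name__ == "__main__":
    handle = find_parent_handle(SAVED_PARENT_NAME, CANDIDATES)
    print(hex(handle) if handle is not None else "no matching parent")
```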

