Embedded Security Subsystem

From ThinkWiki
Jump to: navigation, search
IBM Embedded Security Subsystem

The Embedded Security Subsystem

The Embedded Security Subsystem is a chip on the ThinkPad's mainboard that can take care of certain security related tasks conforming to the TCPA standard. It was first introduced among the T23 models and is now under the name "Embedded Security Subsystem 2.0". It is an integral part of most of the modern ThinkPads. The functions of the chip fall into three main groups:

  • Public key functions
  • Trusted boot functions
  • Initialization and management functions
The purpose of the Embedded Security Subsystem is to keep the user's sensitive data out of range from software based attacks (like viruses, Internet attacks etc.). One way the chip offers to achieve this is by providing storage for keys along with the necessary functions to handle them within itself, so that a for example a private key never has to leave the chip (can't be seen by any piece of software). Besides this, there are more complex topics covered by the functionality of the chip. If you want to find out more about it you can find good documents on the IBM Research TCPA resources page.
Current ThinkPads have the TPM chip integrated into the SuperIO chip, or integrated into the chipset. Don't let the picture fool you...

Trusted or Treacherous?

In addition to benefits (such as in-hardware storage of cryptographic keys) TCG standards have some drawbacks.

As ThinkPads of recent generations following the ThinkPad T23 (see the complete list of models) are equipped with this disputed TCG-/TCPA-Technology, it can be interesting, which promises of the TCG are fulfilled inside your ThinkPad and which parts of the TCG-specifications still seem to be a privacy issue for every user of digital devices like a MP3-player or a ThinkPad - so please read this article for more details.

Linux Support

There are three main drivers that support most of the ThinkPads

  • tpm_atmel - for those ThinkPads with older Atmel 97SC3201 chips
  • tpm_nsc - for the ThinkPad T43/P and R52
  • tpm_tis - for recent ThinkPads with TPM 1.2

In addition you will need some something like TrouSerS, which your distribution may have packaged as tpm-tools.

Versions & Features

Embedded Security Chip

IBM introduced it's TCPA/TCG features with some of the T23 models. The earlier of them didn't yet have the Embedded Security Subsystem, but a kind of pre 1.0 version called the Embedded Security Chip. This chip had the following capabilities:

  • Data communications authentication and encryption
  • Storage of encrypted passwords

Embedded Security Subsystem (1.0)

The original Embedded Security Subsystem (in IBM documents there is no use of the additive version-number 1.0) claims to be compliant with TCG specs, but apparently did not fully implement any specific TCG spec.

The Embedded Security Subsystem has the following features:

  • hardware key storage
  • multi-factor authentication
  • local file encryption
  • enhances VPN security

Embedded Security Subsystem 2.0

The Embedded Security Subsystem 2.0 conforms to the TCG TPM 1.1b specification, with a TPM manufactured by either Atmel or National Semiconductor, and TCG TPM PC client 1.1 BIOS extensions.

The Embedded Security Subsystem 2.0 has the following features:

  • hardware key storage
  • multi-factor authentication
  • local file encryption
  • enhances VPN security
  • TCG compliant

ThinkPads with Atmel chips are supported by the tpm_atmel kernel module. The few ThinkPads with National Semiconductor chips (T43/p and R52) are supported by the tpm_nsc kernel module.

Trusted Computing Group TPM 1.2

Since the *60 series Thinkpads all new models have had TCG TPM 1.2 compliant chips. During the *60 series this was part of an ATMEL chip, in later ThinkPads this is actually part of the Intel chipset itself.

Regardless if it is part of the Atmel chip or the Intel chipset, these TPM 1.2 devices are supported by the tpm_tis kernel module

Clearing/Reseting the Embedded Security Subsystem

Be sure that there are no active HDD passwords, and that you have uninstalled any IBM/Lenovo security software that might want information stored or encrypted with the help of the TPM chip before you clear the chip. Any data that is encrypted using information inside the TPM chip will be useless after you clear the TPM chip. It is unknown if clearing the TPM chip can mess with the BIOS HDD password support, but until someone tests it, it is best to play it safe.
A password-locked HDD can be made useful again by using a low-level utility capable of issuing the SECURE-ERASE command to it. You will lose all data, but at least the HDD will be usable again, as that also unlocks the HDD.

If there is a need to reset and clear the TPM chip, the IBM BIOS has a "Clear Security Chip" option that will work (as long as you did not issue one of the very few "permanently lock the TPM chip in a certain state for life" commands, so Do Not Do That!).

That option is not readily accessible. To unhide it and reset the TPM chip, you have to:

Method 1

  1. Power down the ThinkPad;
  2. Power up the ThinkPad, with the Fn key pressed (or CTRL in a ThinkCenter);
  3. When the BIOS screen shows up, release the Fn key;
  4. Press the required key to enter the BIOS configuration;
  5. Enter BIOS supervisor password if required;
  6. Go to the security menu, security chip submenu, and clear the TPM chip.

Method 2

  1. Power down the ThinkPad;
  2. Power up the ThinkPad;
  3. Press the ThinkVantage/Access IBM button while the BIOS is still booting;
  4. Type in the supervisor password if the BIOS asks for it;
  5. Press ESC a number of times, which will cause the BIOS to switch to maintenance mode and display a number of text screens;
  6. Power down the ThinkPad as soon as it hits the boot loader of the Operating System (it doesn't matter which O.S.);
  7. Power on the ThinkPad;
  8. Enter the BIOS configuration screen (may require supervisor password);
  9. Go to the security menu, security chip submenu, and clear the TPM chip.

Using the Embedded Security Subsystem

TPM 1.1b basics

The TPM chip is a "secure" brokerer of data signatures and keys, as well as a slow but very good hardware RNG. It has some registers called PCRs that are used for trusted platform attestation. It can sign data using 2048-bit RSA keys. It is slow. It is not easy to use, either :-)

The current version of the TPM chips found on ThinkPads (TPM 1.1b) isn't secure at all against moderately sophisticated physical attacks, and it is also useless for DRM and other Treacherous Platform corporate ideas.

A Trusted Platform in a context involving a TPM means that the PCRs contains values that they are expected to, because the TPM will allow data that is "sealed" (as opposed to "bound") to it to be accessed ("unsealed") only when the PCRs match the PCRs at sealing time. The interesting magic is, therefore, in the process of updating the contents of the PCRs.

The PCRs start zeroed at TPM reset. As things load (BIOS, bootloader, OS, userspace), they are supposed to verify if the PCRs are at a state they can trust, and if so, to add the checksum of their own code, data, and configuration to the PCRs and load the next stage. Alternatively, they can skip the PCR test and just extend it if they don't care that they are running in an untrusted state.

PCRs cannot be set to a given value. The TPM only allows one to "extend" a PCR, which is an operation where the result is a SHA-1 hash that depends on the previous value of the PCR and on the data you give the TPM to extend the PCR with. It is non-trivial to get the PCR to a desired value based only on its previous contents and the desired target value.

It is obviously a total nightmare to update the system in a trusted platform scenario, as the contents of the PCRs starting from the update point will change. A changed PCR immediately makes any data that was sealed based on its old value impossible to access. This is one of the reasons why nobody is doing remote trusted platform assurance, except in very controlled scenarios right now. New versions of the specifications around the trusted platform support specifications (like TPM 1.2) are trying to address this problem.

Trusted Platform assurance with a TPM 1.1b isn't easy to do, but it is possible (and it is not in any way unbreakable!, but it is a lot better than nothing for many uses).

The ThinkPad BIOS measures the boot loader and stores the relevant data on PCR registers and the TPCA log, so if one adds a trusted boot loader to the system (like trusted-grub), one can load a trusted operating system and from there, trusted userspace applications, etc.

Note that LPC-bus tricks using modchips to trap and modify the data flow to the TPM chip can effectively bust the Trusted Platform assurance completely on any ThinkPads up to the T61/R61/X61. To avoid that, a TPM inside the northbridge is needed. Intel plans to add a TPM 1.2 to their chipsets in 2008, so it is likely that the T62/X62/R62 TPMs won't be as vulnerable to hardware hacks.

ThinkPad BIOS TPM basics

The TCG TCPA specification also defines PC BIOS behaviour and extensions to deal with the TPM chip and Trusted Platform requirements. The ThinkPad BIOS is compliant to the TCG PC Client specification v1.1 (and, in new ThinkPads, maybe v1.2).

This means that:

  • The BIOS can be used to reset the TPM using physical presence (see above for the reset procedure);
  • Physical presence is only available to the BIOS (unless you hack the BIOS or the hardware, obviously);
  • The BIOS can be configured to log or not (which also means calculate PCRs) the checksum of some of the platform data. If you don't want the ESCD or NVRAM contents to interfere in PCR calculations, you need to disable their logging in the BIOS for example;
  • The BIOS touches PCRs 0 to 7, but leaves PCRs 8 to 15 alone (zeroed);
  • You can disable the TPM chip in the BIOS, and not worry about someone using it behind your back. But they will be able to know that there is a TPM in the system (the chip can still be found, and will report its version, manufacturer, and disabled state), unless you remove all the kernel TPM support, including tpm_bios;
  • The BIOS might use the TPM, so watch out for trouble if you have HDD passwords enabled, etc;

PCR registers extended by the BIOS

PCR # Description (TCG PC client spec v1.1) Notes

T43 26xx BIOS 1.29

0 CRTM, BIOS, and platform extensions The BIOS logs many BIOS POST PCR extensions, probably hardware and firmware-related
1 Platform configuration:
  • BIOS ROM strings (BIOS version and checksum)
  • NVRAM (Asset tag data)
  • CMOS configuration (basic, always logged)
  • CMOS configuration (extended)
  • ESCD platform configuration data (like size of memory modules, etc)
  • SMBIOS data (?)
  • Useful when BIOS ROM logging is enabled, since one has to trust the BIOS and it is best to not let someone update it behind your back. Upgrading the BIOS invalidates data sealed to this PCR, though
  • NVRAM logging is useful to seal data to a particular asset tag
2 Option ROM code Can be used to detect the addition/subtraction/upgrade of Option ROMs (extra BIOS code from third parties)
3 Option ROM configuration and data Not modified except for the event separator on my current T43 config
4 IPL Code (system bootstrap)
  • BIOS password used to authorize booting (if any)
  • Boot device used
  • MBR/boot sector checksum (LILO, Grub stage 1, etc)
  • The password hash itself of the BIOS user or supervisor password is used to extend this PCR
  • When you reboot, if the box doesn't ask for a password, the PCR will have different contents (work around: go into BIOS and exit saving changes, so that you are asked the password again)
  • Lets one seal data to a particular boot password and to the fact that the password was typed in the keyboard
  • Takes into account the device used to boot, and the bootstrap code checksum
5 IPL Code configuration and data This PCR is reserved for the boot loader to extend with its configuration and whatever else it loads
  • trusted-grub extends it with stage 1.5 and stage 2 checksums, grub.conf checksum, and kernel and initrd checksum
  • Not modified by the BIOS itself, except for the event separator
6 State transitions and wake events Logs a WAKE EVENT 0 hash on power up and simple reset (same event)
7 Reserved Not modified except for the event separator. Reserved by the TCG for future use.
8-15 User PCRs
  • Not modified by BIOS or bootstrap
  • Still zeroed at end of Linux boot
  • Can be used for whatever the user wants

Using the TPM in Windows

Just install the full IBM Security solution, and let it use the TPM. What good it will do to increase the security of your data is unknown.

Using the TPM in Linux

This section is very incomplete, but here are some pointers to get you started:

  • Compile a 2.6.23 or later kernel with the driver for the tpm chip in your ThinkPad model enabled;
    • You need to enable CONFIG_SECURITY to get securityfs, and CONFIG_KEYS to use eCryptfs TPM support;
    • You need to enable tpm_bios to access the TCPA log;
  • Make sure to mount the securityfs filesystem on /sys/kernel/security to access tpm_bios data (the TCPA log);
  • You should use dm-crypt to have an encrypted swap partition with an ephemeral key;
  • The TCPA log can be found in the securityfs directory, and it might help you understand how the BIOS and boot loaders are using the PCRs. The first number for each event in the log is the number PCR register that was extended by that event;
  • You need an up-to-date version of the TrouSerS software stack to use the TPM for anything other than reading the TPCA log;
  • You need an up-to-date eCryptfs userspace (with TPM support compiled in) to use the TPM to store filesystem keys;
  • Using the TPM as a PKCS11 token is possible, but I have no idea how safe it is, since that requires a null (well-known) SRK;
  • trusted-grub can be used to play with the PCRs before Linux loads, and to checksum the Linux kernel and extend a PCR with that data;
  • The PCRs can be read through sysfs, under the /sys/bus/platform/devices/tpm*/pcrs file for the TPM driver for your TPM chip;
  • TrouSerS 0.3.1 tpm_getpubek seems not to work too well, it gets the PUBEK attributes wrong from the NSC TPM chip in a T43 (but the key data itself is correct). Compare to sys/bus/platform/devices/tpm*/pubek to check yours.

Models featuring this Technology

IBM Embedded Security Chip

IBM Embedded Security Subsystem

IBM Embedded Security Subsystem 2.0

unknown chip

Atmel 97SC3201

NS PC8394T


Atmel 97SC3203

Integrated in chipset

External Sources