33c3-talk-8142 Latest text of pad 33c3-talk-8142 Saved Jan 11, 2021

 
Hey you!
Prior to transcribing, please look at your style guide: https://wiki.c3subtitles.de/en:styleguide. If you have some questions you can either ask us personally or write us at https://webirc.hackint.org/#irc://hackint.org/#subtitles.
Please don't forget to mark your progress in the progress bar at the talk's website.
Thank you very much for your commitment!
======================================================================
 
So I've been using PC emulators for code analysis purposes like forever, I guess since the 90s, hence the gray hair, mainly because you can fool around with the hardware, you can do silly little tricks. But QEMU actually plays a much larger role than just for freaks like me who like to do code analysis, and the addition of a virtual secure boot, I believe, is going to make a very, very big difference in things like cloud computing. The following talk by Gerd Hoffmann is going to be all about the trials and tribulations, I believe, of trying to get secure boot to actually work in QEMU and other systems. And that's really all I want to say about it. Please welcome to the stage Gerd Hoffmann.

Hello, I'm Gerd Hoffmann. I'm working for Red Hat for ten years already, in the virtualization team, working on QEMU, both in userspace and also on the KVM kernel side, and one of my work areas is firmware. That's why I'm giving this talk today.

I first want to go over some terms which I'll talk about in this talk, then talk about creating a plan and implementing something like secure boot support for virtual machines, then go over the implementation we had to do in all three involved software projects. Next, some hands-on instructions if you want to play with it yourself and how we are going to do that. If there's enough time left we go on with a short demo, and at the end, of course, questions and answers.

Let's start with the terms. The first one is, of course, secure boot. It's specified in the UEFI specification. The goal of secure boot is that you don't run untrusted code on your machine, and this is done by verification of all the components started. The basic idea is that each component verifies the next one before actually running it. So the firmware itself checks the bootloader, then the bootloader goes on checking the kernel you are loading, and the kernel, again, checks any kind of modules or drivers you are loading into kernel address space. All the keys used to verify the components are managed by the firmware. That means, for that to work, the firmware itself, the code living in memory and also the storage for the keys, which is flash usually, must be protected so that the operating system or any malware trying to infect the system can't modify that kind of stuff. How we are going to implement this for virtual machines is the topic of this talk.

The next one, you probably know this one: QEMU. It's an open source machine emulator and virtualizer, and it emulates all the stuff you have in your physical machine, the chipset, and it also gives you control over all the stuff you need to interact with the virtual machine: a video graphics card, keyboard and mouse emulation, and virtio devices so the guest can actually talk to QEMU, which of course includes networking.

The next one is KVM. It's the kernel-based virtual machine, a Linux kernel driver which provides applications access to the virtualization extensions of the processor, if you have one of those: VT-x extensions on Intel processors, SVM extensions on AMD, hyp mode on ARM, and there are also other architectures supported by KVM. QEMU actually uses KVM for CPU virtualization. That means the code of the virtual machine runs directly on the CPU, and of course that's the fastest mode of operation, which you usually want to use. The other option, which we have for a few more years, is TCG. That stands for Tiny Code Generator, it comes out of QEMU, and it's usually used if you are not running on your native architecture. For example, if you're emulating an ARM guest on an x86 machine, then you can't run the guest code directly on the CPU, so TCG will translate the ARM instructions into x86 instructions. It can also be used to run virtual machines on hosts without virtualization support, and sometimes it's useful because KVM scares us a bit: if you're running stuff on KVM it's too fast, especially if you are running very old guests. One funny example from an old Windows operating system version: if you run it on modern hardware on KVM, it's just so fast that the calibration loop runs so fast that there is a division by zero, and the easy fix is to turn off KVM and use TCG instead.

Next one: EDK2, the EFI Development Kit, the reference implementation from Intel for UEFI. It lives on tianocore.org and the source code is available on GitHub. More interesting for QEMU is OVMF, the Open Virtual Machine Firmware, the UEFI implementation for QEMU, and it actually lives inside the EDK2 repository. It has drivers for the usual virtual hardware you have in QEMU, for virtio devices, and for the QEMU firmware configuration interface also. So if you want to play with it you have to tell QEMU to use this firmware, because what you get by default is SeaBIOS. It's a classic BIOS implementation, and the main users are QEMU and also coreboot: if you have coreboot on your machine and you need a BIOS interface, that's also the way to go. So that's about all the terms I want to cover first.

This is where we have been two years ago. Secure boot support has been available in EDK2 for quite a while already. It uses OpenSSL for crypto support, but OpenSSL isn't shipped as part of the repository, so you have to unpack the tarball and apply a patch because of some differences in the build environment, and then you can just enable secure boot like any other option and you have working secure boot support. The problem is the firmware itself isn't protected: the memory and the data storage of the firmware are not protected at all, and also the flash where the keys are stored. The UEFI variable store is not protected at all, so the guest can do whatever it wants. That's somewhat useful if you want to develop software for secure boot support, or you can still use it to verify you are using the interface in the correct way. But of course that's not the real thing. So we wanted to change this.

When designing QEMU support for something new, there are basically two choices you have, or something in between. One option is to stay close to the hardware and emulate something which exists in the real world, and the other option is to create something which is totally virtual, where you can do whatever you want. Of course both approaches have advantages and disadvantages. If you emulate something which exists, it's easy on the guest side, because the guest finds some hardware, even though it isn't real, which it knows how to handle. You don't have to deal with drivers; the operating system is able to just use that hardware. That also usually simplifies the management of virtual machines and physical machines if you keep the differences between them small. On the other hand, it can also have disadvantages, depending on the kind of hardware. One example is the old USB adapters, which are quite difficult to emulate in an efficient manner and burn quite a bunch of CPU time. So for a long time it has been the case that as soon as you connected a USB tablet to a virtual machine, it ate a lot of CPU time. Another problem is that you are limited to what the physical hardware you are emulating is able to do, which is becoming a problem these days with the Cirrus graphics adapter, which is not the default graphics adapter anymore because of this, because it's a design from the 1990s and just can't keep up with today's needs.

The other option, the usual term for that is paravirtualization. You have more freedom in design and things usually get better performance. If you do it in a clever way you can get a lot of code sharing; for example, all the virtio devices, for SCSI, for block, for network, for input, for serial devices, they all use the very same ring format to send data between host and guest. And you can also try to simplify things because it's a virtual machine, so some things are easier than on physical hardware. The backside, of course, is that you have to write and maintain the guest drivers. That's not so much a problem for you as a user of Linux, because the drivers are part of the kernel, so you don't notice it. It's more visible to the normal user on Windows, because you need the special driver image with the virtio drivers on it. And if you try to simplify, it can also backfire if you simplify too much, and it can create quite a mess long term. For example, the original virtio specification said: we have a virtual machine, we know what endianness our architecture has, so we just go with the native endianness so we don't have to bother with byte swapping. That turned out to be not a good idea, because these days IBM is pushing the PowerPC architecture to little endian, which was historically big endian. The machine usually starts in big endian mode for historical reasons, the firmware asks where the kernel is, switches to little endian mode, then loads a little endian kernel, and then of course the little endian kernel also talks to the virtio devices. So the concept of native endian just doesn't make sense anymore, especially for PowerPC. Those are the traps you can step into if you try to simplify too much.

Let's see how the firmware is protected on physical hardware. We have something called System Management Mode on all the processors since at least 20 years or so. The chipset can raise an interrupt to enter system management mode; the processor then stores the complete state of the processor in memory and starts execution at a different address, and there's a special instruction to return to normal operation. It was designed for stuff like power management, so that you don't need a special processor to do power management: you can just have the chipset raise a system management interrupt and then run this special code, which can check the temperature sensor and maybe tune the fan speed if it's too hot or too cold, stuff like that. And there's some memory which can only be accessed in system management mode. It's pretty small, 128 kilobytes, at the location where usually the VGA frame buffer sits, and newer chipsets have, in addition to that, a bigger section called TSEG, which can be up to eight megabytes big and lives at the upper end of the memory map below four gigabytes, that's the upper end of the 32-bit address space. The configuration for SMRAM and TSEG can be locked, so once it's locked it can't be tampered with until the machine is reset.

So the question is: are we going to do the same on QEMU, or something else? The advantage, of course, is that we can hope to not have to add too much new code, because if we implement system management mode we can use existing lockbox code, for example from the EDK2 tool kit. Performance shouldn't be that big an issue. The problem is that system management mode was originally designed for something else, not for security, and so it has a pretty bad security track record; you can check the talks from previous Congress years about various attacks on system management mode. So we have to be quite careful if we go this route. Also, two years ago we had no system management support in KVM, and TCG had at least some basic system management support. So we decided to go the system management mode route and started looking at how it looks in QEMU.

QEMU can emulate two different chipsets. One is the older one, from the mid-90s, and this one doesn't have TSEG memory, so we can't use it for secure boot, because the EDK2 implementation needs more memory; it just doesn't fit into the SMRAM A-segment. So this one is out. We have the newer Q35 chipset emulation, which you can pick if you start QEMU. With Q35 we had some basic TCG support already present back then; we had to complete it, we had to implement TSEG and also implement lock support, so that if you try to lock down the TSEG and SMRAM configuration that actually works, and we also had to figure out how we are going to protect the flash.

One foundation we are building on is the memory API that was created by Avi, that's the same guy who started the KVM project, and it was merged in QEMU 1.0. It pretty much turned the memory management in QEMU upside down. Before, all versions of QEMU had a very simple scheme for registering memory and MMIO regions: you just register that and it stays there and exists, and if you register something else on the same address, what was there before just goes away. Now we have a hierarchy of memory regions, and you can enable them, disable them, move them around, create aliases, and these regions are used to build address spaces, which was a big step forward in correctness of the emulation in various corner cases. For example, if you remap a PCI BAR of your network card, it now actually works correctly that the BAR actually disappears from its old location, which wasn't the case before we had this API. Another interesting one, which caused quite some trouble, is that each PCI device got its own address space for DMA, and if you don't turn on the bus master DMA bit, the device also can't access memory, which was the point where things stopped working. There have been quite a few drivers, especially in firmware, which had never been tested on real hardware and didn't set the bus master bit, and this change broke those drivers. Implementing system management mode would have been pretty much impossible without this memory API.

So let's have a look at what this looks like. This is the system address space of one of the simplest machines you can have: a PC without any PCI stuff. It's nice to see how this looks like. There's the system region which covers the complete address space. We have the RAM, and we have a container, which is a region that just holds the subregions for the SMRAM memory, 128 kilobytes I think, and you can see the VGA memory which is visible right now because the other regions are disabled. You can program the chipset to map some memory as SMRAM memory, and then those two parts will be enabled and that will be visible to the guest because it has a higher priority. So those will overlap with the VGA memory; everything else is just RAM and one area that's the BIOS. That's it for a simple machine. How does it look for our Q35 machine? It's very similar. We have, of course, Q35 PCI with a lot of PCI BARs, which I left out here to have enough space on the slide. You have the SMRAM region which was already there from the basic support we had. What is new is this black hole. This overlaps the top of the RAM region, the topmost piece of memory, and it has a higher priority. So if your guest tries to access this address range, it will end up at the black hole, and the black hole just discards any writes, and if you read from it you just get nothing useful back. That way we can hide the TSEG away from the normal system view. Then there's also the MMCONFIG address space and the APIC, and the Q35 chipset also has some areas at higher addresses which are disabled because QEMU doesn't use them, but the area is there. Then we have message signaled interrupts, and finally two address areas for the flash: one is the variables and one is the code; let me come to that later in detail. To enable access to SMRAM in system management mode we have this SMRAM region which has aliases to the low and high SMRAM locations and also to the TSEG, which refers to RAM. Then each CPU gets its own address space. It has just these two: the SMRAM region right here and the memory with all the stuff you had on the previous slide. If the CPU enters system management mode, this area will be enabled and so you can access all these regions, and if it leaves system management mode it's disabled again and not visible anymore. We have one of these address spaces for each virtual CPU, so it's impossible to stage attacks where you bring one virtual CPU into system management mode and try to trick the system to get access to the SMRAM memory with the help of another CPU. It doesn't work, because each CPU has its own private view, and for each CPU individually it's either enabled or disabled. We also have to care about PCI devices, and PCI devices get, for bus master DMA, just the normal system view, which is basically the same the CPU is seeing if it's not in system management mode. So you can't use your network card or the hard drive to access SMRAM memory directly.

So we also had to implement the lock support. This is a snippet from the test case. The configuration of the chipset has an open bit which can be used to make SMRAM available even when not in system management mode, which is used for initialization. So the first part of this test case checks that the open bit can be set, and if you set it, it's actually open. The second part of the test just sets the lock bit, and if you flip it to true it will automatically switch the open bit to false, so it's closed and only available to system management mode, and it also makes the open bit read-only, so you can't open it again until the machine is reset. And this lock bit will also lock down the configuration for the TSEG memory. The original Q35 chipset on physical hardware had a bug there. There's a register which basically configures the memory split, how much memory is mapped below four gigabytes and how much memory is above four gigabytes, and if you set the lock bit to lock down the configuration, the TSEG size and the enable bit are locked down, but not this configuration register. So you can use this configuration register to just move away the protection and get access to the memory. Nevertheless, that one is easy for QEMU to handle, because we don't configure the memory this way, so this register simply doesn't exist and so it can't be exploited; we do the memory split configuration via command line switches instead, and by default you have two gigabytes of memory below and everything else mapped above four gigabytes.

Next one is flash protection. That's where the keys and variables are stored, and we need to protect this one as well. On physical hardware it works that way that if you try to write to flash, it will be put in write mode and it will also trigger a system management interrupt, and the SMM handler then puts it back into read-only mode, and it's pretty complicated. It's also prone to races; there have been successful attacks on that. And because it's physical hardware, you physically can't fix that, so new versions of the chipset use even more complicated protocols to handle the races. We tried to do that in a simpler way. First, we have two parts of the flash: first the code, and second the variables, where the keys are stored as well. The code is usually just read-only for the guest anyway, and firmware updates simply happen by doing them on the host: the firmware is just a normal package and your normal host upgrades also upgrade the firmware, and QEMU will pick up the new version on the next power cycle of the virtual machine. Then we have the second part of the flash, which stores the variables, and we can simply discard any writes which happen if you are not in system management mode. That's a concept we have borrowed from ARM. We have a secure flag, which on ARM is used to signal secure world or normal world access, and on ARM it actually exists as a bus signal, so the chipset can see whether the access comes from secure world or normal world and can control access that way. On x86 this doesn't exist as a signal, but on QEMU it's software, so we can just borrow the concept and use it on our virtual machines. We implemented it using memory transaction attributes, among other things there's a secure flag, which is set or not set, and the flash code can just decide: OK, this is secure, it can allow this write, or not. So that's a lot easier than on physical hardware.

This all works just fine, but we also want to run it fast with KVM, so let's look at how we are going to do that. We can't pass the memory regions, the hierarchy we have, to the KVM module in the kernel, so QEMU has to flatten the address space into a memory map, which is just a linked list of slots. This one is passed on to the KVM kernel module, so the KVM kernel module knows everything it needs to know about the address spaces, and this memory map has to be updated each time the address space changes. That becomes quite expensive on SMP machines if we would take the same approach we have in TCG, where each CPU gets its own address space, or in this case its own memory map. So it had to be designed in a different way. KVM got support for address space IDs, so now we can pass down two address spaces to KVM: one for system management mode and one for outside system management mode. These two maps we have now will be shared by all virtual CPUs, so there are no more maps, which would make things slower. We also needed a new ioctl to ask KVM to raise a system management interrupt, and the KVM VCPU state structure got a flag for system management mode, so when an exit happens QEMU can see whether the CPU was currently running in SMM mode or not, because it needs that to set the transaction attributes correctly, so the flash code knows whether the write is coming from system management mode or not. So in KVM mode the address spaces look a bit different. We have the memory address space, which is just the normal system view if you are not in system management mode, and for the system management mode memory map we have the SMM address space, which is basically an SMRAM container very similar to the one in TCG mode, with a higher priority, and below that an alias to the normal system memory. So that was it for KVM.

Of course we also need some support in OVMF and the firmware. We thought, oh, that should be easy, because the intention of doing SMM this way was to share the code. We need the lockbox code, but the code to set up system management mode and also the SMM handler itself wasn't in the repository. So we went to the guys which are maintaining EDK2, and the first thing we got was a pointer to the Quark tool kit, which is a 32-bit chipset design from Intel, and of course only the 32-bit code was in there, which was a bit disappointing. Laszlo, a coworker of mine, went through the code and found a security bug in there, which delayed the whole thing quite a bit. There were a lot of discussions with Intel, the EDK2 maintainers and the Intel security team. The security issue wasn't handled very well by Intel; I'm not aware of any official security advisory for this thing. But finally, half a year later, the code was committed to EDK2, and we didn't only get 32-bit but also 64-bit code, and the first committed version also had the security bug fixed. The nice thing is that Intel continues to maintain this code in the open repository, so we see a constant flow of patches and improvements. It's not an Android-style code drop, "here you have it, and now keep quiet for the next months until the next release", development actually happens in the repository. It's also the repository where they cut the development kit releases now and then for the OEMs for the laptops, so I think at some point in the future you should be able to look at the code which you are running on your laptops. That's nice, that we got this open-sourced as part of this effort.

So it wasn't as easy as we expected initially to implement secure boot support, and it's also not trivial; there are a lot of things you have to get right. But we got it finally merged, one month after the virtualization code was merged.

So if you want to play with it yourself, you need QEMU version 2.5. Also a kernel 4.something; that shouldn't be a big problem. libvirt support took a bit longer, it's in version 2 of that one, which is pretty recent, so it could be that you don't have it on your distribution. EDK2 doesn't do releases, so you can just pick the latest snapshot; we are using a snapshot from March this year. And this is how the libvirt configuration looks like. You need the Q35 machine type, right here; well, that's a bit long. If you don't want the default firmware, which is SeaBIOS, you have to specify the loader tag, which for historical reasons dates back to the BIOS times. You say read-only because the code is read-only; secure is the SMM switch. The variable store is of type pflash, the template for the variable store is an empty variable store, and you don't have to see this one: libvirt will start by itself, create a copy of the template and store it somewhere in its directories. And of course you need system management support turned on, because it's turned off by default since it doesn't work in all configurations.

If you want to use QEMU directly, it looks like this. Again the Q35 machine type, and you have to turn on system management mode. This creates the flash devices: the first one for the firmware, for the code, which is set to read-only; the second one for the variables, which we put into secure mode, which needs to be done with a separate configuration switch. And then, of course, all your other configuration follows. One nice thing libvirt supports is that you can put command line arguments you want to pass to QEMU into the libvirt config with a special QEMU tag. You have to import this special namespace in your libvirt config, and then you can have this one. It's very useful if you have a libvirt which is too old to have system management support; you can do it this way. It was created to make it easier for developers to work on new stuff which isn't yet supported by libvirt: you can still manage the virtual machines you are using for development and testing with libvirt, because you can just tweak the QEMU command line this way.

I'm running a Jenkins instance and it stages automatic firmware builds, at this address. Each time something is committed to the upstream repository it kicks off a build, so it has updates quite frequently. It's an easy way to install EDK2, or OVMF. There are also packages for the other firmware, SeaBIOS and coreboot, but the most interesting one is OVMF. There are three different versions. The one named smm is the one with system management support; system management support is a compile time option, so this one doesn't work without system management support, and it also requires Q35, because the older chipset just doesn't have a big enough TSEG. The other one, pure EFI, is just a UEFI firmware that supports both QEMU chipsets, and the third one additionally has SeaBIOS compiled in as a compatibility module. There's little reason to actually use it in a virtual machine, because you can just use SeaBIOS directly, but if you want to play with or test something which needs a compatibility module, you can use those.

OK, what's the time? Yeah, I think we have enough time for a short demo. This one. Control. OK, this. This is the secure boot configuration, I can look at it: disabled. And whoops, I just noticed I missed a slide, but I can show it in the demo. OVMF doesn't come with any keys in the default key store, and the way you can look at them is the EFI shell. I can see it right here. This one is a virtio-scsi disk, and there's an application which can be used to add the default keys. So that's the case and it enables secure boot support, and then we can boot. And then it just stops. The reason for that is that the image which enables secure boot isn't signed, and because it isn't signed it doesn't run anymore, because secure boot is enabled now and it wasn't before. So I can just use this one. So let's boot this one. You can see secure boot is enabled, and if you look you can see the certificates which are loaded by this enroll application. The first one is the Windows key, which Microsoft uses to sign the Windows operating system. The other one is the key Microsoft uses to sign third-party stuff, so that includes Linux, the shim application used by various Linux distributions, and also PCI option ROMs and stuff like that. And the Red Hat version of it also has the Red Hat key in there. So, OK, let's close that.

OK, that's the end. I didn't do this on my own. Actually, I did quite a small part of it: I did most of the Q35 chipset implementation. Also involved was Paolo, who did the KVM and TCG code, Paolo is also the KVM kernel maintainer, and the OVMF side and the talking to the Intel guys about releasing the source code for the SMM implementation was Laszlo, and I think he did most of the work to get all this going. Links are on the slides; you can also scan the QR code on the slides to get to the slides. That's it. Any questions?

So if you have any questions, we have four microphones here, two on each side. Do you have any questions yet? Otherwise...

I have a very quick question, kind of high level. Is there going to be support for, or does secure boot support things like containerization with cgroups? Or is it not even relevant?

I think for containers it isn't relevant, although there is a need for secure boot in that environment too, I would have thought. I think we would have to take a completely different approach, because it just doesn't work without a virtual machine, and you don't have one in containers.

Are there any questions from the Internet? Unfortunately not. OK. All right. Well, join me in thanking the speaker for such a great talk.
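The following is an added toy model (not QEMU code, and not part of the talk) of the mechanisms the talk describes: a priority-resolved memory region hierarchy with a black hole hiding TSEG from the normal view, a per-CPU view that only exposes SMRAM while that CPU is in SMM, bus-master DMA that never sees SMRAM, a variable store that discards writes lacking the secure transaction attribute, and the open/lock bits that close SMRAM and freeze the configuration until reset. All class, field and bit names are hypothetical; the sizes are the defaults mentioned in the talk.

```python
from dataclasses import dataclass

MIB = 1024 * 1024
RAM_SIZE = 2048 * MIB            # default split: 2 GiB below 4 GiB
TSEG_SIZE = 8 * MIB              # TSEG at the top of low RAM
TSEG_BASE = RAM_SIZE - TSEG_SIZE

@dataclass
class Region:
    """One memory region: address range, priority and enable state (toy model)."""
    name: str
    base: int
    size: int
    priority: int = 0
    enabled: bool = True

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

class AddressSpace:
    """Flattened view: the enabled region with the highest priority wins."""

    def __init__(self, regions):
        self.regions = regions

    def resolve(self, addr: int):
        hits = [r for r in self.regions if r.enabled and r.contains(addr)]
        return max(hits, key=lambda r: r.priority).name if hits else None

class SmramControl:
    """The chipset's SMRAM open/lock bits as described in the talk (hypothetical names)."""

    def __init__(self):
        self.open = False   # makes SMRAM visible outside SMM, used during firmware init
        self.lock = False   # freezes the configuration until reset

    def set_open(self, value: bool) -> bool:
        if self.lock:       # open is read-only once locked
            return False
        self.open = value
        return True

    def set_lock(self) -> None:
        self.lock = True    # locking also closes SMRAM
        self.open = False

    def reset(self) -> None:
        self.__init__()

class Machine:
    def __init__(self, vcpus: int = 2):
        self.ram = Region("ram", 0, RAM_SIZE, priority=0)
        # the black hole overlays the top of RAM and hides TSEG from the normal view
        self.blackhole = Region("blackhole", TSEG_BASE, TSEG_SIZE, priority=1)
        self.ctrl = SmramControl()
        self.in_smm = {cpu: False for cpu in range(vcpus)}
        self.varstore = {}  # contents of the pflash variable store

    def cpu_view(self, cpu: int) -> AddressSpace:
        # per-CPU address space: the SMRAM alias is enabled only while this CPU
        # is in SMM (or the chipset's open bit is set during firmware init)
        smram = Region("smram", TSEG_BASE, TSEG_SIZE, priority=2,
                       enabled=self.in_smm[cpu] or self.ctrl.open)
        return AddressSpace([self.ram, self.blackhole, smram])

    def dma_view(self) -> AddressSpace:
        # PCI bus-master DMA only ever gets the non-SMM system view
        return AddressSpace([self.ram, self.blackhole])

    def flash_write(self, cpu: int, name: str, value: bytes) -> bool:
        # the 'secure' transaction attribute is derived from the issuing CPU's
        # SMM state; the variable store discards writes that do not carry it
        secure = self.in_smm[cpu]
        if not secure:
            return False
        self.varstore[name] = value
        return True

def run_scenario() -> dict:
    """Probe the properties the talk describes; returns what each probe saw."""
    m = Machine()
    out = {}
    out["normal_view"] = m.cpu_view(0).resolve(TSEG_BASE + 0x100)
    m.in_smm[0] = True
    out["smm_view_cpu0"] = m.cpu_view(0).resolve(TSEG_BASE + 0x100)
    out["smm_view_cpu1"] = m.cpu_view(1).resolve(TSEG_BASE + 0x100)  # other CPU stays blind
    out["dma_view"] = m.dma_view().resolve(TSEG_BASE + 0x100)
    out["guest_flash_write"] = m.flash_write(1, "PK", b"from-guest")  # non-SMM: dropped
    out["smm_flash_write"] = m.flash_write(0, "PK", b"platform-key")  # constructed value
    out["open_ok"] = m.ctrl.set_open(True)
    m.ctrl.set_lock()
    out["open_after_lock"] = m.ctrl.open
    out["reopen_after_lock"] = m.ctrl.set_open(True)
    m.ctrl.reset()
    out["open_after_reset"] = m.ctrl.set_open(True)
    return out
```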