VMware Cloud Community
vbalogh28
Contributor
Contributor

VM SecureBoot with vTPM and custom signed kernel

Hi,

I am in the process of hardening Debian. Due to some other requirements the kernel has to be recompiled with some special settings and eventually it will be signed for SecureBoot. There are various tools to deal with EFI binaries and the TPM 2.0 chip, some of them are distribution specific. My aim is to wipe the default keys in the TPM and put in my own PK, KEK and DB keys. Then I compose an EFI binary where I put the kernel, the initial ramdisk and the modules and sign it with my DB key so I can start it off EFI directly without a bootloader. My workflow is mostly based on this article:

https://blastrock.github.io/fde-tpm-sb.html

All is fine and I was able to compile a fresh custom kernel, generate the PK/KEK/DB keys, pack everything into an EFI binary and sign it with the DB key. The whole thing was even able to boot with LUKS full disk encryption and the passphrase stored in TPM if I disable SecureBoot, so I know that the rest is working. So now only the key replacement is left.

But here comes the issue: I cannot replace the keys in the vTPM module. I went through the official documentation on docs.vmware.com multiple times, it seems all I am able to do is replace the CERTIFICATE in the TPM. However, I need to replace the keys as well since I need the PK (platform) key to sign the KEK and then I need the KEK key to sign the DB key. Without the custom platform key I am lost as that is how the chain should start.

Now various sources all over the internet describe how to put the TPM chip into "Setup mode" and then back to "User mode" or whatever (the naming might change from vendor to vendor) and then I would be able to replace the keys.

So far I have tried standard Linux tools like efi-updatevar or  tpm2-tools and tpm2-initramfs-tools, and even the EFI binary based Keytool.efi image. None of these gave me success, the most intuitive was the Keytool.efi where I have seen the attached error message (26) Security Violation.  I have tried to clear TPM from within UEFI but that just seems to reset the chip to the initial state with the standard Microsoft keys and chain.

Does anyone know if what I am trying is even implemented? I am not asking if it is supported: if vTPM is a full implementation of the TPM 2.0 standard then it should be possible. The question is if it works in vSphere 8U1 (that's where I'm at now with my lab where I am testing this) and if it does, what is really the trick to get the TPM to "read-write" mode?

 

Note1: I am testing this with a VM having a vTPM with Native Key Provider, the ESXi itself does not have a ESXi-supported TPM chip (whitebox)

Note2: I am aware of the possibility that I could just add my kernel signing key to the bootloader as MOK (Machine Owner Key) and boot via the grub shim, but it is not what I want. It has to have end-to-end security. The final product will run on baremetal so I am just using ESXi with vTPM for the PoC

Labels (4)
Reply
0 Kudos
1 Reply
vbalogh28
Contributor
Contributor

https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creat...

"1.3.3 Platform Key (PK)

...The platform owner enrolls the public half of the key (PKpub) into the platform firmware as specified in Section 7.2.1 of the UEFI 2.3.1 Errata C. This step moves the platform into user mode from setup mode.....
Enterprise customers or Server customers can also customize PK, replacing the OEM-trusted PK with a custom-proprietary PK to lock down the trust in UEFI Secure Boot firmware to itself."

This is exactly what I'm trying to do. Does anyone have a similar setup?

Reply
0 Kudos