Exetools  

#1 DavidXanatos, 06-26-2021, 15:43
VMWare, emulated TPM without encryption

Hi,

VMware requires a VM to be encrypted in order to add an emulated TPM;
for obvious reasons that might not be desirable.

Is there a known way to make the fake TPM work without encrypting the VM, i.e. a patch to bypass this requirement?

Cheers
David X.

#2 deepzero, 06-26-2021, 17:24
So what's happening is that the security of a TPM relies on the fact that it's not software but a physical chip. This is obv not the case for a virtual one, so they had to shift the security-anchor to somewhere else, in this case the encrypted VM. Indeed the entire TPM-config is contained encrypted in the encryption.data key of the .vmx file.
But you probably know all this already .. I am guessing this is related to Windows 11?

Technically all that should be necessary is to dump the encrypted TPM hw-settings on vm-hw initialization right after the password prompt. And then decrypt the VM, and inject the decrypted TPM-config in the right place on startup... (I wonder if they left behind some way to load a decrypted TPM for debugging...).


Any attempt will probably keep you busy for a solid weekend. I am not aware of any work on this so far. If it's an option for you, I think QEMU offers virtualized TPM without VM encryption. If it's really required for Windows 11 to work, pressure will rise on VirtualBox to add it. Which will be considerably easier to work around, even if they do tie it to VM encryption.
The Following 3 Users Say Thank You to deepzero For This Useful Post:
binarylaw (02-22-2022), DavidXanatos (06-26-2021), tonyweb (06-27-2021)

#3 DavidXanatos, 06-26-2021, 21:00
Well, encrypting the TPM itself is fine with me, but they insist on encrypting the virtual drives as well, and that's just overkill and moreover unnecessary.
This way I cannot quickly add a TPM to a VM and later remove it without going through a long process of en- and then de-cryption of the virtual drives.
That is imho unnecessary, as if one wants the drive content to be secure one can use BitLocker with the encrypted TPM or the like.

I would like to add some proper TPM support to DiskCryptor, and for that I would need some quick way to test many things without risking bricking real hardware.

I'll check out QEMU; it would be great if it would provide the needed functionality without all the hassle of VMware.

#4 deepzero, 06-26-2021, 23:56
Quote:
This way I cannot quickly add a TPM to a VM and later remove it without going through a long process of en- and then de-cryption of the virtual drives.
You should be able to remove it (and re-add it) without decrypting and re-encrypting the VM.
The VM-encryption happens on the hypervisor level and is 100% invisible to the guest OS. So you can have BitLocker full-disk active within an encrypted VM. The only danger is that you encrypt your guest OS with BitLocker-on-TPM, then delete the virtual TPM -> now you have a very big problem...
The Following 2 Users Say Thank You to deepzero For This Useful Post:
DavidXanatos (06-27-2021), tonyweb (06-27-2021)

#5 DavidXanatos, 06-27-2021, 03:59
Quote:
Originally Posted by deepzero
You should be able to remove it (and re-add it) without decrypting and re-encrypting the VM.
Ok, right... still, I would like to skip the initial encryption step as I have a few 100 GB large VMs, although yeah, for the testing I could use a fresh one that is much smaller.

#6 chants, 06-27-2021, 17:21
Is it using AES-256-GCM? There are good fast hardware implementations of it, so it would make sense. Even for a VM it shouldn't have too high a cost given that intrinsics have been in modern processors for some time.

Interestingly enough, differential power analysis can dump the keys from the chip, and Wikipedia purports the CIA already did this a few years back.

#7 DominicCummings, 09-19-2021, 16:52
An update on this thread -- VirtualBox devs are planning to pass through the physical TPM rather than emulating one to the guest -- www.virtualbox.org/changeset/90946/vbox -- which has just been pushed.

I don't get how that's supposed to work if two devices are trying to use it at the same time. Similarly, I don't like the idea of people using it to break VM isolation, or alternatively hide keys.

QEMU have already implemented TPM emulation but there are two currently "not supported" interrupts, fortunately not hugely relevant, but still -- https://qemu.readthedocs.io/en/latest/specs/tpm.html#. Fortunately, it's possible to directly inspect the TPM and its communication protocol (TIS) state by making a debug build:

Quote:
This patch uses the possibility to add a vendor-specific register and
adds a debug register useful for dumping the TIS's internal state. This
register is only active in a debug build (#define DEBUG_TIS).
Hopefully this won't last too long and won't protect too much...

Last edited by DominicCummings; 09-19-2021 at 17:24.

#8 DavidXanatos, 10-01-2021, 19:14
Passing through is a terrible idea, as then the host PC must have a TPM; also, it violates privacy, as then the host of a VM can be uniquely identified.

Still waiting for a solution to enable TPM on VMware without having to encrypt the entire VM.

#9 Stingered, 12-29-2021, 08:42
I came across this Twitter thread and thought of your issue. Possibly this could be a solution?

https://twitter.com/mikeroySoft/status/1448675626714501122?ref_src=twsrc%5Etfw

VMX flag:
managedvm.autoAddVTPM="software"

Supposedly it only encrypts enough for the “secure enclave”, so perf should be way better, & no pwd.
The Following 2 Users Say Thank You to Stingered For This Useful Post:
DavidXanatos (12-29-2021), LaDidi (12-29-2021)
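
Added example (not part of any post in this thread, and not VMware code): a small .vmx parser that reports whether the encryption.data key mentioned in post #2 is present and what managedvm.autoAddVTPM from post #9 is set to, so the state of a test VM can be checked before and after changing it. The sample file contents and the function names are constructed for illustration.

```python
import re

# A .vmx file is a flat list of key = "value" lines; keys are compared
# case-insensitively here (an assumption of this example).
_LINE = re.compile(r'^\s*([^#\s=][^=\s]*)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def vtpm_report(text):
    """Summarise the settings named in the thread; blob contents are never echoed."""
    s = parse_vmx(text)
    blob = s.get("encryption.data")
    # Settings still readable in plaintext, i.e. outside the encrypted blob.
    plain = [k for k in s if not k.startswith("encryption.") and k != ".encoding"]
    return {
        "encryption_data_present": blob is not None,
        "encryption_data_chars": len(blob) if blob else 0,
        "auto_add_vtpm": s.get("managedvm.autoaddvtpm"),
        "plaintext_settings": len(plain),
    }


# Constructed sample input, not taken from a real VM.
SAMPLE = '''\
.encoding = "UTF-8"
displayName = "tpm-test"
managedvm.autoAddVTPM = "software"
encryption.data = "Q09OU1RSVUNURUQ="
'''

if __name__ == "__main__":
    for key, value in vtpm_report(SAMPLE).items():
        print(f"{key}: {value}")
```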