Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 06-26-2021, 15:43
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 125
Rept. Given: 1
Rept. Rcvd 29 Times in 20 Posts
Thanks Given: 40
Thanks Rcvd at 268 Times in 84 Posts
DavidXanatos Reputation: 29
VMWare, emulated TPM without encryption

Hi,

VMWare requires a VM to be encrypted in order to add an emulated TPM,
for obvious reasons that might not be desirable.

Is there a known way to make the fake TPM work without encrypting the VM, i.e. a patch to bypass this requirement?

Cheers
David X.
Reply With Quote
  #2  
Old 06-26-2021, 17:24
deepzero's Avatar
deepzero deepzero is offline
VIP
 
Join Date: Mar 2010
Location: Germany
Posts: 282
Rept. Given: 104
Rept. Rcvd 62 Times in 40 Posts
Thanks Given: 132
Thanks Rcvd at 171 Times in 82 Posts
deepzero Reputation: 63
So what's happening is that the security of a TPM relies on the fact that it's not software but a physical chip. This is obv not the case for a virtual one, so they had to shift the security-anchor to somewhere else, in this case the encrypted VM. Indeed the entire TPM-config is contained encrypted in the encryption.data key of the .vmx file.
But you probably know all this already .. I am guessing this is related to Windows 11?

Technically all that should be necessary is to dump the encrypted TPM hw-settings on vm-hw initialization right after the password prompt. And then decrypt the VM, and inject the decrypted TPM-config in the right place on startup... (i wonder if they left behind some way to load a decrypted TPM for debugging...).


Any attempt will probably keep you busy for a solid weekend. I am not aware of any work on this so far. If it's an option for you, I think QEMU offers virtualized TPM without VM encryption. If it's really required for windows 11 to work, pressure will rise on virtualbox to add it. Which will be considerable easier to work around, even if they do tie it to VM encryption.
Reply With Quote
The Following 2 Users Say Thank You to deepzero For This Useful Post:
DavidXanatos (06-26-2021), tonyweb (06-27-2021)
  #3  
Old 06-26-2021, 21:00
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 125
Rept. Given: 1
Rept. Rcvd 29 Times in 20 Posts
Thanks Given: 40
Thanks Rcvd at 268 Times in 84 Posts
DavidXanatos Reputation: 29
Well encrypting the TPM itself, is fine with me, but they insist on encrypting the virtual drives as well and that's just overkill and moreover unnecessary.
This way I can not quickly add a TPM to a VM and later remove it without going through a long process or en- and then de-cryptionof the virtual drives.
That is imho unnecessary as if one wants the drive content to be secure one can use bit locker with the encrypted TPM or alike.

I would like to add some proper TPM support to disccryptor and for that I would need some quick way to test many things without risking to brick real hardware.

I'll check out QEMU it would be great if it would provide the needed functionality without all the hassle of VMware.
Reply With Quote
  #4  
Old 06-26-2021, 23:56
deepzero's Avatar
deepzero deepzero is offline
VIP
 
Join Date: Mar 2010
Location: Germany
Posts: 282
Rept. Given: 104
Rept. Rcvd 62 Times in 40 Posts
Thanks Given: 132
Thanks Rcvd at 171 Times in 82 Posts
deepzero Reputation: 63
Quote:
This way I can not quickly add a TPM to a VM and later remove it without going through a long process or en- and then de-cryptionof the virtual drives.
You should be able to remove it (and re-add it) without decrypting and reencrypting the VM.
The VM-encryption happens on the hypervisor level and is 100% invisible to the guest OS. So you can have Bitlocker full-disk active within an encrypted VM. The only danger is that you encrypt your guest OS with Bitlocker-on-TPM, then delete the virtual TPM -> now you have a very big problem...
Reply With Quote
The Following 2 Users Say Thank You to deepzero For This Useful Post:
DavidXanatos (06-27-2021), tonyweb (06-27-2021)
  #5  
Old 06-27-2021, 03:59
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 125
Rept. Given: 1
Rept. Rcvd 29 Times in 20 Posts
Thanks Given: 40
Thanks Rcvd at 268 Times in 84 Posts
DavidXanatos Reputation: 29
Quote:
Originally Posted by deepzero View Post
You should be able to remove it (and re-add it) without decrypting and re encrypting the VM.
Ok right... still I would like to skip the initial encryption step as I have a few 100gb large VM's, although yea for the testing i could use a fresh one that is much smaller.
Reply With Quote
  #6  
Old 06-27-2021, 17:21
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 619
Rept. Given: 17
Rept. Rcvd 41 Times in 25 Posts
Thanks Given: 566
Thanks Rcvd at 927 Times in 423 Posts
chants Reputation: 41
Is it using AES-256-GCM? Their are good fast hardware implementations of it so would make sense. Even for a VM it shouldn't have too high a cost given that intrinsic have been in modern processors for some time.

Interestingly enough, differential power analysis can dump the keys from the chip and wikipedia purports the CIA already did this a few years back
Reply With Quote
  #7  
Old 09-19-2021, 16:52
DominicCummings DominicCummings is offline
Friend
 
Join Date: Mar 2021
Posts: 12
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 23
Thanks Rcvd at 14 Times in 6 Posts
DominicCummings Reputation: 0
An update on this thread -- virtualbox devs are planning to pass through the physical TPM rather than emulating one to the guest -- www.virtualbox.org/changeset/90946/vbox -- which has just been pushed.

I don't get how that's supposed to work if two devices are trying to use it at the same time. Similarly, I don't like the idea of people using it to break VM isolation, or alternatively hide keys.

QEMU have already implemented tpm emulation but there are two currently "not supported" interrupts, fortunately not hugely relevant, but still -- https://qemu.readthedocs.io/en/latest/specs/tpm.html#. Fortunately, it's possible to directly inspect the TPM and its communication protocol (TIS) state by making a debug build:

Quote:
This patch uses the possibility to add a vendor-specific register and
adds a debug register useful for dumping the TIS's internal state. This
register is only active in a debug build (#define DEBUG_TIS).
Hopefully this won't last too long and won't protect too much...

Last edited by DominicCummings; 09-19-2021 at 17:24.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 21:01.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2021 )