Issue 835324 link

Starred by 4 users

Issue metadata

Status: Verified
Closed: May 2018
OS: Chrome
Pri: 2
Type: Feature


Create attestation-based data if there is no stable device secret

Project Member Reported by drcrash@chromium.org, Apr 20 2018

Issue description

Description:
When there is no stable device secret on the device, use other characteristics of the device to generate the attestation-based data needed to compute enrollment identifiers.

Use case:
This will allow Auto Re-Enrollment (Auto RE) to work for devices that do not have a stable device secret (e.g. samus and others).

Motivation:
Allow every Chrome OS device to use Auto RE.

Existing workarounds:
Remove the device write protection and generate a stable device secret. So, practically, nothing an admin would do for Auto RE.

 
Blocking: 840496
Comment 2 by bugdroid1@chromium.org (Project Member), May 24 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/4a25d627ce6310fefb40325eb42ba705d9323233

commit 4a25d627ce6310fefb40325eb42ba705d9323233
Author: Yves Arrouye <drcrash@google.com>
Date: Thu May 24 07:23:17 2018

cryptohome, attestation: Generate attestation-based data as needed.

If there is no device stable secret, use other data (SN and RLZ code)
to generate attestation-based data.

Use get_vpd_value to read the VPD. Note that as a side effect of using
get_vpd_value we now allow the device stable secret to be in the RW VPD,
but that is okay. Also get_vpd_value adds a trailing newline that the
vpd command does not have.

To test, deploy on devices with the following properties, before the
device is owned:

1. A stable secret in the RO VPD, e.g. a device where:

  # vpd -g device_stable_secret_DO_NOT_SHARE

returns a value (64 hex characters).

2. No stable secret (e.g. the command in 1 returns an empty string). On
that device, write a secret in the RW VPD and reboot:

  # vpd -i RW_VPD -s device_stable_secret_DO_NOT_SHARE=$(openssl rand -hex 32) \
      && reboot

3. No stable secret. Just do not generate one.

Test by enrolling each device with the PCA and requesting an enrollment
certificate. Obtention of that certificate means that the secret was
properly read.

Because this is cryptohomed, you will need a device with a TPM 1.2 (e.g.
a veyron_minnie or samus, not an eve or gru etc.).

Initialize:

  # cryptohome --action=tpm_take_ownership
  # cryptohome --action=tpm_clear_stored_password

Wait until there is no owner password shown when asking for status,
e.g.:

  # cryptohome --action=tpm_more_status
  [cryptohome.GetTpmStatusReply.reply] {
    enabled: true
    owned: true
    initialized: true
    attestation_prepared: true
    attestation_enrolled: true
    dictionary_attack_counter: 0
    dictionary_attack_threshold: 10
    dictionary_attack_lockout_in_effect: false
    dictionary_attack_lockout_seconds_remaining: 0
    install_lockbox_finalized: false
    boot_lockbox_finalized: false
    verified_boot_measured: false
  }
  GetTpmStatus success.

Then enroll:

  # cryptohome --action=tpm_attestation_start_enroll \
      --output=/tmp/enroll3552_request
  # curl -s -H "Content-Type: application/octet-stream" \
      --data-binary @/tmp/enroll3552_request \
      -o /tmp/enroll3552_response https://chromeos-ca.gstatic.com/enroll
  # cryptohome --action=tpm_attestation_finish_enroll \
      --input=/tmp/enroll3552_response --output=/tmp/enroll3552_result
  # rm /tmp/enroll3552_*

Then request an enrollment certificate:

  # cryptohome --action=tpm_attestation_start_cert_request \
      --profile=enrollment --output=/tmp/cert4990_request
  # curl -s -H "Content-Type: application/octet-stream" \
      --data-binary @/tmp/cert4990_request -o /tmp/cert4990_response \
      https://chromeos-ca.gstatic.com/sign
  # cryptohome --action=tpm_attestation_finish_cert_request \
      --name=attest-4990-enrollment --input=/tmp/cert4990_response \
      --output=/tmp/cert4990_result
  # cat /tmp/cert4990_result && echo
  -----BEGIN CERTIFICATE-----

If the last cryptohome gives an error, this is not working.

BUG=chromium:835324
TEST=See detailed steps above.

Change-Id: If542268583dba12589bca361d953f12770711130
Reviewed-on: https://chromium-review.googlesource.com/1022078
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Yves Arrouye <drcrash@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/4a25d627ce6310fefb40325eb42ba705d9323233/cryptohome/init/cryptohomed.conf
[modify] https://crrev.com/4a25d627ce6310fefb40325eb42ba705d9323233/attestation/server/attestationd.conf

Status: Verified (was: Assigned)
Blocking: -840496
Labels: M-68
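The selection logic the CL describes (prefer a stable secret from the RO or RW VPD, strip the trailing newline that get_vpd_value appends, and otherwise fall back to data derived from the serial number and RLZ code), as an added shell example that is not code from the CL or from cryptohome. The SHA-256 fallback derivation and the value layout are constructed assumptions; the CL does not state how SN and RLZ code are combined.

```bash
#!/bin/bash
# Added example, not the CL's code. Inputs are passed as arguments instead of
# being read with get_vpd_value, so the script runs without a VPD.

# Strip the single trailing newline get_vpd_value adds and accept only a
# 64-hex-character value, which is what `vpd -g` returns for a real secret.
normalize_stable_secret() {
  local raw="$1"
  local value="${raw%$'\n'}"
  if [[ "$value" =~ ^[0-9a-fA-F]{64}$ ]]; then
    printf '%s' "$value"
    return 0
  fi
  return 1   # empty, malformed, or still carrying other whitespace
}

# Pick the attestation-based data: a stable secret from the RO VPD, then the
# RW VPD, else a value derived from serial number and RLZ code (assumed
# derivation: SHA-256 over both fields). Fails if nothing usable exists.
select_attestation_data() {
  local ro_secret="$1" rw_secret="$2" serial="$3" rlz="$4"
  local candidate secret
  for candidate in "$ro_secret" "$rw_secret"; do
    if secret=$(normalize_stable_secret "$candidate"); then
      printf 'stable_secret:%s' "$secret"
      return 0
    fi
  done
  if [ -z "$serial" ] || [ -z "$rlz" ]; then
    return 1   # no secret and no device characteristics to derive from
  fi
  printf 'derived:%s' \
    "$(printf 'sn=%s;rlz=%s' "$serial" "$rlz" | sha256sum | cut -d' ' -f1)"
}
```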
