
Issue 885358

Starred by 7 users

Issue metadata

Status: Duplicate
Owner: ----
Closed: Oct 18
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature




Crostini: Support SSH keys in TPM on the host

Reported by alex.gay...@gmail.com, Sep 18

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 10895.56.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.95 Safari/537.36

Steps to reproduce the problem:
1. Use Crostini
2. Want to SSH places
3. Want to have hardware backed keys

What is the expected behavior?
There's an easy, out of the box, way to get SSH with a key set up in the TPM on the host.

The implementation is probably a PKCS#11 device that uses the kernel's crypto APIs, which in turn use virtio to have the parent provide the TPM.

This should _not_ result in the entire host TPM's keys being available to the guest!

What went wrong?
You have to have a file with a key in it, like some sort of person who doesn't care about security!

Did this work before? No 

Chrome version: 69.0.3497.95  Channel: stable
OS Version: 10895.56.0
Flash Version:
 
Components: OS>Systems>Containers
Labels: -Pri-2 Pri-3
there's probably zero chance of us exposing the host TPM to the VM

we're investigating vtpm support, but i'm not sure we have a bug to track that.  maybe Tom has something offhand for it.

with respect to having hardware backed ssh keys, that's already possible in CrOS today without using Crostini:
https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/doc/hardware-keys.md
vTPM meaning "it looks like a TPM inside the guest, but actually it's just a file on disk on the host"?

The support linked there is for the SSH app; for a variety of reasons I want to have hardware backed keys inside the VM, most importantly scripting and VCS integration.
Labels: Proj-Containers
Status: Available (was: Unconfirmed)
> vTPM meaning "it looks like a TPM inside the guest, but actually it's just a file on disk on the host"?

basically. the file would live in the user's encrypted storage which is backed by the real tpm.

Tom hasn't responded, so I'm just going to create a bug and dupe into that.

if you look through the docs I linked, the hwkeys work with any ssh client. so once we have USB pass thru, you can use that to pass the hwkey in. or if you're creative, could probably have an ssh-agent app expose access over the local network for the VM to use.

either way, direct access to the real TPM from VMs is off the table.
Mergedinto: 896557
Status: Duplicate (was: Available)
Ok. I think that reasonably meets my threat model -- I'd like to be resilient to path traversal and other arbitrary read vulnerabilities. Obviously doesn't protect against them on the host, but that should be a significantly thicker attack surface (no curl | bash there!).
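
The issue description and the closing comment both turn on private keys stored as plain files that any arbitrary-read bug can expose. As an added example that is not part of the original thread, this Python sketch classifies a key file's text as passphrase-encrypted or plaintext by reading the `openssh-key-v1` container header or the legacy PEM headers. The function names are hypothetical, and `make_sample` builds a constructed container with dummy payloads, not a usable key.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end


def classify_key_text(text):
    """Return 'plaintext', 'encrypted', or 'not-a-key' for a key file's text."""
    if "PRIVATE KEY-----" not in text:
        return "not-a-key"
    if BEGIN not in text:
        # Legacy PEM / PKCS#8 armour: encryption is declared in the headers.
        if "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text:
            return "encrypted"
        return "plaintext"
    body = text.split(BEGIN, 1)[1].split(END, 1)[0]
    try:
        blob = base64.b64decode("".join(body.split()), validate=True)
        if not blob.startswith(MAGIC):
            return "not-a-key"
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, _ = _read_string(blob, off)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "not-a-key"
    return "plaintext" if cipher == b"none" and kdf == b"none" else "encrypted"


def make_sample(cipher, kdf):
    """Constructed container header with dummy payloads; not a usable key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    blob += s(b"dummy-pub") + s(b"dummy-priv")
    return BEGIN + "\n" + base64.b64encode(blob).decode() + "\n" + END + "\n"
```
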
