Securing Embedded Linux with TPM

New to Advanced Security Training? New to Embedded Linux? Check out our FREE WEBINAR EMBEDDED LINUX FROM SCRATCH IN 30 MINS OR LESS

With more IoT platform requiring digital certificates, developers and pen testers must now be aware of topics like client certificates, PKCS#11, hardware support for keys, and how to create test environments.

Topics Covered during this course

• Introduction to X.509 Digital Certificates, digital signatures, and Public Key Infrastructure
• Trusted Platform Module 2.0 including hardware and software capabilities and its place in the Trusted Computing Group
• TPM support in Linux and uboot. Measured boot and trusted keys in the kernel key ring.
• PKCS#11: the standard by which most cryptographic hardware is used.
• TLS : Specifically client certificates and how the TLS handshake uses hardware-backed keys

Day 1 Introduction to hardware crypto concepts

Theory

We assume starting with zero knowledge of certificates, crypto or the TPM so today we will build up the basics. The main learning objects for this day are:

• Cryptographic basics to support Public Key Infrastructure
• Trusted Platform Module overview
• How the Trusted Platform Module is supported in Linux

Assignments

• PKI lab with openSSL. How to build and test certificate chains from scratch so you don't have to stack overflow anymore.
• TPM lab. We will be using the TPM simulator and we will explore many TPM2 commands and their uses.
• Linux Key Retention Service. We'll investigate trusted keys and what they enable for userspace services like LUKS, dm-crypt, dm-verity, and fs-verity.

Day 2 Build Day

Theory

The goal of today is to build a hardware-back client certificate working proof of concept using TLS. We will focus on the TPM but it really can be anything that has the glue interface of PKCS#11. We'll go over PKCS#11 and then spend the major of the day building this end-to-end example which you may use to develop a product or figure out how to hack one!

Assignments

PKCS#11 Lab - The joy and pain of PKCS#11, we will get to know it well. End-to-End working PoC. We are going to build, from scratch, a pretty epic project. We will make a new PKI with client and server certificates. We'll build a server to enforce client certificates. We'll integrate a PKCS#11 library with openSSL. We will issue client certificates from a Certificate Authority (simulating device registration). And we will but it all together.

Class Requirements

• Arty Z7020 (NOT THE Z7010, please do not buy the Z7010) or the Pynq Z1 or Z2.
• MicroSD card up from 4GB to 32GB.
• MicroUSB cable
• A device capable of "burning" a microSD card (i.e. a microSD reader/writer)
• A laptop or desktop that can communicate via a serial terminal (teraTerm, serial, tio, picocom etc...) to the board

Class Prerequisites

• Students will be coding in Python and bash and various configuration languages
• We will be reviewing many things in C, but students will not need to code in C
• No knowledge of cryptography, TLS, or the TPM. We'll go over all that.