From b46c938bb1bde7317015fc562f7b25b45513b917 Mon Sep 17 00:00:00 2001 From: Filene Taylor <122162867+PhilienTaylor@users.noreply.github.com> Date: Thu, 25 Sep 2025 15:32:50 -0400 Subject: [PATCH 1/2] Update Heads-threat-model.md Included more clear formatting of how Heads can produce a TPMTOTP or a TPMHOTP, and how the former requires users to monitor the same system time synchronicity between machines. --- About/Heads-threat-model.md | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/About/Heads-threat-model.md b/About/Heads-threat-model.md index 81f03b0..ff20f82 100644 --- a/About/Heads-threat-model.md +++ b/About/Heads-threat-model.md @@ -26,9 +26,9 @@ For these reasons, Tails is not sufficient for many users who want a laptop that won't be able to modify the hardware underneath them. Complicating this goal is that modern x86 hardware is full of modifiable state - [State considered harmful, Rutkowska 2015]({{ site.baseurl }}/PDFs/state_harmful.pdf) + ([State considered harmful, Rutkowska 2015]({{ site.baseurl }}/PDFs/state_harmful.pdf)) and it is full of dusty corners that can hide malware or unauthorized code. - Additionally there is unverifiable code running in the Intel Management Engine, + Additionally, there is *unverifiable* code running in the Intel Management Engine, which has access to memory, to the network and various other peripherals. As a result we must trust certain entities more than others and this does affect our threat model. @@ -94,6 +94,7 @@ As we consider building secure hardware, it is very important to keep in mind * System Administrators * Protection of Key escrow for storage keys * Deliberate tampering with HW/SW config + * For TOTP: Time Synchronization on Motherboard Time VS TOTP Provider * Can we implement two-key authentication to reduce chance of backdoors? System Firmware @@ -118,12 +119,23 @@ Before the user enters a disk decryption password it must prove to the user that the Measured Boot process has started the expected firmware. This presents a problem: the system can't simply display a secret message since that could be replayed by an attacker's firmware and the user doesn't want to enter the - password without knowing that the system is in a safe state. TPMTOTP - [Anti Evil maid 2 Turbo Edition, Matthew Garret 2015](https://mjg59.dreamwidth.org/35742.html) - and [Beyond anti evil maid](https://media.ccc.de/v/32c3-7343-beyond_anti_evil_maid) - addresses this by using the Time-based One-time Password Algorithm (TOTP) to - compute a function on a shared secret and the current time, which allows the - user to verify the output on a second mobile device or TOTP display token. + password without knowing that the system is in a safe state. The answer Heads + uses, is inspired by work on Anti Evil Maid software; [Anti Evil maid 2 Turbo Edition, Matthew Garret 2015](https://mjg59.dreamwidth.org/35742.html) and [Beyond anti evil maid](https://media.ccc.de/v/32c3-7343-beyond_anti_evil_maid). + Heads computes a value using data stored in the TPM, producing a One-Time-Code + measured boot code that you verify by matching this to a Time-based One Time + Password based on device time or Hardware-based One Time Password based on boots. + +Validating boots using TPMTOTP, TPM-based TOTP in Heads, requires a threat model including user error for time. + The TPM and Heads addresses a change in boot media by using a One-time Password Algorithm (OTP) to + compute a function made from a shared secret and one other piece of information: the *current + UTC time*, or *the bootcount*, the former allows the user to verify the output on a second + mobile device or TOTP display token, and the latter verifies using a Hardware-based OTP provider. + ***_TOTP requires time security and synchronicity between your booting Heads machine time + and your TOTP device's UTC hardware time_***, _which may be changed intentionally or automatically_ + using a cellphone or secure remote authenticator service. Without this time synchronization + *within seconds*, the Measured Boot will estimate a different TOTP code than matches your device. + Hardware-based OTP providers are excluded from this time requirement, as they calculate + calculate the secret as your Heads device by HOTP secrets using the bootcounts. Trammell Hudson ported [mjg59's tpmtotp](https://mjg59.dreamwidth.org/35742.html) to run from inside the boot ROM of a Thinkpad x230 using CoreBoot with a Linux @@ -266,7 +278,7 @@ Goals of the attacker * Monitor the user's communications * Exfiltrate data from running system * Recover data from a shutdown system -* Masquarade as the user +* Masquerade as the user * Install unauthorized software Capabilities of the attacker From 1bb4fe5fd41a9ca79831b741aac553f1f43e5849 Mon Sep 17 00:00:00 2001 From: Filene Taylor <122162867+PhilienTaylor@users.noreply.github.com> Date: Thu, 25 Sep 2025 15:37:08 -0400 Subject: [PATCH 2/2] Update Heads-threat-model.md I did it >u> --- About/Heads-threat-model.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/About/Heads-threat-model.md b/About/Heads-threat-model.md index ff20f82..ffa9207 100644 --- a/About/Heads-threat-model.md +++ b/About/Heads-threat-model.md @@ -135,7 +135,7 @@ Validating boots using TPMTOTP, TPM-based TOTP in Heads, requires a threat model using a cellphone or secure remote authenticator service. Without this time synchronization *within seconds*, the Measured Boot will estimate a different TOTP code than matches your device. Hardware-based OTP providers are excluded from this time requirement, as they calculate - calculate the secret as your Heads device by HOTP secrets using the bootcounts. + the secret as your Heads device by HOTP secrets using the bootcounts. Trammell Hudson ported [mjg59's tpmtotp](https://mjg59.dreamwidth.org/35742.html) to run from inside the boot ROM of a Thinkpad x230 using CoreBoot with a Linux