
Comments (14)

roboknight commented on May 23, 2024

@edmcman, hopefully you got my message.

from bitleaker.

edmcman commented on May 23, 2024

So I believe my hunch about the key sizes was correct. After I changed 220 to 0xfc and also adjusted the command size in the TPM2_Load header, it produced a command that the TPM 2.0 command parser was actually able to parse:

Command: (hex dump omitted)

Header:
Tpm2Lib.CommandHeader
  Tag                   Sessions                  TpmSt
  CommandSize           279 (0x117)               uint
  CommandCode           Load                      TpmCc

Command Parameters:
Tpm2Lib.Tpm2LoadRequest
  parentHandle          -                         TpmHandle
    handle              2164260865 (0x81000001)   uint
  inPrivate             -                         TpmPrivate
    buffer              0x00205d12f20370ef..
                          ed16f28549040603        byte[170]
  inPublic              -                         TpmPublic
    type                Keyedhash                 TpmAlgId
    nameAlg             Sha256                    TpmAlgId
    objectAttributes    FixedTPM|
                          FixedParent|
                          NoDA                    ObjectAttr
    authPolicy          0xf510e7ebcba225bc..
                          23c3737e8ad2f7ef        byte[32]
    parameters          -                         KeyedhashParms
      schemeScheme      Null                      TpmAlgId
      scheme            -                         NullSchemeKeyedhash
    unique              -                         Tpm2bDigestKeyedhash
      buffer            0x75ffbf4ecdc76324..
                          a2be4192426bd3cb        byte[32]

Sessions [1]
0: Tpm2Lib.SessionIn
  handle                -                         TpmHandle
    handle              1073741833 (0x40000009)   uint
  nonceCaller           0x                        byte[0]
  attributes            None                      SessionAttr
  auth                  0x                        byte[0]

Unfortunately, the command still fails with the same error code 0x018b, suggesting that something is wrong with the handle.


edmcman commented on May 23, 2024

If I carve out the pub and priv files, I can use tpm2_load successfully..... 🤔

m/e/e/bitleaker $ sudo tpm2_load -C 0x81000001 -u pub.bin -r priv.bin -c key.ctx
name: 000bf325093fd7907253ed86deecb9ca6dce799389bc85afc0858f78cc95149baaa9


edmcman commented on May 23, 2024

I wonder if the error message is referencing the 0x40000009 handle (instead of 0x81000001, which was implied in #9)


edmcman commented on May 23, 2024

So I was having the same problem as #3 in that the orderly bit was clear, and I guess that causes TPM2_Load to fail.


roboknight commented on May 23, 2024

Yes. I had code to “clear” the flag in some instances, but Intel/Dell may have fixed that. Basically, it has to save the “empty” state to clear it. But I have found this doesn’t always work. If not, your device is ACTUALLY secure.


edmcman commented on May 23, 2024

@roboknight Your trick seemed to work -- unloading the bitleaker kernel module and suspending again.

However, my PolicyPCR command fails. One thing that has been confusing me is that Bitleaker appears to extend some PCRs -- I saw you post about this as well -- but these don't appear in Bitleaker's event log. Did you experience that?

Also, how did you know that your setup was using SHA1 hashes if you don't mind me asking?

Thanks, your notes, code and comments have been very helpful for me!


edmcman commented on May 23, 2024

Although I got around the original TPM2_Load problem, PolicyPCR is failing.

I think I understand why now.

If I understand correctly, BitLocker with Secure Boot enabled uses PCRs 7 & 11. In #11 (comment), @roboknight noted that EV_Separator is extended to PCRs 0-7. Since this extending happens in BitLocker, BitLeaker's bootloader would not see it in the log. But that is OK since we have to manually set PCR 7 anyway. So basically BitLeaker only needs to leak PCR 11 correctly.

I do not have Secure Boot enabled, and per manage-bde -protectors -get C: my machine is using PCRs 0, 2, 4, and 11.

I think there are two problems:

  • BitLocker extends PCRs itself, which BitLeaker would not see. I think this starts at 9 in #11 (comment).
  • Something about booting BitLeaker seems to cause some other changes to PCRs. For example, BitLeaker sees PCR 5, Event 80000006, SHA256= d4 cb 1d 7f 9a 55 a4 c5 ba fa d4 17 ce ad d0 37 57 24 97 6a eb cf d5 a2 e5 df 3c df 51 de 41 7b but I see no sign of this when parsing the TPM event logs from Windows.

TLDR: Bitleaker will not work as is for my PCRs, because 0, 2, and 4 are extended by Bitlocker after Bitleaker reads the event log. Probably the easiest thing for me to do is try to extract the PCR values I need to extend from the TPM event logs from Windows rather than the ones in Bitleaker. And then figure out how to compute the differences, sort of how Bitleaker does now with PCR 7.

TLDR TLDR: Bitleaker won't work without secure boot.


edmcman commented on May 23, 2024

After enabling secure boot and redoing bitlocker, I was able to get bitleaker to work. It was a bit of a pain because of the orderly TPM problem. I ended up running bitleaker in Ubuntu 18.04 to get the .bin TPM command files. I then booted into Ubuntu focal and used the following script to set my PCRs to the right values:

https://gist.github.com/edmcman/35c1b830854804a1847949795409d163

I then used tpm2_send to send the .bin TPM commands files that bitleaker produced. And then I manually carved out the key from the response and used it with dislocker.

Hopefully that helps someone in the future.


roboknight commented on May 23, 2024

I have an updated Bitleaker that uses a later version of Ubuntu. I got it to work with EFI, so you don’t need the initial loader. It was a bit tricky, but it works and has some instructions. I have an image somewhere. As to the SHA1 question, it’s the hash lengths. They were 0x14 bytes, not 0x20 (SHA256).


roboknight commented on May 23, 2024

PS: As you discovered, Bitleaker doesn’t manage non-secure boot Bitlocker. Only Bitlocker with secure boot. As for PCR11, its only purpose is to prevent someone from getting the key after Bitlocker. Bitlocker extends PCR11 after booting to lock the key in the TPM. You can’t replay the hashes for Bitlocker from recording them through Bitleaker if you don’t use secure boot because one of the PCRs deals with boot order I think. However, recording the PCRs from PCPTool should let you replay them.

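An added worked example (my own code, not the thread's, the linked gist's, or the bitleaker project's) covering the PCR reasoning in the three comments above: replaying an event log to get PCR values, deriving the authPolicy digest a TPM2_PolicyPCR policy over PCRs 7 and 11 must match, showing why measurements made after the log was captured (the EV_SEPARATOR extends and BitLocker's own PCR 11 extend) change that digest while extends to unselected PCRs do not, telling the SHA-1 and SHA-256 banks apart by digest length, and emitting the tpm2_pcrextend arguments that reproduce the log. The event digests are constructed for the example and are not real measurements; the 7/11 selection and the pcrextend argument syntax are the only things taken from the thread and tpm2-tools respectively. The PolicyPCR update formula is the one in the TPM 2.0 library spec.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F
ALG_ID = {"sha1": 0x0004, "sha256": 0x000B}


def alg_from_digest_len(n: int) -> str:
    """0x14-byte digests are SHA-1, 0x20-byte digests are SHA-256 (roboknight's test)."""
    return {20: "sha1", 32: "sha256"}[n]


def pcr_extend(pcr: bytes, digest: bytes, alg: str) -> bytes:
    """PCR_new = H(PCR_old || digest): what the TPM does for every logged event."""
    return hashlib.new(alg, pcr + digest).digest()


def replay_event_log(events, alg: str) -> dict:
    """Replay (pcr_index, digest) pairs in log order from the reset value.
    Only PCRs 0-16 are modelled (they reset to all zeros); 17-22 reset to 0xFF."""
    size = hashlib.new(alg).digest_size
    values = {}
    for idx, digest in events:
        if len(digest) != size:
            raise ValueError(f"PCR {idx}: {len(digest)}-byte digest in the {alg} bank")
        values[idx] = pcr_extend(values.get(idx, bytes(size)), digest, alg)
    return values


def marshal_pcr_selection(indices, alg: str) -> bytes:
    """TPML_PCR_SELECTION with a single bank: count, hashAlg, sizeofSelect, bitmap."""
    select = bytearray(3)
    for i in indices:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, ALG_ID[alg], 3) + bytes(select)


def policy_pcr_digest(values: dict, indices, alg: str) -> bytes:
    """authPolicy for a policy consisting of one TPM2_PolicyPCR:
    H(zeros || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCRs, ascending))."""
    size = hashlib.new(alg).digest_size
    pcr_digest = hashlib.new(alg, b"".join(values.get(i, bytes(size)) for i in sorted(indices))).digest()
    return hashlib.new(alg, bytes(size) + struct.pack(">I", TPM_CC_POLICY_PCR)
                       + marshal_pcr_selection(indices, alg) + pcr_digest).digest()


def expected_policy(events, indices, alg: str = "sha256") -> bytes:
    """The policy digest a sealed blob will unseal under if the TPM saw exactly these events."""
    return policy_pcr_digest(replay_event_log(events, alg), indices, alg)


def pcrextend_args(events, alg: str = "sha256"):
    """tpm2_pcrextend arguments ('11:sha256=<hex>') that reproduce the log on a fresh bank;
    they must be issued in list order, since extend is order-sensitive."""
    return [f"{idx}:{alg}={digest.hex()}" for idx, digest in events]


def sample_digest(label: str) -> bytes:
    """Constructed event digest for the example; real logs carry the measured hashes."""
    return hashlib.sha256(label.encode()).digest()


# Constructed stand-in for what the bitleaker bootloader records before Windows runs.
BOOT_EVENTS = [(0, sample_digest("firmware")), (4, sample_digest("bootmgr")),
               (7, sample_digest("secure boot config"))]
# Constructed stand-in for measurements that happen after that log is captured: the
# EV_SEPARATOR extends on PCRs 0-7 and BitLocker's PCR 11 extend from the thread.
LATE_EVENTS = [(i, sample_digest("EV_SEPARATOR")) for i in range(8)] + [(11, sample_digest("bitlocker lock"))]

if __name__ == "__main__":
    print("policy from boot log only :", expected_policy(BOOT_EVENTS, [7, 11]).hex())
    print("policy incl. later events :", expected_policy(BOOT_EVENTS + LATE_EVENTS, [7, 11]).hex())
    for arg in pcrextend_args(BOOT_EVENTS):
        print("tpm2_pcrextend", arg)
```

The practical use is to compute expected_policy from the Windows-side event log and compare it with the authPolicy in the sealed blob's public area; if they differ, some event in the selection is missing from the log you replayed, which is exactly the failure mode the comments above describe. The digests must come from the bank the policy was built over, which is why the digest length check matters when a machine turns out to be on SHA-1.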

edmcman commented on May 23, 2024

I have an updated Bitleaker that uses a later version of Ubuntu. I got it to work with EFI, so you don’t need the initial loader. It was a bit tricky, but it works and has some instructions.

Oh cool! Can you point me to that? I don't think I found that in your repo.


roboknight commented on May 23, 2024

It isn’t in there. I can see if my image is still in Google drive or Dropbox. I probably should update the repo, but I was working on this elsewhere offline for a while. Now I’m kinda on other things, so updating that fell off the priority bandwagon.


hoxitfoxave commented on May 23, 2024

I have an updated Bitleaker that uses a later version of Ubuntu. I got it to work with EFI, so you don’t need the initial loader. It was a bit tricky, but it works and has some instructions. I have an image somewhere. As to the SHA1 question, it’s the hash lengths. They were 0x14 bytes, not 0x20 (SHA256).

@roboknight Can you please share your updated Bitleaker with me? I am attempting to recover my personal data, my system uses sha1.
