16 changes: 14 additions & 2 deletions wolftpm/tpm2.h
Expand Up @@ -1933,6 +1933,15 @@ typedef int (*TPM2HalIoCb)(struct TPM2_CTX*, const BYTE* txBuf, BYTE* rxBuf,
UINT16 xferSz, void* userCtx);
#endif

/* Use local wolfCrypt RNG for nonce generation by default.
* This is recommended because nonces generated via TPM2_GetRandom travel over
* the SPI/I2C bus unprotected (no session exists yet), making them vulnerable
* to physical bus tampering (e.g., an attacker driving MISO to force a known
* nonce value). A known or attacker-controlled nonceCaller in an unsalted
* session can undermine session security and enable active manipulation.
* Even with a salted session, it violates the TPM 2.0
* spec assumption that nonces are unpredictable (Part 1, Section 19.6).
* Only define WOLFTPM2_USE_HW_RNG if the bus is physically secure. */
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(WC_NO_RNG) && \
!defined(WOLFTPM2_USE_HW_RNG)
#define WOLFTPM2_USE_WOLF_RNG
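Review bot: The new comment only tells users not to define WOLFTPM2_USE_HW_RNG unless the bus is physically secure, but the `#if` has two more ways of not selecting the wolfCrypt RNG: a build with `WOLFTPM2_NO_WOLFCRYPT` or `WC_NO_RNG` also leaves WOLFTPM2_USE_WOLF_RNG undefined and therefore lands on the non-wolfCrypt nonce path without anyone having opted in. Either the comment should say so explicitly ("builds without wolfCrypt, or with WC_NO_RNG, fall back to the TPM RNG and carry the same bus-tampering risk"), or those configurations should raise a `#warning`/`#error` so the fallback is a visible decision rather than a silent one. Minor: the spec pointer "(Part 1, Section 19.6)" would be easier to verify with the section title alongside the number.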
Expand Down Expand Up @@ -3596,8 +3605,11 @@ WOLFTPM_API TPMI_ALG_HASH TPM2_GetTpmHashType(int hashType);
\ingroup TPM2_Proprietary
\brief Generate a fresh nonce of random numbers
\note Can use the TPM random number generator if WOLFTPM2_USE_HW_RNG is defined.
To force use of the TPM's RNG use WOLFTPM2_USE_HW_RNG. Please make sure you
have parameter encryption enabled to protect the RNG data over the bus.
WARNING: Using WOLFTPM2_USE_HW_RNG exposes nonces to physical bus tampering
(SPI/I2C). An attacker with bus access can force a known nonce, which
can significantly weaken session security, especially for unsalted
sessions. Use the default local wolfCrypt RNG unless the bus is
physically secure.

\return TPM_RC_SUCCESS: successful
\return TPM_RC_FAILURE: generic failure (TPM IO issue or wolfcrypt configuration)
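Review bot: The rendered view drops the +/- markers, but if the sentence "Please make sure you have parameter encryption enabled to protect the RNG data over the bus." survives in the new text, it contradicts both the WARNING added directly below it and the comment added earlier in this same file, which states that no session exists yet when the nonce is generated, so parameter encryption cannot protect it. That sentence should be removed or reworded so the doc block gives one consistent message. Also, "Can use the TPM random number generator if WOLFTPM2_USE_HW_RNG is defined." and "To force use of the TPM's RNG use WOLFTPM2_USE_HW_RNG." say the same thing; one of them can go.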
6 changes: 5 additions & 1 deletion wolftpm/tpm2_wrap.h
Expand Up @@ -2651,7 +2651,11 @@ WOLFTPM_API struct WC_RNG* wolfTPM2_GetRng(WOLFTPM2_DEV* dev);
/*!
\ingroup wolfTPM2_Wrappers
\brief Get a set of random number, generated with the TPM RNG or wolfcrypt RNG
\note Define WOLFTPM2_USE_HW_RNG to use the TPM RNG source
\note Define WOLFTPM2_USE_HW_RNG to use the TPM RNG source.
\warning When using WOLFTPM2_USE_HW_RNG, random data travels over the
SPI/I2C bus unprotected. If this data is used for session nonces, an
attacker with physical bus access can force known values. Use default
local RNG unless the bus is physically secure.

\return TPM_RC_SUCCESS: successful
\return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code)
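Review bot: The \warning narrows the risk to "If this data is used for session nonces", but the brief says this wrapper returns general-purpose random bytes, and the warning itself states they travel over the bus unprotected. That means every consumer is affected, not just nonce generation: an attacker on the bus can force the values, and anyone observing the bus can read them, which matters just as much when the output seeds a key or an IV. Suggest stating the risk for all uses of the output and naming both tampering and observation, and replacing "Use default local RNG" with the concrete default ("the local wolfCrypt RNG") so it matches the wording added to tpm2.h. Style: "Get a set of random number" should read "random numbers".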