Page 1
Ing. Ondřej Ševeček | GOPAS a.s.
MCSM:Directory | MVP:Security | CISA | CISM | CEH | CHFI
www.sevecek.com
relevant courses:
GOC163 (Modern Security), GOC169 (ISO 27001),
GOC165 (CISM), GOC163 (GDPR and ZaKB)
UEFI, SecureBoot, DeviceGuard, TPM and WHB: (un)related technologies
Page 2
[Diagram: Virtual Machine / Hardware, UEFI, Secure Boot, Device Guard, TPM, WHB]
Page 3
UEFI
Page 4
Unified Extensible Firmware Interface
newer BIOS :-)
– backward compatible
can be x32/x64
– BIOS was 16bit
– better code and "drivers", bigger RAM
two APIs
– boot services
– runtime services
configurable from OS with a runtime service
NVRAM
– non-volatile RAM
– config + OS variables
– accessible through runtime services from OS
Hyper-V VM generations
– generation 1 = BIOS
– generation 2 = UEFI
Page 5
UEFI knows its boot devices
Page 6
UEFI boots from MBR and GPT disks
old MBR disks (dumb jump to MBR)
– max 4 partitions, 2 TB
– sector 0 = MBR
• 512 bytes of code to jump into the Active partition
– boot sector
• 512+ bytes of code to find bootmgr on the partition (NTFS, FAT, ...)
GPT disks (understands)
– sector 1+ = GPT
– max 127 partitions, 68 000 000 000 TB with 4kB sector disks
– partition GUIDs and types
• EFI system partition (ESP) = C12A7328-F81F-11D2-BA4B-00A0C93EC93B
• no active partition
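Added example (not part of the original slides): a minimal GPT reader that validates the header and entry-array CRCs and locates the ESP by the type GUID above. It assumes 512-byte sectors; the disk image, its 4-slot table and the helper names (parse_gpt, find_esp, build_sample_disk) are constructed for illustration.

```python
import struct, uuid, zlib

SECTOR = 512
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")  # GUID from the slide
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte GPT header
ENT = struct.Struct("<16s16sQQQ72s")       # 128-byte partition entry

def parse_gpt(disk):
    """Return [(type_guid, first_lba, last_lba, name)]; raise ValueError on bad CRCs."""
    raw = disk[SECTOR:SECTOR + HDR.size]   # sector 1 holds the GPT header
    (sig, _rev, hsize, hcrc, _rsv, _cur, _bak, _first, _last,
     _disk_guid, ent_lba, n_ent, ent_size, ent_crc) = HDR.unpack(raw)
    if sig != b"EFI PART" or hsize != HDR.size:
        raise ValueError("no usable GPT header in sector 1")
    if zlib.crc32(raw[:16] + bytes(4) + raw[20:]) != hcrc:  # CRC field zeroed
        raise ValueError("GPT header CRC mismatch")
    table = disk[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if zlib.crc32(table) != ent_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for off in range(0, len(table), ent_size):
        ptype, _uniq, first, last, _attr, name = ENT.unpack_from(table, off)
        if ptype != bytes(16):             # all-zero type GUID marks an unused slot
            # GUIDs are stored mixed-endian on disk, hence bytes_le
            parts.append((uuid.UUID(bytes_le=ptype), first, last,
                          name.decode("utf-16-le").rstrip("\0")))
    return parts

def find_esp(disk):
    """Partitions whose type GUID marks them as the EFI system partition."""
    return [p for p in parse_gpt(disk) if p[0] == ESP_TYPE]

def build_sample_disk():
    """Constructed 64-sector image: protective MBR, GPT header, 4 entry slots."""
    def entry(ptype, first, last, name):
        return ENT.pack(ptype.bytes_le, uuid.uuid4().bytes_le, first, last, 0,
                        name.encode("utf-16-le"))
    basic = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # basic data type
    table = (entry(ESP_TYPE, 3, 10, "EFI system partition")
             + entry(basic, 11, 60, "Basic data partition") + bytes(2 * ENT.size))
    hdr = HDR.pack(b"EFI PART", 0x10000, HDR.size, 0, 0, 1, 63, 3, 60,
                   uuid.uuid4().bytes_le, 2, 4, ENT.size, zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    mbr = bytes(450) + b"\xEE" + bytes(59) + b"\x55\xAA"  # 0xEE = protective MBR
    return (mbr + hdr.ljust(SECTOR, b"\0") + table).ljust(64 * SECTOR, b"\0")
```

On disk the ESP type GUID starts with the bytes 28 73 2A C1, which is why a plain byte comparison against the printed GUID string fails.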
Page 7
UEFI knows FAT32 and can read EFI system partition
EFI partition
– FAT32 (up to 32 GB)
– FASTFAT if supported
can boot directly bootxxxxx.efi
– faster and OS configurable
– can check digital signatures of boot files
removable media
– CD/DVD, USB flash
– single UDF/CDFS/FAT32 partition
• up to 32 GB
Page 8
Firmware variables and UEFI locks
NVRAM
– non-volatile RAM storage
– accessible read/write over runtime services API
locking
– changes must be written during boot services phase by a trusted UEFI application
– RunAsPPL, DeviceGuard
Page 9
UEFI lock on RunAsPPL
Page 10
SecureBoot
Page 11
SecureBoot
UEFI only
GPT + EFI partition
checking signatures of boot components
– UEFI: boot sector + boot loader
– OS: winload, kernel, drivers, LSASS, ...
Page 12
SecureBoot enabled on HW (msinfo32)
Page 13
SecureBoot enabled on VM (msinfo32)
Page 14
SecureBoot requirements
GPT + EFI disk
supporting OS
– 8.1/2012 x64 and newer
disabled CSM (compatibility support mode)
– plus disable any "legacy" options
password protected "BIOS"
OS vendor public signature verification keys (re)loaded
Page 15
Enabling secure boot within "BIOS"
Page 16
SecureBoot protection
protects against boot code modifications
– does not prevent booting "rogue OS" in itself
Page 17
DeviceGuard
Page 18
LSASS sensitive memory vulnerability
[Diagram: High-Level OS with processes and LSASS; LSASS holds NTLM, TGT, password; Attacker]
Page 19
Smart card principle
[Diagram: smart card (CryptoCPU, OS firmware in ROM, public storage memory, protected private crypt memory, PIN and master PIN) reached from the PC through API calls; Attacker]
Page 20
LSASS sensitive memory solution
[Diagram: Hypervisor; High-Level OS with processes and LSASS; Secure Kernel with Isolated User Mode (IUM) and a trustlet holding NTLM, TGT, password, reached over vmbus; Attacker]
Page 21
Requirements
SecureBoot => UEFI
– ensures that the secure kernel and lsass would load untouched
– the secure kernel ensures that only the first interface user (lsass) can use it
Page 22
(Non)Protection
long-term memory credential protection
– does not protect BitLocker AES FVEK yet
vulnerabilities
– can be disabled by Admins with restart remotely (without UEFI lock)
– can be disabled by Admins with restart attended (with UEFI lock)
– hardware keyloggers
– software keyloggers
– RDP + HTTP basic auth loggers
– SSO injections
– memory dumping
– local management
Page 23
Disabling DeviceGuard with UEFI lock
Page 24
TPM
Page 25
Used by
BitLocker to store volume decryptor
TPM smart cards
Windows Hello for Business
Page 26
Trusted Platform/Policy Module
on-board smart-card
– or plug-in module if supported by motherboard and BIOS
– or VM emulated
unlocked with multiple entry-key-parts
– UEFI NVRAM hash
– boot sector hash
– boot loader hash, ...
+PIN possibly
owner password for privileged operations
– clear, export, ...
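Added example (not part of the original slides): a simplified model of how the hashes of the boot chain, plus an optional PIN, act as the key parts that unlock a TPM-held secret. It assumes a single SHA-256 register, whereas a real TPM spreads measurements over several PCRs; ModelTpm, demo and the component byte strings are hypothetical and constructed.

```python
import hashlib, hmac

def extend(pcr, component):
    """PCR extend: new = SHA-256(old || SHA-256(component)); a PCR cannot be set directly."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components):
    """Fold the boot chain, in order, into one register starting from all zeros."""
    pcr = bytes(32)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

class ModelTpm:
    """Toy stand-in for a TPM: releases a sealed secret only to the expected state."""
    def __init__(self):
        self._sealed = None

    def seal(self, secret, expected_pcr, pin=None):
        self._sealed = (secret, self._policy(expected_pcr, pin))

    def unseal(self, current_pcr, pin=None):
        secret, policy = self._sealed
        ok = hmac.compare_digest(policy, self._policy(current_pcr, pin))
        return secret if ok else None

    @staticmethod
    def _policy(pcr, pin):
        # every key part (measured hashes, optional PIN) feeds one policy digest
        return hashlib.sha256(pcr + b"|" + (pin or "").encode()).digest()

# Constructed stand-ins for the measured components named on the slide
NVRAM, BOOT_SECTOR, BOOT_LOADER = b"nvram-vars-v1", b"boot-sector-v1", b"bootmgr-v1"

def demo():
    tpm = ModelTpm()
    good = [NVRAM, BOOT_SECTOR, BOOT_LOADER]
    tpm.seal(b"volume-key", measure_boot(good), pin="1234")
    return {
        "clean boot": tpm.unseal(measure_boot(good), "1234"),
        "patched loader": tpm.unseal(measure_boot(good[:2] + [b"bootmgr-evil"]), "1234"),
        "reordered": tpm.unseal(measure_boot(good[::-1]), "1234"),
        "wrong PIN": tpm.unseal(measure_boot(good), "0000"),
    }
```

Only the unmodified chain, measured in the original order and combined with the correct PIN, gets the secret back; every other case returns None.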
Page 27
VM emulated TPM vs. hardware based
Page 28
VM TPM emulation
does not require physical TPM on the host
data stored encrypted in the VM configuration file
– encrypted with HgsGuardian
– either local or remote if configured
Page 29
TPM ownership
always some password present
– maybe not known to us :-)
OS can store owner password
– None
– Delegated
• binary blob only (not easily remembered)
• supported by newer applications only
– Full
• plain-text password
• supported by any application
reset ownership password always possible
– must clear the TPM
– requires physical presence (BIOS instead of UEFI application)
Page 30
TPM owner information in registry
HKLM\System\CurrentControlSet\Services\TPM\WMI\Admin
Page 31
TPM state and owner authorization in PowerShell
Get-TPM
Page 32
Clearing TPM without owner password
Page 33
TPM virtual smart-cards
smart-card logon
– Kerberos PKINIT
– enterprise PKI + client certificates
– change PIN with CTRL-ALT-DEL
– PIN length policy
binds user identity to the machine
Page 34
Provisioning TPM virtual smart card
tpmvscmgr.exe create /name "userADlogon" /AdminKey PROMPT /PIN PROMPT /generate /pinpolicy minlen 4
# AdminKey: 48 hex digits (0-9,A-F)
# PIN: 8 any-characters by default
certutil -csplist
# Microsoft Smart Card Key Storage Provider
certutil -scinfo
tpmvscmgr destroy /instance root\smartcardreader\0000
# if unknown, use Device Manager for lookup
Page 35
Looking up virtual smart card device in devmgmt.msc
Page 36
Attestation
AD CS can require hardware attestations for issued certificates
certificate request is signed by a TPM internal private key
– public verification key imported into CA
manual enrollment by an RA (registration authority)?
autoenrollment into defined device with attestation
Page 37
Windows Hello for Business
Page 38
What?
Convenience PIN
– store password on the disk, protected with a simpler PIN
Windows Hello
– store password on the disk, protected with a thumbprint or anything paid within Office365
Windows Hello for Business
– smart card logon mapped from anything
Page 39
Multiple-multifactor-biometric authentication
maps to Kerberos PKINIT smart-card logon credentials
stored locally
– in TPM or in software
better than fingerprint-readers, ...
AD user, AAD user, ...
– shadow account in Active Directory
Page 40
Requires Device Registration with ADFS
Page 41
Enabled with Group Policy
Page 42
Nice to have
UEFI
– GPT disks
– NVRAM variable locking
SecureBoot
– signed boot components
– requires UEFI
DeviceGuard
– isolated credential storage (secure kernel)
– requires SecureBoot
TPM
– stores BitLocker keys
– provides virtual smart cards
– provides WHB
[Diagram: Virtual Machine / Hardware, UEFI, Secure Boot, Device Guard, TPM, WHB]