Learn more about LinuxCon + ContainerCon + CloudOpen China, happening June 19-20. 

Customize your schedule by experience level and/or presentation language: Refer to the “Filter by Type” list on the right to find a session based on topic and/or experience level. Presentation Language - Sessions are categorized as [C] Chinese, [C,E] Chinese with English Slides or [E] English at the end of each talk title.
Back To Schedule
Monday, June 19 • 13:35 - 14:05
Enhancing Linux Security with TPM 2.0 [E] - James Bottomley, IBM

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

Thanks to work by Intel and Microsoft, TPMs are ubiquitous in today’s hardware, from tablets all the way to servers, and Thanks to Microsoft, the most recent incarnation: TPM 2.0 is being deployed reasonably universally. TPMs can perform four essential functions: secure measurement and logging, secure signing, encryption, and private key escrow, data sealing, and attestation. (TPMs  can be divided into two classes: the modern 2.0 incarnation required by  Microsoft and used in the Surface and newer systems and the older (and much more common) 1.2 System.  Although his talk will mention the Older1.2 stack because it can do a significant subset of the 2.0 features, it will concentrate on 2.0 (because that's the one James has in his laptop).  Most people have heard (at length) about measurement and all its problems. Here, We will explain how secure signing can be made to function where an external key is irretrievably (so that neither hackers nor the cloud service provider can get it) placed into a TPM and used to perform a variety of RSA authentication operations. The useful target for this is VPN, but there are a variety of other authentication systems for which this can be made to work. We also demonstrate how an existing RSA key can be wrapped for secure transmission to the TPM and then used via the OpenSSL engine functions, how an agreed PCR  timer can make this key expire after an agreed interval, why it cannot ever be retrieved, and how the trust model actually works. And for the paranoid who don’t trust their own cloud provider, James covers how the TPM attestation functions can be used to verify exactly that you weren’t tricked into wrapping the key for a software-based TPM, which could allow the trickster to steal your private key. James then explains how sequestered trust models like the TPM can be used in the industry to enhance security even in an apparently insecure environment.

avatar for James Bottomley

James Bottomley

Distinguished Engineer, IBM
James Bottomley is a Distinguished Engineer at IBM Research where he works on Cloud and Container technology. He is also Linux Kernel maintainer of the SCSI subsystem. He has been a Director on the Board of the Linux Foundation and Chair of its Technical Advisory Board. He went to... Read More →

Monday June 19, 2017 13:35 - 14:05 HKT
Room 307A
  LinuxCon, Developer