UEFI, SecureBoot, DeviceGuard, TPM and WHB

Post on 15-Feb-2020

Ing. Ondřej Ševeček | GOPAS a.s.

MCSM:Directory | MVP:Security | CISA | CISM | CEH | CHFI

ondrej@sevecek.com | www.sevecek.com

relevant courses:

GOC163 (Modern Security), GOC169 (ISO 27001),

GOC165 (CISM), GOC163 (GDPR and ZaKB)

UEFI, SecureBoot, DeviceGuard, TPM and WHB: (un)related technologies

[Overview diagram: Virtual Machine / Hardware, UEFI, Secure Boot, Device Guard, TPM, WHB]

UEFI

Unified Extensible Firmware Interface

newer BIOS :-)

– backward compatible

can be 32-bit or 64-bit

– BIOS was 16-bit

– better code and "drivers", bigger RAM

two APIs

– boot services

– runtime services

configurable from OS with a runtime service

NVRAM

– non-volatile RAM

– config + OS variables

– accessible through runtime services from OS

Hyper-V VM generations

– generation 1 = BIOS

– generation 2 = UEFI

UEFI knows its boot devices

UEFI boots from MBR and GPT disks

old MBR disks (dumb jump to MBR)

– max 4 partitions, 2 TB

– sector 0 = MBR

• 512 bytes of code to jump into the Active partition

– boot sector

• 512+ bytes of code to find bootmgr on the partition (NTFS, FAT, ...)

GPT disks (understands)

– sector 1+ = GPT

– max 127 partitions, 68 000 000 000 TB with 4kB sector disks

– partition GUIDs and types

• EFI system partition (ESP) = C12A7328-F81F-11D2-BA4B-00A0C93EC93B

• no active partition
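
How firmware (or a forensic tool) locates the ESP by its type GUID instead of an "active" flag, as an added example that is not part of the original slides. The disk image, partition names and LBA ranges are constructed, 512-byte sectors are assumed, and header CRC validation is left out.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")  # from the slide
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # Microsoft basic data

def make_entry(type_guid, unique, first_lba, last_lba, name):
    # 128-byte GPT partition entry; GUIDs are stored mixed-endian (bytes_le)
    return struct.pack("<16s16sQQQ72s", type_guid.bytes_le, unique.bytes_le,
                       first_lba, last_lba, 0, name.encode("utf-16-le"))

def build_sample_disk():
    # Constructed image: protective MBR (LBA 0), GPT header (LBA 1), entries (LBA 2)
    disk = bytearray(SECTOR * 4)
    disk[510:512] = b"\x55\xaa"
    disk[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<Q", disk, SECTOR + 72, 2)        # LBA of the entry array
    struct.pack_into("<II", disk, SECTOR + 80, 4, 128)  # entry count, entry size
    entries = (make_entry(ESP_TYPE, uuid.UUID(int=1), 2048, 206847, "EFI system partition")
               + make_entry(BASIC_DATA, uuid.UUID(int=2), 206848, 2303999, "Basic data partition"))
    disk[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    return bytes(disk)

def list_partitions(disk):
    hdr = disk[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header in sector 1 (MBR-only disk?)")
    (entries_lba,) = struct.unpack_from("<Q", hdr, 72)
    count, size = struct.unpack_from("<II", hdr, 80)
    parts = []
    for i in range(count):
        off = entries_lba * SECTOR + i * size
        entry = disk[off:off + size]
        type_guid = uuid.UUID(bytes_le=entry[:16])  # decode the mixed-endian form
        if type_guid.int == 0:
            continue  # unused slot
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append({"name": name, "type": type_guid, "first_lba": first, "last_lba": last})
    return parts

def find_esp(disk):
    # The ESP is identified purely by its partition type GUID
    return [p for p in list_partitions(disk) if p["type"] == ESP_TYPE]

if __name__ == "__main__":
    for p in find_esp(build_sample_disk()):
        print(p["name"], p["type"], p["first_lba"], p["last_lba"])
```

In a hex dump the ESP type GUID starts with the bytes 28 73 2A C1, not C1 2A 73 28, because the first three GUID fields are stored little-endian.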

UEFI knows FAT32 and can read EFI system partition

EFI partition

– FAT32 (up to 32 GB)

– FASTFAT if supported

can boot directly bootxxxxx.efi

– faster and OS configurable

– can check digital signatures of boot files

removable media

– CD/DVD, USB flash

– single UDF/CDFS/FAT32 partition

• up to 32 GB

Firmware variables and UEFI locks

NVRAM

– non-volatile RAM storage

– accessible read/write over runtime services API

locking

– changes must be written during boot services phase by a trusted UEFI application

– RunAsPPL, DeviceGuard

UEFI lock on RunAsPPL

SecureBoot

SecureBoot

UEFI only

GPT + EFI partition

checking signatures of boot components

– UEFI: boot sector + boot loader

– OS: winload, kernel, drivers, LSASS, ...

SecureBoot enabled on HW (msinfo32)

SecureBoot enabled on VM (msinfo32)

SecureBoot requirements

GPT + EFI disk

supporting OS

– 8.1/2012 x64 and newer

disabled CSM (compatibility support mode)

– plus disable any "legacy" options

password protected "BIOS"

OS vendor public signature verification keys (re)loaded

Enabling secure boot within "BIOS"

SecureBoot protection

protects against boot code modifications

– does not prevent booting "rogue OS" in itself

DeviceGuard

LSASS sensitive memory vulnerability

[Diagram labels: High-Level OS, Process, LSASS (NTLM, TGT, password), Attacker]

Smart card principle

[Diagram labels: CryptoCPU, public storage memory, protected private crypt memory, OS firmware ROM, API calls, PIN, master PIN, PC, Attacker]

LSASS sensitive memory solution

[Diagram labels: Hypervisor, Secure Kernel, Isolated User Mode (IUM), trustlet, vmbus, High-Level OS, Process, LSASS, NTLM, TGT, password, Attacker]

Requirements

SecureBoot => UEFI

– ensures that the secure kernel and lsass would load untouched

– the secure kernel ensures that only the first interface user (lsass) can use it

(Non)Protection

long-term memory credential protection

– does not protect BitLocker AES FVEK yet

vulnerabilities

– can be disabled by Admins with restart remotely (without UEFI lock)

– can be disabled by Admins with restart attended (with UEFI lock)

– hardware keyloggers

– software keyloggers

– RDP + HTTP basic auth loggers

– SSO injections

– memory dumping

– local management

Disabling DeviceGuard with UEFI lock

TPM

Used by

BitLocker to store volume decryptor

TPM smart cards

Windows Hello for Business

Trusted Platform/Policy Module

on-board smart-card

– or plug-in module if supported by motherboard and BIOS

– or VM emulated

unlocked with multiple entry-key-parts

– UEFI NVRAM hash

– boot sector hash

– boot loader hash, ...

+PIN possibly

owner password for privileged operations

– clear, export, ...
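
Why a changed boot component keeps the TPM from releasing its secret, shown as an added software model that is not part of the original slides. It generalizes the "entry-key-parts" above into a TPM-style hash-extend chain; `ToyTpm`, the component byte strings and the PIN are constructed for illustration, and the policy check is simplified compared with a real TPM.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    # TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    pcr = bytes(32)  # a PCR is all zeros after reset
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

class ToyTpm:
    """Software model only: a real TPM enforces this inside the chip."""

    def seal(self, secret: bytes, pcr: bytes, pin: bytes = b"") -> None:
        # Bind the secret to one platform state plus an optional PIN
        self._policy = hashlib.sha256(pcr + pin).digest()
        self._secret = secret

    def unseal(self, pcr: bytes, pin: bytes = b"") -> bytes:
        presented = hashlib.sha256(pcr + pin).digest()
        if not hmac.compare_digest(self._policy, presented):
            raise PermissionError("platform state or PIN does not match")
        return self._secret

# Constructed stand-ins for the measured components named on the slide
GOOD_BOOT = [b"uefi-nvram-config-v1", b"boot-sector-v1", b"boot-loader-v1"]
TAMPERED_BOOT = [b"uefi-nvram-config-v1", b"boot-sector-v1", b"boot-loader-PATCHED"]

def try_unseal(tpm, components, pin):
    try:
        return tpm.unseal(measure_boot(components), pin)
    except PermissionError:
        return None

def demo():
    tpm = ToyTpm()
    tpm.seal(b"volume-key", measure_boot(GOOD_BOOT), pin=b"1234")
    return {
        "good": try_unseal(tpm, GOOD_BOOT, b"1234"),
        "tampered": try_unseal(tpm, TAMPERED_BOOT, b"1234"),
        "wrong_pin": try_unseal(tpm, GOOD_BOOT, b"0000"),
        "reordered": try_unseal(tpm, GOOD_BOOT[::-1], b"1234"),
    }

if __name__ == "__main__":
    print(demo())
```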

VM emulated TPM vs. hardware based

VM TPM emulation

does not require physical TPM on the host

data stored encrypted in the VM configuration file

– encrypted with HgsGuardian

– either local or remote if configured

TPM ownership

always some password present

– maybe not known to us :-)

OS can store owner password

– None

– Delegated

• binary blob only (not easily remembered)

• newer applications support only

– Full

• plain-text password

• any application support

reset ownership password always possible

– must clear the TPM

– requires physical presence (BIOS instead of UEFI application)

TPM owner information in registry

HKLM\System\CurrentControlSet\Services\TPM\WMI\Admin

TPM state and owner authorization in PowerShell

Get-TPM

Clearing TPM without owner password

TPM virtual smart-cards

smart-card logon

– Kerberos PKINIT

– enterprise PKI + client certificates

– change PIN with CTRL-ALT-DEL

– PIN length policy

binds user identity to the machine

Provisioning TPM virtual smart card

tpmvscmgr.exe create /name "userADlogon" /AdminKey PROMPT /PIN prompt /generate /pinpolicy minlen 4

# AdminKey: 48 hex digits (0-9,A-F)

# PIN: 8 any-characters by default

certutil -csplist

# Microsoft Smart Card Key Storage Provider

certutil -scinfo

tpmvscmgr destroy /instance root\smartcardreader\0000

# if unknown, use Device Manager for lookup

Looking up virtual smart card device in devmgmt.msc

Attestation

AD CS can require hardware attestations for issued certificates

certificate request is signed by a TPM internal private key

– public verification key imported into CA

manual enrollment by a RA registration authority?

autoenrollment into defined device with attestation

Windows Hello for Business

What?

Convenience PIN

– store password on the disk, protected with a simpler PIN

Windows Hello

– store password on the disk, protected with a thumbprint or anything paid within Office365

Windows Hello for Business

– smart card logon mapped from anything

Multiple-multifactor-biometric authentication

maps to Kerberos PKINIT smart-card logon credentials

stored locally

– in TPM or in software

better than fingerprint-readers, ...

AD user, AAD user, ...

– shadow account in Active Directory

Requires Device Registration with ADFS

Enabled with Group Policy

[Overview diagram: Virtual Machine / Hardware, UEFI, Secure Boot, Device Guard, TPM, WHB]

Nice to have

UEFI

– GPT disks

– NVRAM variable locking

SecureBoot

– signed boot components

– requires UEFI

DeviceGuard

– isolated credential storage (secure kernel)

– requires SecureBoot

TPM

– stores BitLocker keys

– provides virtual smart cards

– provides WHB
