Ultrablue: User-friendly Lightweight TPM Remote Attestation over Bluetooth
2023-07-03, 14:50–15:25 (Europe/Paris), Amphitheater

During the boot of a PC, it is now common to have each stage involved in the booting process to store measurements of the next component to be loaded into a Trusted Platform Module (TPM), in order to keep a tamper-proof log of the boot chain.
Those measurements are then leveraged to seal secrets, e.g. a disk encryption key, or to report the state of the device to a remote server in a cryptographically secure way, using a procedure known as remote attestation.

Remote attestation has slowly gained traction over the last few years, most notably among cloud providers such as Azure, to guard access to online resources.
It is also a key element in validating Dynamic Root-of-Trust Measurements (DRTM), which reduce the Trusted Computing Base (TCB) compared to traditional UEFI-based boot chains,
but require a trusted third-party to validate the final state of the system.
Unfortunately, little progress has been made recently to enable individual users without access to server resources to reap the benefits of remote attestation.
This is particularly frustrating considering that almost everybody carries a small trusted server with them all the time: smartphones.

Building upon an idea by Matthew Garrett[^1], we introduce Ultrablue (User-friendly Lightweight TPM Remote Attestation over Bluetooth), a solution to securely inspect and validate a TPM event log from a phone.
Ultrablue consists of a command-line attester, running on a computer, and an Android graphical application, running on a trusted phone, communicating over encrypted Bluetooth low-energy (BLE).
Pairing the phone and computer is made easier and more secure through the use of a QR Code.
After a trust-on-first-use provisioning phase to enroll the computer on the phone, the phone can check that the boot chain has not been compromised in later boots.
Sample scripts and a self-contained virtual machine are also provided as a reference of how to integrate Ultrablue in the boot process to guard disk encryption by a secret delivered by the phone. A practical session will demonstrate this process during the conference.

Future work includes improving the user interface to inspect and validate unexpected event logs, adding support for more versatile verification policies,
and integrating Ultrablue into existing hardened systems such as Safeboot (safeboot.dev).

The Ultrablue project has been developped at ANSSI (ssi.gouv.fr) by Loïc Falkau--Buckwell, under the supervision of Nicolas Bouchinet and Gabriel Kerneis.

[^1]: Linux Conference Australia, 2020. https://www.youtube.com/watch?v=FobfM9S9xSI

See also: slides

Nicolas Bouchinet works as a Security Researcher at ANSSI, the National Cybersecurity Agency of France. His research focuses on the Linux kernel, userspace and boot chain.

Loic is the main developer of the Ultrablue project, under the supervision of Nicolas Bouchinet and Gabriel Kerneis from ANSSI.

Gabriel works as a Security Researcher at ANSII, the National Cybersecurity Agency of France. His research focuses on firmwares, trusted environment and secure boot mechanisms.