What kind of “actions” can a TPM2 policy authorize?

I’ve been instructed to use the state of our system’s TPM’s PCR registers to prevent the system we’re working on from booting if one of the PCR registers is different from what we expect. In service of that goal, I’m reading over this article: https://threat.tevora.com/secure-boot-tpm-2/

there is a paragraph near the middle that reads:

TPM2 has the ability to create policies based off of PCRs: If the PCR contents do not match expectations, the policy will not authorize the action.

What kind of actions are they talking about here? And what would be the immediate ramifications if the action was not authorized?


Some background: Before today, I was under the impression that the principle trick of the TPM was to encrypt or decrypt data using a key that the TPM holds securely. Now this article suggests that the TPM can also (two different functions) encrypt or decrypt data based on the current state of its’ PCR registers… this seems similar enough to my previous understanding that I can believe it.

If my understanding is correct, I can see how this would be useful to our project’s goals; encrypt a blob of data that is critical to the success of the boot (say… the kernel*) with the state of the PCR registers while the PCR registers are in a known-trustworthy state (i.e. while known-trustworthy software is loaded). If software that writes different PCR registers replaces the known-trustworthy software, then the kernel blob won’t decrypt properly, and execution “halts”. Presumably there are ways to handle this halting gracefully, like Bitlocker or LUKS; I imagine if I just encrypted executable code and then decrypted it with the wrong key, it would produce gibberish, and the machine would do unexpected things rather than halt gracefully when running that gibberish.

A co-worker has taken the position that there’s a simpler way; that a TPM can permit or refuse an action directly… so, like, it halts the processor or something, I guess? He doesn’t express himself very well, and when I tried to summarize his position he told me I got it wrong, so… I’m deliberately keeping the details of his position scant. Suffice it to say, my understanding of what a TPM does wouldn’t allow for what he describes…

You could interpret the two sentences from the article as supporting his position, or mine, depending on what actions it is possible to ask the TPM to authorize, and what the immediate consequences ramifications of the TPM denying you the authorization to do something. Does anyone here have an opinion?

*…how would I “encrypt the kernel”, exactly? :-p

To authorize an App Service to get keys from Key Vault, do I need to use the IAM blade or the Access Policies blade? [migrated]

I’m unclear about how I authorize an Azure App Service to get a key from Azure Key Vault using System Assigned Managed Service Identities. Do I use the IAM blade and give the App Service Identity the Reader role? Or do I got to the Access Policies blade and find the Principal for the App Services identity and give it key permissions? Or do I do both?

How to authorize a subkey using a primary master key pair?

I’m using webcrypto, not PGP/GPG.

I would like to use a key pair to create a “subkey” that is authorized by my primary key in a way anyone can publicly verify so I don’t need to expose the primary key’s private component to any web-facing systems.

My idea is to:

  • primary key signs a hash of subkeys public component
  • then use the subkeys private key (proving it has access) to encrypt this signed blob

Verification would be:

  • use the subkey public key to decrypt the signature
  • use the primary key’s public to verify the signature.

Would this be safe? Do I need to ad any tamper protection (AHEAD/HMAC)? I’m interested in an answer for both ECC and RSA.

Best way to authorize and authenticate a user on web API

I am doing a hypothetical web just for learn some security tips and the first problem I’ve found is the login, I’ve read like 40 articles, a lot of questions here on stackoverflow and I still don’t know which method is the best one (this is a non-real case, so we can assume we need a very high security)

most webs I’ve developed I use a expirable access token that I need to send on every call to the API via query param or via Authorization header, then I store the token on the local storage

I’ve read some articles that claims that way is unsecure and the best way is with cookies, I’ve read also that the best way is with sessions

Any hint? I’m a bit confused about which way is the best one to secure first the authentication and then the store of the access token to make the authorization

OAauth – Authorize Vs Token Routes

Although I read about the differences between the token rout and the authorized route I am not sure exactly when I need to use them If I understand correctly the /authorize will be used for clients that want to use my API, which is not part of the company clients(Company site, Company Mobile, etc..). If the user login to the company site with his credentials should I use the /token route or the /authorize route?

OAuth 2.0, what should it be returned in the authorize endpoint if the client_id is wrong and no redirect_uri is passed

We have been working on a OAuth 2.0 IDP implementation, and during the implementation of the authorize endpoint, i couldnt find in the RFC 6749, what should happen if the client_id is not passed in the request or is invalid, and there is no redirect_uri in the request also. Should the server return a 400, with no body, a 400 with json? Or is there a better approach?

How to authorize access to a resource when requested with CORS and validate the origin?

I’ll try to make the explanation simple and to the point (keyword try). And if that’s not sufficient, then maybe I can expand on the question.

Imagine two sites: resources.example.com and www.example.com. I only have direct control over resources.example.com. www.example.com ultimately wants access to resource.example.com/dashboard. The idea here is the resource should be protected; secured.

I also cannot validate www.example.com user credentials for authentication (i.e. username, password). I don’t have access to their user store. Ultimately, above all else, my priority is ensuring that www.example.com is the identity of the resource requester.

My first thought was having www.example.com issue a CORS request to resources.example.com for authorization and send back a token. Token expiry is small (<5 seconds). I check that the request is POST, validate the origin header and the referrer, if it exists. If no origin header is passed, authorization fails. User then passes back token with standard POST request to resources.example.com/dashboard.

The problem is this is a very bad authorization scheme. Origin header is resistant to spoofing but it absolutely can be spoofed. Referrer is even easier to bypass.

www.example.com wants to keep effort minimal, which probably means it’s up to me to code their piece because I don’t know if there’s a simple solution here. They are open to CORS request.

My question is how can I secure the resource on my site in a CORS request and ensure the identity of the client is www.example.com, knowing the origin header can be spoofed?

Is there some way I can possibly leverage, i.e. aJSON Web Token (JWT) using asymmetric cryptography in order to prove the identity of the requester is www.example.com, even if the origin header is compromised? If so, who would generate the JWT, me or www.example.com?

How to get access token programatically when we try to authorize by grand_type auth-code in the OAuth 2.0 like a user?

There is a bank service that provides API to do some operations with bank accounts. To perform a request to all endpoints of this service I, first of all, need to get auth token via grand_type=auth_code; I can easily get the auth code and then access token manually. When browser redirects me to bank auth page I just enter my credentials and then It redirects me to my predefined URL with auth_code.

But I need to write unit tests for my implementation of this API. And how can I perform this process with entering credentials and send request from the page programmatically to get auth code?