Tags: security, hardware, tpm

Security of a TPM Chip with measured boot


I use a TPM 2.0 with verified and measured boot. Now I read about external TPM modules for mainboards which do not have a TPM module yet. I am a bit confused about how secure this is. I think an attack vector could look like this:

  • Put a man-in-the-middle device between mainboard and TPM which records every data sent

This way an attacker could exfiltrate e.g. Windows BitLocker keys. Are there any methods to prevent such attacks? I am also interested in the security of TPM modules on motherboards, since there the same attack could be done. How is the firmware measured into the TPM? Does this rely on data from the TPM?


Solution

  • Yes, such man-in-the-middle attacks against the TPM are well-known; articles describing them seem to come out with regularity, almost on an annual basis (see here for the latest one).

    The way to protect against them is session-based encryption. (see section 21 here)

    To present the simplest use case, where the session is not an authorization session and is not bound to a TPM object: basically, you would start a salted session, which will ensure that only you and the TPM have access to the salt. Interception of the session start message would not help, as the salt is encrypted with a TPM key.

    Then the session key is computed:

    sessionKey ≔ KDFa(sessionAlg, salt, “ATH”, nonceTPM, nonceCaller, bits)
    

    Note that the TPM is going to have to decrypt the salt on its end. The XOR mask for encrypting the message is computed thusly for each exchange:

    mask ≔ KDFa (hashAlg, sessionKey, “XOR”, nonce1, nonce2, data.size • 8)
    

    The protected data is then encrypted by XORing it with the computed mask for parameter encryption. Note that the mask is going to be different for each encryption operation, as the nonces are constantly refreshed.

    There is also an option to use CFB mode encryption on devices that support it.
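The following is an added worked example, not code from the question, the answer, or the TPM specification itself. It implements the KDFa construction the answer's two formulas rely on (the SP 800-108 counter-mode HMAC KDF from TPM 2.0 Part 1, with the label NUL-terminated and the counter and bit length as 32-bit big-endian fields), derives the session key for an unbound, salted session, and then derives a fresh XOR mask per exchange. The public-key transport of the salt (the `encryptedSalt` parameter of TPM2_StartAuthSession) is deliberately left out: the example assumes both sides already hold the same salt, which is exactly what a bus sniffer lacks. All nonces, the salt and the "secret" parameter are constructed locally; the function names are this example's own.

```python
import hashlib
import hmac
import os
import struct


def kdfa(hash_alg: str, key: bytes, label: str, context_u: bytes, context_v: bytes, bits: int) -> bytes:
    """KDFa as defined in TPM 2.0 Part 1: SP 800-108 KDF in counter mode with HMAC.

    Each block is HMAC(key, [i]_32 || label || 0x00 || contextU || contextV || [bits]_32),
    with i counting from 1. Output is truncated to the requested length.
    """
    if bits % 8:
        raise ValueError("this example only supports whole-byte output lengths")
    out = b""
    counter = 1
    while len(out) < bits // 8:
        msg = (struct.pack(">I", counter) + label.encode("ascii") + b"\x00"
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, hash_alg).digest()
        counter += 1
    return out[: bits // 8]


def session_key(session_alg: str, salt: bytes, nonce_tpm: bytes, nonce_caller: bytes,
                auth_value: bytes = b"") -> bytes:
    """sessionKey := KDFa(sessionAlg, authValue || salt, "ATH", nonceTPM, nonceCaller, bits).

    For the unbound session in the answer, authValue is empty, so the key material is the salt.
    bits is the digest size of sessionAlg.
    """
    bits = hashlib.new(session_alg).digest_size * 8
    return kdfa(session_alg, auth_value + salt, "ATH", nonce_tpm, nonce_caller, bits)


def xor_mask(hash_alg: str, key: bytes, nonce_newer: bytes, nonce_older: bytes, size: int,
             auth_value: bytes = b"") -> bytes:
    """mask := KDFa(hashAlg, sessionKey || authValue, "XOR", nonceNewer, nonceOlder, size * 8).

    For a command parameter nonceNewer is nonceCaller and nonceOlder is nonceTPM;
    for a response parameter the roles are swapped, so the two masks never coincide.
    """
    return kdfa(hash_alg, key + auth_value, "XOR", nonce_newer, nonce_older, size * 8)


def xor_crypt(hash_alg: str, key: bytes, nonce_newer: bytes, nonce_older: bytes, data: bytes) -> bytes:
    """XOR parameter encryption; the same call decrypts because XOR is its own inverse."""
    mask = xor_mask(hash_alg, key, nonce_newer, nonce_older, len(data))
    return bytes(a ^ b for a, b in zip(data, mask))


def demo_session(hash_alg: str = "sha256", secret: bytes = b"constructed sample parameter") -> dict:
    """Caller and TPM derive the same key from a shared salt; a bus sniffer that sees
    only the nonces and ciphertext cannot recover the parameter."""
    salt = os.urandom(hashlib.new(hash_alg).digest_size)  # sent encrypted to the TPM in reality
    nonce_caller = os.urandom(20)  # chosen by the caller in TPM2_StartAuthSession
    nonce_tpm = os.urandom(20)     # returned by the TPM, refreshed on every exchange

    caller_key = session_key(hash_alg, salt, nonce_tpm, nonce_caller)
    tpm_key = session_key(hash_alg, salt, nonce_tpm, nonce_caller)

    # Command parameter: nonceNewer = nonceCaller, nonceOlder = nonceTPM.
    ciphertext = xor_crypt(hash_alg, caller_key, nonce_caller, nonce_tpm, secret)
    tpm_plaintext = xor_crypt(hash_alg, tpm_key, nonce_caller, nonce_tpm, ciphertext)

    # The sniffer captured nonce_caller, nonce_tpm and ciphertext, but the salt only ever
    # crossed the bus encrypted to the TPM's key, so it has to guess one.
    guessed_key = session_key(hash_alg, os.urandom(len(salt)), nonce_tpm, nonce_caller)
    sniffer_plaintext = xor_crypt(hash_alg, guessed_key, nonce_caller, nonce_tpm, ciphertext)

    return {
        "plaintext": secret,
        "ciphertext": ciphertext,
        "tpm_decrypted": tpm_plaintext,
        "sniffer_decrypted": sniffer_plaintext,
        "keys_match": caller_key == tpm_key,
    }


if __name__ == "__main__":
    r = demo_session()
    print("TPM recovered parameter:", r["tpm_decrypted"] == r["plaintext"])
    print("sniffer recovered parameter:", r["sniffer_decrypted"] == r["plaintext"])
```

Two properties worth checking when you run it: the TPM side recovers the parameter only because it holds the salt, and swapping the nonce order (as happens between the command and the response) yields a different mask from the same session key, which is why the mask is never reused even though the session key is fixed for the session's lifetime.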