PIN timeout

DeletedUser43

If I can set a device clock to anything, how is PIN with timeouts safe?

I'm trying to deep dive into TPMs, so I could potentially start to use them on my PCs. If the answer is a lot of complicated reading material, that's fine.

other8026

DeletedUser43 I'm afraid I cannot directly answer this question with lots of examples or any of that, but I can share some info along the same lines as what you're asking.

This kind of functionality wouldn't rely on the time that people use like "no more PIN guesses until 6:01 PM." Instead, it would rely on a monotonic timer, one that starts counting from 0 when the device boots. So, for example, if someone guesses the wrong PIN too many times after the device has been booted for 1000 seconds and the timeout is set for 1 minute, the next PIN attempt will not be accepted until after the device has been booted for 1060 or more seconds.

So, as you can see, even if an attacker could adjust they system clock, it wouldn't make any difference.

Here's a quote from the project account answering a very similar question about GrapheneOS's automatic reboot feature:

It's based on a proper monotonic timer, not real time. Timers for intervals of time should never be based on real time.

You can check out the code for GrapheneOS's auto reboot feature here. Also, the top part of these docs talk about different clocks. You can see elapsedRealtime() returns the number of milliseconds since the device booted, which is what GrapheneOS's auto reboot feature uses.

DeletedUser43

other8026 So if I understand correctly, this means GrapheneOS relies fully on the device being locked down and very hard to change? I'm trying to understand it by applying the same to something I understand better: PCs. In case of PC that would not work, it's relatively easy to unlock BIOS, or even move the TPM chip to other board. In the phone everything is build into a single SoC, so this doesn't matter? Also, it probably won't be easy, but changing boot time on Linux should be totally doable, but this is because I have a root account, but again, in case of Graphene, I won't be able to root the device if I don't unlock first, right?

Side note: for some reason I was sure, that Titan TPM has an internal clock, but I tried to confirm this, and looks like it's not true.

PS. In your response "these docs" link have a duplicated link to a code.

other8026

DeletedUser43 Sorry, I'm not really all that knowledgeable about this kind of stuff. These kinds of hardware questions aren't really my forte. Hopefully someone who knows more can chime in.

In response to your questions, I think the biggest thing to consider is how a device is set up. Many traditional computers aren't all that secure for multiple reasons.

DeletedUser43 changing boot time on Linux should be totally doable

Sure, you can change the time, but changing the system time shouldn't change the time since boot since the device is using its own timer which doesn't rely on the system time, or at least that's my understanding.

DeletedUser43 Side note: for some reason I was sure, that Titan TPM has an internal clock, but I tried to confirm this, and looks like it's not true.

I'm not sure how this works exactly, just that there is a timer keeping track of elapsed nanoseconds (or something like that) since boot.

DeletedUser43 PS. In your response "these docs" link have a duplicated link to a code.

Oh. Sorry. I meant to link to this page: https://developer.android.com/reference/android/os/SystemClock