TPM-Sniffing LUKS Keys on an Embedded Linux Device [CVE-2026-0714] (opens in new tab)

(cyloq.se)

22 pointsTiberium24d ago9 comments

9 comments

Relevant: https://lkml.org/lkml/2025/8/14/1583, https://lore.kernel.org/linux-integrity/20250825203223.62951... (Disables TCG_TPM2_HMAC by default)

eqvinox24d ago

Not exactly surprising; unless you establish some type of shared secret between the TPM and CPU (e.g. by burning it into fuses in both devices, or through some signature scheme), the bus connecting the two will always be a problem…

pseudohadamard23d ago

Also not exactly surprising: It requires direct physical access to the hardware, if an attacker has that level of control you're a goner no matter what you do. In any case since Moxa devices have historically been riddled with buffer overflows and XSS and RCEs and similar vulns, no attacker will ever need to use this attack because there's much, much easier ways to get in that don't require that you travel to where the device is, get past the physical security at the site, remove the device, dismantle it, and attach probes to internal buses.

Neywiny24d ago

I've thought about it but haven't checked too hard: can they not do a key exchange? In my existing research I've found no reason they can't, just that they don't.

jcalvinowens24d ago

They often do, but it can be MITM'd without some sort of authentication, which generally requires something to be installed in the factory.

2 more replies

j / k navigate · click thread line to collapse