
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in libtpms versions prior to 0.8.0, identified as CVE-2021-3505. The TPM 2 implementation returns 2048-bit RSA keys with approximately 1984-bit strength due to a bug in the key creation algorithm specified in the TCG specification. The flaw specifically occurs in the RsaAdjustPrimeCandidate() function, which is called before the prime number check (RedHat Bugzilla, Github Issue).
The vulnerability stems from a bug in the RsaAdjustPrimeCandidate function: on 64-bit systems, the MASK definition incorrectly handles bit operations. As a result, each generated prime has 32 bits that are always set to zero, which makes the RSA keys weaker than expected. The bug was present in the TCG specification, which was later updated in its current version. The vulnerability has a CVSS v3.1 base score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).
The primary impact of this vulnerability is on data confidentiality, as the generated RSA keys are weaker than their intended strength. Instead of true 2048-bit strength, the keys effectively provide only about 1984-bit security due to the predictable zero bits in the prime numbers (RedHat Bugzilla).
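The arithmetic behind the 32 zero bits and the 1984-bit figure, as an added example that is not libtpms or TCG source code. The limb layout, both mask expressions and every function name are assumptions chosen to reproduce the behaviour described above.

```c
#include <stdint.h>
#include <stdio.h>

#define WORD_BITS 64                 /* limb width on a 64-bit build (assumed) */
/* Assumed flawed mask: only the low 16 bits of the limb survive. */
#define MASK_FLAWED (UINT64_MAX >> (WORD_BITS - 16))
/* Assumed corrected mask: everything below the 16 adjusted top bits survives. */
#define MASK_FIXED  (UINT64_MAX >> 16)

/* Model of the adjustment: overwrite the top 16 bits of the prime's most
   significant limb and keep the candidate bits that the mask lets through. */
static uint64_t adjust_msw(uint64_t msw, uint16_t top16, uint64_t mask)
{
    return ((uint64_t)top16 << (WORD_BITS - 16)) | (msw & mask);
}

/* Bits that are zero even for an all-ones candidate are zero for every
   candidate, so they contribute no entropy to the prime. */
static uint64_t always_zero_bits(uint64_t mask)
{
    return ~adjust_msw(UINT64_MAX, 0xFFFF, mask);
}

static int popcount64(uint64_t v)
{
    int n = 0;
    while (v) { v &= v - 1; n++; }
    return n;
}

/* An RSA modulus is built from two primes, so the loss counts twice. */
static int effective_key_bits(int nominal_bits, uint64_t mask)
{
    return nominal_bits - 2 * popcount64(always_zero_bits(mask));
}

/* Audit helper: does the top limb of a prime show the constant-zero window?
   A prime from a correct generator matches only with probability 2^-32. */
static int looks_affected(uint64_t top_limb)
{
    return (top_limb & always_zero_bits(MASK_FLAWED)) == 0;
}

int main(void)
{
    printf("flawed=%d fixed=%d sample=%d\n", effective_key_bits(2048, MASK_FLAWED),
           effective_key_bits(2048, MASK_FIXED), looks_affected(0xC123000000004567ULL));
    return 0;
}
```

The sample limb passed to `looks_affected` is a constructed value, not taken from a real key.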
The vulnerability was fixed in libtpms version 0.8.0. However, upgrading to the fixed version alone is not sufficient. To fully mitigate the issue, users must unseal all data, delete the old TPM state file, generate a new one with the fixed key generation algorithm, and then reseal the data (RedHat Bugzilla).
Source: This report was generated using AI