docs/ek_certificates.md: gather information from issue #50

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
fobnail · Apr 20, 2023 · dd34c58 · dd34c58
1 parent 09d5629
commit dd34c58
Show file tree

Hide file tree

Showing 2 changed files with 104 additions and 1 deletion.
diff --git a/docs/ek_certificates.md b/docs/ek_certificates.md
@@ -0,0 +1,102 @@
+# Research of EK certificate chain sizes
+
+This document combines results gathered from [this issue](https://github.com/fobnail/docs/issues/50).
+It was created to set expectations about size of data that has to be sent to and
+parsed by Fobnail Token.
+
+## SLB 9665TT2.0 TPM
+
+Used on PC Engines apu platforms:
+
+```text
+Certificate 0 size: 1177 bytes
+Certificate 1 size: 1463 bytes
+Certificate 2 size: 1455 bytes
+Certificate is self-signed, assuming it is root
+
+Chain length: 3
+Total chain size: 4095 bytes
+Size of the biggest certificate: 1463 bytes
+```
+
+## SLB 9670
+
+Used on Raspberry Pi. Two different specimens had slightly different chains:
+
+```text
+Certificate 0 size: 1422 bytes
+Certificate 1 size: 1705 bytes
+Certificate 2 size: 1455 bytes
+Certificate is self-signed, assuming it is root
+
+Chain length: 3
+Total chain size: 4582 bytes
+Size of the biggest certificate: 1705 bytes
+```
+
+```text
+Certificate 0 size: 1171 bytes
+Certificate 1 size: 1449 bytes
+Certificate 2 size: 1455 bytes
+Certificate is self-signed, assuming it is root
+
+Chain length: 3
+Total chain size: 4075 bytes
+Size of the biggest certificate: 1455 bytes
+```
+
+Same TPM on NovaCustom NS5x/7x and Protectli VP4630/50/70 platforms:
+
+```text
+Certificate 0 size: 1171 bytes
+Certificate 1 size: 1449 bytes
+Certificate 2 size: 1455 bytes
+Certificate is self-signed, assuming it is root
+
+Chain length: 3
+Total chain size: 4075 bytes
+Size of the biggest certificate: 1455 bytes
+```
+
+## Unknown TPM (probably also SLB 9670)
+
+Found in NovaCustom NV4X laptops:
+
+```text
+Certificate 0 size: 1171 bytes
+Certificate 1 size: 1449 bytes
+Certificate 2 size: 1455 bytes
+Certificate is self-signed, assuming it is root
+
+Chain length: 3
+Total chain size: 4075 bytes
+Size of the biggest certificate: 1455 bytes
+```
+
+## Unknown TPM
+
+[Reported by 0xDen](https://github.com/fobnail/docs/issues/50#issuecomment-1484607790)
+
+```text
+Certificate 0 size: 1184 bytes
+Certificate 1 size: 1463 bytes
+Certificate 2 size: 1455 bytes
+Certificate is self-signed, assuming it is root
+
+Chain length: 3
+Total chain size: 4102 bytes
+Size of the biggest certificate: 1463 bytes
+```
+
+## fTPM found in AMD processors
+
+These TPMs don't have EK certificates.
+
+## Summary
+
+All encountered EK certificate chains have the same length - 3 certificates
+including EK and root. Total size of chain oscillates around 4KB. Certificate
+sizes are similar across all collected data, with EK being slightly smaller than
+root and intermediate certificates. Biggest certificate in chain usually has
+around 1460 bytes, but there was one TPM with significantly larger maximal size
+of certificate - 1705 bytes.
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -29,10 +29,11 @@ nav:
       - 'Architecture': architecture.md
       - 'Keys and certificates': keys_and_certificates.md
       - 'Fobnail API': fobnail-api.md
+      - 'EK certificate chain sizes': ek_certificates.md
       - 'Ethernet over USB':
         - 'Research': eth-over-usb-research.md
         - 'Implementation': implementing-eth-over-usb.md
-      - 'Minimal OSes for Fobnail Token':
+      - 'Minimal OSes used with Fobnail Token':
         - 'Research': minimal-os-for-fobnail.md
         - 'meta-fobnail PoC': meta-fobnail-in-dlme.md
         - 'Zephyr PoC': zephyr-in-dlme.md