Gathering TPM EK certificate chain sizes #50
Comments
NovaCustom NV4X ADL and NovaCustom NV4X TGL (the same exact output):
Ryzen 5 2600, fTPM
@macpijan this looks suspicious, is it possible that you've run a previous version of
Quite likely.
My TPM lacks an EK certificate.
NovaCustom NS5x/7x TGL and ADL, Protectli VP4630/50/70:
MSI PRO Z690-A (DDR4 and DDR5):
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
docs/ek_certificates.md: gather information from issue #50
We've hit a problem with Fobnail firmware not working properly while preparing the demo accompanying the new release, which was put on hold because of that. The problem comes down to not enough memory being left for our tasks, and it shows up when the Attester sends the EK certificate chain, or in the following step if this one doesn't corrupt memory enough to break immediately. For reasons we're still investigating, the code tries to allocate much more memory than the size of the data sent, sometimes by an order of magnitude more than what we expected.

There are a few possible solutions that we're considering. To have higher confidence in the outcome, we would like to gather as much info as possible about the certificate chain sizes we have to be prepared for. To help with obtaining that data, a script was prepared. The easiest way of starting it is to execute:

If you want to see what is being executed with root privileges, you may download it manually or as part of the repository. Alternatively, adding the user to the group `tss` may also work, depending on system configuration.

This is an example output, taken from PC Engines apu1, apu3 and apu4 platforms, each with an SLB 9665TT2.0 TPM:

The script assumes that `tpm2-tools` (accessing the TPM), `openssl` (parsing, converting and verifying certificates) and `wget` (downloading CA certificates) are installed. As you can see, there is no personal data that could be used to identify your platform.

I would like to ask anyone interested in helping this project to execute this script on your machines (only if they have TPM 2.0, of course), and share your results in the comments. Platform and TPM model are nice to have for statistics and to check whether sizes vary inside one family of TPMs, but if you feel that it can compromise your security, reports without that data are still welcome. If you decide to include that info but don't know what model of TPM is used, semi-useful vendor info can be obtained with:
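The sizing question the issue raises, as an added example that is not the issue's script nor Fobnail project code: it walks a DER-concatenated certificate chain by its ASN.1 SEQUENCE headers, reports how many bytes each certificate actually occupies on the wire, and checks the total against an allocation budget. The chain is constructed filler of made-up sizes, and the `fits_budget` / `fake_cert` names are assumptions of this example.

```python
"""Added example (not the Fobnail project's script): walk the ASN.1 SEQUENCE
headers of a DER-concatenated EK chain to get per-certificate byte sizes."""

def der_tlv_length(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Return (header_len, content_len) of the SEQUENCE TLV at offset; rejects
    wrong tags, bad lengths and truncation so a malformed chain can't overrun."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    if buf[offset] != 0x30:
        raise ValueError(f"expected SEQUENCE (0x30), got 0x{buf[offset]:02x}")
    first = buf[offset + 1]
    if first < 0x80:  # short form: the byte itself is the length
        return 2, first
    n = first & 0x7F  # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    if offset + 2 + n > len(buf):
        raise ValueError("truncated long-form length")
    content_len = int.from_bytes(buf[offset + 2 : offset + 2 + n], "big")
    if (n == 1 and content_len < 0x80) or (n > 1 and buf[offset + 2] == 0):
        raise ValueError("non-minimal length encoding is not valid DER")
    return 2 + n, content_len

def chain_cert_sizes(chain: bytes) -> list[int]:
    """Split a back-to-back DER chain into per-certificate sizes in bytes."""
    sizes, offset = [], 0
    while offset < len(chain):
        hdr, body = der_tlv_length(chain, offset)
        if offset + hdr + body > len(chain):
            raise ValueError(f"certificate at offset {offset} is truncated")
        sizes.append(hdr + body)
        offset += hdr + body
    return sizes

def fits_budget(chain: bytes, budget: int) -> bool:
    """True when the chain, exactly as sent, fits in budget bytes."""
    return sum(chain_cert_sizes(chain)) <= budget

def fake_cert(content_len: int) -> bytes:
    """Constructed stand-in for one DER certificate: a SEQUENCE of filler."""
    if content_len < 0x80:
        return bytes([0x30, content_len]) + b"\xa5" * content_len
    lb = content_len.to_bytes((content_len.bit_length() + 7) // 8, "big")
    return bytes([0x30, 0x80 | len(lb)]) + lb + b"\xa5" * content_len

# Constructed sample chain: EK cert plus two CA certs (sizes are made up).
SAMPLE_CHAIN = fake_cert(1200) + fake_cert(1500) + fake_cert(1100)

if __name__ == "__main__":
    print(chain_cert_sizes(SAMPLE_CHAIN), fits_budget(SAMPLE_CHAIN, 4096))
```

Real chains come out of `tpm2_nvread` / `openssl x509 -outform der` as such DER blobs, so the same walker can be pointed at captured output to compare sizes across TPM families.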