====== Research: Analysis of Trusted Platform Module chips ======
~~NOTOC~~
This guide is already out of date. Please use the version on page [[https://crocs.fi.muni.cz/tpm |
https://crocs.fi.muni.cz/tpm]].
The goal of the research is to get a better understanding of the Trusted Platform Modules ecosystem. Such information is vital for the designers and developers using this technology, allowing then to answer questions like: What fraction of devices has TPM chip? Which cryptographic algorithms are widely supported? What is the overhead of computing a digital signature?
The research consist of two primary steps:
- **Collection of raw data about TPM chips** deployed in real-world devices like notebooks, desktops, and servers (the part we are asking you for kind help).
- **Analysis of the data collected to provide insight into the TPM ecosystem** (done by us, resulting in a summary of the most important findings, scientific paper, and research dataset available for replicability and further research).
\_
===== How to collect data via Live Bootable Image =====
The data collection consists of 3 principal steps:
- Preparation of bootable USB drive (20 minutes to download image and 10 minutes to setup)
- TPM data collection (1-3 hours) using live image
- Send collected data (anonymous upload, email)
* (step 2., and 3., can be repeated for multiple computers, no need to create USB drive again)
----
Duration: Preparation of bootable device will take approximately 20 minutes to download image and 10 minutes to setup.
- Prepare an empty USB drive with at least 4GB size (IMPORTANT: all content will be erased)
- Download live USB image: [[https://drive.google.com/file/d/1szV-cMR2k7Ag93lpv7hdGpMG6UykZzle/view?usp=sharing|algtest-usb-disk.img]] and save to disk (e.g., folder C:\TPM\)
- Download and install [[https://www.balena.io/etcher/|Balena Etcher]] (Windows, Linux, Mac) to create bootable USB drive. (Alternatively, you may use [[https://rufus.ie/|Rufus]] instead (Windows only)).
- Run Balena Etcher, click //Select image// and browse for previously downloaded algtest-usb-disk.img on your disk
- Insert empty USB drive, click //Select target// and pick the USB disk
* (double-check that displayed drive is your intended USB drive – check the label, check size)
- Click //Flash!// and wait approximately 5 minutes until flashing is completed.
\_\_\_ \_\_\_[[https://www.fi.muni.cz/~xsvenda/algtest-usb-disk_v0.1.1.img|Secondary mirror]] \_\_\_ [[https://drive.google.com/drive/folders/1rrzuAhf4v-98SvaSLWdl9Hnx1O2N36GF?usp=sharing | GPG signature]] \_ [[https://keybase.io/petrs#show-public | (key)]]
{{ :public:research:balena1.png?direct&400&link |}}//Click to enlarge the image.//
{{ :public:research:balena2.png?direct&400 |}}//Click to enlarge the image.//
Duration: Running Fedora-based system from the bootable device and data collection will take approximately 2-3 hours.
* Place your computer to steady location (on the desk) and plug in power cable.
* Insert installed USB drive from step 1 into the computer and restart your machine.
* If prompted, select boot from USB device instead of standard disk. Select //Start Fedora-algtest-Live 32// boot option.
{{ :public:research:tpm_bootmenu_1280.jpg?direct&400 |}}
//Click to enlarge the image.//
* Wait until Fedora-based TPM testing system is booted. Read the summary of the data we are collecting.
{{ :public:research:tpm_info_1280.JPG?direct&400 |}}
//Click to enlarge the image.//
* Press the //Start// button
* Check that test started and is running (Log window contains 'XX:YY:ZZ Collecting basic TPM info...').
{{ :public:research:tpm_run.jpg?direct&400 |}}
//Click to enlarge the image.//
* Wait for 2–3 hours until the test is finished (100% Test progess).
* IMPORTANT: If test will not finish even **after 5 hours** and no visible progress is seen, please press the //Stop// button and continue to upload the partial results.
* Press the //Shutdown PC// button; wait until your machine is stopped. Unplug the USB drive.
* Restart your computer to your standard environment
- Make sure the USB drive is unplugged.
- Start into your standard environment (e.g., Windows, Linux).
- Plug the USB drive, new drive with label ''algtest_res'' is mounted (e.g., 'E:\').
- Locate file(s) with a file name in the form of ''algtest_result_xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx.zip''.
- Visit page ''https://is.muni.cz/dok/depository_in?lang=en;vybos_vzorek=4085'' and follow instructions how to upload the file (no authentication required, just drop the files). Alternatively, send email to Petr Svenda with file ''algtest_result_xxx.zip'' attached.
\_
or send data by email to %%<%%%%>%%.
{{ :public:research:tpm_upload.png?direct&600 |}}
//Click to enlarge the image.//You are now all good and helped research – **Thank you a LOT!**
=== Issue: Solutions below does not solve the problem ===
**Solution:** If you have any issue which solutions below will not help with, please notify us at .
=== Issue: The bootable image cannot be downloaded ===
**Solution:** Download from the secondary backup location. Please notify us at tpm.crocs@gmail.com.
----
=== Issue: The live Fedora system will not start to boot ===
**Solution:** Go to BIOS (press F1, F8, F12, Enter or special button depending on your computer), select alternative boot device (USB you flashed) and continue
----
=== Issue: The live Fedora system will stop with error during boot ===
**Solution:** Try to change USB slot used to insert bootable USB disk, try to put device into stable position to prevent interruption of communication to USB disk
----
=== Issue: The TPM data collection will start, but finish very quickly (less than 10 seconds) with error 'Cannot collect TPM 2.0 info. Your TPM may probably be disabled in BIOS or you do not have a TPM 2.0.'===
**Solution 1:** Restart your computer, enter BIOS (press F1, F8, F12, Enter or special button right), enable option named as 'TPM chip', 'Security chip' or similar. Then try to boot from USB again.
**Solution 2:** Try to update your BIOS if possible (older BIOSes are known to have incompatibility with some TPM chips under Linux). Then restart and boot from USB again.
Please submit the results even if the error persists.
----
=== Issue: I want to see the source code and build live image myself ===
**Solution:** You are more than welcome, please visit https://github.com/danzatt/tpm2_algtest_live for live image builder repository and https://github.com/danzatt/tpm2-algtest (collection tool itself).
----
======= Research details =======
{{fa>flask}}\_//Experiment:// Analysis of Trusted Platform Modules
{{fa>user-circle-o}}\_//Primary contact:// doc. Petr Svenda %%<%%%%>%%
{{fa>university}}\_//Research institute:// [[https://crocs.fi.muni.cz | CRoCS laboratory]], [[https://muni.cz | Masaryk University ]] and [[https://research.redhat.com/blog/research_project/trusted-computing-ecosystem/ | Red Hat Czech]]
{{fa>database}}\_//Collected data://
**We do not collect any personal data.** We collect only the TPM chip metadata, performance measurements and temporary cryptographic keys generated by TPM chip and product name of your device (e.g., Lenovo ThinkBook 15). We plan to release the data collected later as an open research dataset.
**Data we collect:**
* Device vendor, type (e.g., ''Lenovo ThinkBook 15'') and BIOS version.
* TPM vendor, firmware version (e.g., ''Intel 401.1.0.0'') and TPM version-related information.
* TPM metadata (''TPM_PT_xxx'' properties like ''TPM_PT_REVISION'', ''TPM_PT_MANUFACTURER'' or ''TPM_PT_PCR_COUNT'' – see file ''Quicktest_properties-fixed.txt'' and ''Quicktest_properties-variable.txt'' for full list).
* Algorithms and commands supported by TPM (''TPMA_ALGORITHM'' and ''TPMA_CC properties'', see ''Quicktest_algorithms.txt'' and ''Quicktest_commands.txt'' for full list).
* Performance measurements for various cryptographic algorithms (see ''Perf_xxx.csv'' files).
* Freshly generated, transient keys for ECC and RSA (see ''Keygen_ECC_xxx.csv'' and ''Keygen_RSA_xxx.csv'').
* //Note: All mentioned files are stored inside the ''algtest_result_xxx.zip'' file.//
**Data we do NOT collect:**
* Personal information about the user of the computer analyzed.
* Endorsement key.
* Attestation key(s).
* User-specific content of the non-volatile TPM memory (NVRAM).
**Data retention:**
* We plan to release the data collected as open research dataset to enable wider research cooperation.
* The data collected will be first analyzed by CRoCS research team for the purpose of analysis current TPM chip ecosystem. We plan to release the data collected together with the research findings.