Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
tpm [2020-02-19 07:36] – [Pro uživatele Linux] xsvendatpm [2023-02-16 09:37] (current) xdufka1
Line 1: Line 1:
-====== Sběr TPM dat 2019 ====== +====== Research: Analysis of Trusted Platform Module chips ====== 
-<callout type="success" icon="true">Předem děkujeme MOC za pomoc s výzkumem! Sbíráme jen veřejná/testovací data</callout>+~~NOTOC~~ 
 +<text size="large"> 
 +The goal of the research is to get a better understanding of the Trusted Platform Modules ecosystemSuch information is vital for the designers and developers using this technology, allowing them to answer questions like What fraction of devices has a TPM chip? Which cryptographic algorithms are widely supported? What is the overhead of computing a digital signature?
  
-<callout type="primary" icon="true">Pokud by něco nefungovalonapište mi prosím na Petr Švenda <svenda@fi.muni.cz> </callout>+The research consists of two primary steps: 
 +  - **Collection of raw data about TPM chips** deployed in real-world devices like notebooksdesktops, and servers (the part we are asking you for kind help with). 
 +  - **Analysis of the data collected to provide insight into the TPM ecosystem** (done by us, resulting in a summary of the most important findings, scientific paper, and research dataset available for replicability and further research). 
 +</text>
  
-===== Pro uživatele MS Windows ===== +<TEXT align="center"> 
-**Výzkumný cíl:** Dlouhodobý sběr PCR registrů a jejich vývoj v čase+<button type="success" icon="fa fa-fw fa-upload">[[https://is.muni.cz/dok/depository_in?lang=en;vybos_vzorek=4085|Upload collected data here]]</button>\_ 
 +<button type="primary" icon="fa fa-fw fa-info">[[#research_details|What data do we collect?]]</button> 
 +</TEXT> 
 +===== How to collect data via Live Bootable Image  =====
  
-Postup+The data collection consists of 3 principal steps
-  * Stáhněte si [[https://github.com/petrs/TPM_PCR/releases/download/v0.1.7/TPM_PCR.exe|TPM_PCR.exe v0.1.6]] z https://github.com/petrs/TPM_PCR/releases (k dispozici jsou i zdrojové kódy+  - Preparation of bootable USB drive (20 minutes to download image and 10 minutes to setup
-  * Uložte do libovolného vhodného adresáře (např. Dokumenty\TPM)spusťte, potvrďte Y(es)  +  - TPM data collection (typically 1-3 hours5 hours at mostusing a live image  
-    * Spuštění vytvoří pravidelně spouštěnou úlohu (task scheduler) +  - Send collected data (anonymous uploademail
-    * 1x denně (19:00) uloží PCR vašeho počítače do souboru (nechte prosím běžetmáme zájem o co nejdelší časový úsek) +  * (step 2., and 3., can be repeated for multiple computers; no need to create a USB drive again)
-    * Vytváří soubory ve tvaru PCR_datum_čas.txt, které můžete prostudovat +
-    * Vytváří soubor PCR_measurements_náhodnéčíslo.zip, které obsahuje zaziopované včechny soubory PCR_datum_čas.txt +
-  * Po prvním spuštění prosím zašlete PCR_measurements.zip na svenda@fi.muni.cz (Petr Svenda) +
-  * Po 2-týdnech vás poprosím zaslání dodatečného meření (opět soubor PCR_measurements.zip)+
  
-Dodatečný sběr veřejných klíčů:  +----
-  * Informace jsou dostupné zde: https://crocs.fi.muni.cz/public/research/tpm_data+
  
-===== Pro uživatele Linux ===== +<panel type="info" title="1. Preparation of bootable USB drive">
-**Výzkumný cíl:** Analýza rychlosti TPM čipu a testovacích klíčů+
  
-Postup: +<text type="muted"> 
-  * Přečtěte si návod na https://github.com/simon-struk/tpm2-algtest +DurationThe preparation of a bootable device will take approximately 20 minutes to download the image and 10 minutes to set up
-    * Pokud nemáte, nainstalujte si docker +</text>
-    * Stáhněte si [[https://github.com/simon-struk/tpm2-algtest/blob/master/run_image.py|run_image.py]] z https://github.com/simon-struk/tpm2-algtest +
-    * Spusťte 'python3 -m run_image fulltest'  +
-    * Nástroj provede analýzu rychlosti vašeho TPM čipu a vygeneruje sadu testovacích klíčů (RSA/ECC) +
-  * Po dokončení běhu scriptu (cca 2-3 hodiny, ale velmi malé zatížení CPU) zašlete out.zip na svenda@fi.muni.cz (Petr Svenda) +
-  * Měření je jednorázové, nespouští se opakovaně +
-   +
  
 +  - Prepare an empty USB drive with at least 4GB size (IMPORTANT: all content will be erased)
 +  - Download live USB image: [[https://is.muni.cz/go/tpm-algtest-image|algtest-usb-disk.img]] and save to disk
 +  - Download and install [[https://www.balena.io/etcher/|Balena Etcher]] (Windows, Linux, Mac) to create a bootable USB drive. (Alternatively, you may use [[https://rufus.ie/|Rufus]] instead (Windows only)).
 +  - Run Balena Etcher, click //Select image// and browse for previously downloaded algtest-usb-disk.img on your disk
 +  - Insert empty USB drive, click //Select target//, and pick the USB disk 
 +    * (double-check that the displayed drive is your intended USB drive – check the label and check size)
 +  - Click //Flash!// and wait approximately 5 minutes until flashing is completed.
  
 +<TEXT align="center">
 +<button>[[https://www.balena.io/etcher/|Download Balena Etcher]]</button>\_\_\_<button>[[https://is.muni.cz/go/tpm-algtest-image|Download USB image]] </button> \_\_\_[[https://owncloud.cesnet.cz/index.php/s/kV4JAmtH9Hhc5r4/download?path=%2F&files=algtest-usb-disk-v0.5.3.img |Secondary mirror]] \_\_\_ [[https://owncloud.cesnet.cz/index.php/s/kV4JAmtH9Hhc5r4/download?path=%2F&files=algtest-usb-disk-v0.5.3.img.sig | GPG signature]] \_ [[https://keybase.io/petrs#show-public | (key)]]
 +</TEXT>
  
 +<row>
 +<col xs="12" md="6">{{ :public:research:balena1.png?direct&400&link |}}<TEXT align="center" type="muted">//Click to enlarge the image.//</TEXT></col>
 +<col xs="12" md="6">{{ :public:research:balena2.png?direct&400 |}}<TEXT align="center" type="muted">//Click to enlarge the image.//</TEXT></col> 
 +</row>
 +</panel>
 +
 +
 +<panel type="primary" title="2. Data collection">
 +
 +<text type="muted">
 +Duration: Running the Fedora-based system from the bootable device and data collection will take approximately 1-3 hours (8 at most).
 +</text>
 +  * Place your computer in a steady location (on the desk) and plug-in the power cable.
 +  * Insert the installed USB drive from step 1 into the computer and restart your machine.
 +  * If prompted, select boot from USB device instead of standard disk. Select //Start Fedora-algtest-Live 37// boot option.
 +{{ :public:research:tpm_bootmenu_v2.jpg?direct&400 |}}
 +<TEXT align="center" type="muted">//Click to enlarge the image.//</TEXT>
 +  * Wait until the Fedora-based TPM testing system is booted. Read the summary of the data we are collecting. 
 +{{ :public:research:tpm_info_v2.jpg?direct&400 |}}
 +<TEXT align="center" type="muted">//Click to enlarge the image.//</TEXT>
 +  * Press the //Start basic test// button 
 +    * Check that test has started and is running (Log window contains 'XX:YY:ZZ Starting TPM test...').
 +{{ :public:research:tpm_run_v2.jpg?direct&400 |}}
 +<TEXT align="center" type="muted">//Click to enlarge the image.//</TEXT>
 +  * Wait for 1-3 (5 at most) hours until the test is finished (100% Test progress).
 +    * <text type="warning">IMPORTANT: If the test will not finish even **after 5 hours** and no visible progress is seen, please press the //Stop// button and continue to upload the partial results.</text>
 +  * Press the //Upload results// button (if network is configured)
 +{{ :public:research:tpm_upload_v2.jpg?direct&400 |}}
 +<TEXT align="center" type="muted">//Click to enlarge the image.//</TEXT>
 +  * Press the //Shutdown PC// button; wait until your machine is stopped. Unplug the USB drive.
 +  * Restart your computer to your standard environment 
 +</panel>
 +
 +<panel type="success" title="3. Submit collected data">
 +  - Make sure the USB drive is unplugged.
 +  - Start into your standard environment (e.g., Windows, Linux). 
 +  - Plug the USB drive, new drive with label ''ALGTEST_RES'' is mounted (e.g., 'E:\').
 +  - Locate file(s) with a file name in the form of ''algtest_result_xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx.zip''.
 +  - Visit the page ''https://is.muni.cz/dok/depository_in?lang=en;vybos_vzorek=4085'' and follow instructions on how to upload the file (no authentication required, just drop the files). Alternatively, send an email to Petr Svenda <tpm.crocs@gmail.com> with the file ''algtest_result_xxx.zip'' attached. 
 +
 +
 +<TEXT align="center">
 +<button type="success" icon="fa fa-fw fa-upload">[[https://is.muni.cz/dok/depository_in?lang=en;vybos_vzorek=4085|Upload collected data here]]</button>\_
 +or send data by email to %%<%%<tpm.crocs@gmail.com>%%>%%.
 +</TEXT>
 +
 +
 +{{ :public:research:tpm_upload.png?direct&600 |}}
 +<TEXT align="center" type="muted">//Click to enlarge the image.//</TEXT>
 +
 +<TEXT size="large" align="center">You are now all good and helped research – **Thank you a LOT! 🎉**</TEXT>
 +
 +</panel>
 +
 +<panel type="info" title="Troubleshooting ">
 +
 +<text type="muted"></text>
 +
 +=== Issue: Solutions below do not solve the problem ===
 +**Solution:** If you have any issue that the solutions below will not help with, please notify us at <tpm.crocs@gmail.com>.
 +
 +----
 +
 +=== Issue: The bootable image cannot be downloaded ===
 +**Solution:** Download from the secondary backup location. Please notify us at <tpm.crocs@gmail.com>
 +
 +----
 +
 +=== Issue: The live Fedora system will not start to boot ===
 +**Solution:** Go to BIOS (press F1, F8, F12, Enter, or a special button depending on your computer), select the alternative boot device (USB you flashed), and continue 
 +
 +----
 +
 +=== Issue: The live Fedora system will stop with an error during boot ===
 +**Solution:** Try to change the USB slot used to insert the bootable USB disk, and try to put the device into a stable position to prevent interruption of communication to the USB disk. 
 +
 +----
 +
 +=== Issue: The TPM data collection will start but finish very quickly (less than 10 seconds) with the error 'Cannot collect TPM 2.0 info. Your TPM may probably be disabled in BIOS, or you do not have a TPM 2.0.'===
 +
 +**Solution 1:** Restart your computer, enter BIOS (press F1, F8, F12, Enter or special button right), and enable option named 'TPM chip,' 'Security chip,' or similar. Then try to boot from USB again. 
 +
 +**Solution 2:** Try to update your BIOS if possible (older BIOSes are known to have incompatibility with some TPM chips under Linux). Then restart and boot from USB again. 
 +
 +Please submit the results even if the error persists.
 +
 +----
 +=== Issue: I want to see the source code and build a live image myself ===
 +**Solution:** You are more than welcome, please visit https://github.com/danzatt/tpm2_algtest_live for live image builder repository and https://github.com/crocs-muni/tpm2-algtest (collection tool itself).
 +
 +</panel>
 +
 +======= Research details =======
 +
 +<TEXT size="large">
 +{{fa>flask}}\_//Experiment:// Analysis of Trusted Platform Modules
 +
 +{{fa>user-circle-o}}\_//Primary contact:// doc. Petr Svenda %%<%%<svenda@fi.muni.cz>%%>%%
 +
 +{{fa>university}}\_//Research institute:// [[https://crocs.fi.muni.cz | CRoCS laboratory]], [[https://muni.cz | Masaryk University ]] and [[https://research.redhat.com/blog/research_project/trusted-computing-ecosystem/ | Red Hat Czech]]
 +
 +{{fa>database}}\_//Collected data://
 +</TEXT>
 +**We do not collect any personal data.** We collect only the TPM chip metadata, PCR registers, supported cryptographic algorithms, output of random number generator, performance measurements and temporary cryptographic keys generated by TPM chip, product name of your device (e.g., Lenovo ThinkBook 15) and anonymized endorsement key certificates. We plan to release the data collected later as an open research dataset. 
 +
 +**Data we collect:**
 +  * Device vendor, type (e.g., ''Lenovo ThinkBook 15'') and BIOS version.
 +  * TPM vendor, firmware version (e.g., ''Intel 401.1.0.0'') and TPM version-related information.
 +  * TPM PCR registers (see ''Capability_pcrread.txt'').
 +  * TPM metadata (''TPM2_PT_xxx'' properties like ''TPM2_PT_REVISION'', ''TPM2_PT_MANUFACTURER'' or ''TPM2_PT_PCR_COUNT'' – see file ''Capability_properties-fixed.txt'' and ''Capability_properties-variable.txt'' for full list).
 +  * Algorithms and commands supported by TPM (see ''Capability_algorithms.txt'' and ''Capability_commands.txt'' for full list).
 +  * Performance measurements for various cryptographic algorithms (see ''Perf_xxx.csv'' files).
 +  * Freshly generated transient keys and signatures for ECC and RSA (see ''Keygen_xxx.csv'' and ''Cryptoops_xxx.csv'').
 +  * Generated random data (see ''Rng.bin'').
 +  * Anonymized endorsement key (EK) certificates (see ''Capability_ek-xxx.txt''').
 +  * //Note: All mentioned files are stored inside the ''algtest_result_xxx.zip'' file.//
 +  
 +**Data we do NOT collect:**
 +  * Personal information about the user of the analyzed computer.
 +  * Full endorsement keys (we collect only the first and the last two bytes).
 +  * Attestation key(s).
 +  * User-specific content of the non-volatile TPM memory (NVRAM).
 +
 +**Data Retention:**
 +  * We plan to release the data collected as open research dataset to enable wider research cooperation. 
 +  * The CRoCS research team will first analyze the data collected for the purpose of analyzing the current TPM chip ecosystem. We plan to release the data collected together with the research findings.