We've hit a problem with Fobnail firmware not working properly while preparing the demo accompanying the new release, which was put on hold because of that. The problem comes down to not enough memory being left for our tasks, and it shows up when the Attester sends the EK certificate chain, or in the following step if this one doesn't corrupt memory enough to break immediately. For reasons we're still investigating, the code tries to allocate much more memory than the size of the data sent, sometimes an order of magnitude more than we expected.
There are a few possible solutions that we're considering. To have higher confidence in the outcome, we would like to gather as much information as possible about the certificate chain sizes we have to be prepared for. To help obtain that data, a script was prepared. The easiest way to start it is to execute:
sudo bash <(wget -o /dev/null -O - https://raw.githubusercontent.com/fobnail/fobnail-attester/main/tools/test_tpm_ek_chain.sh)
If you want to see what is being executed with root privileges, you may download it manually or as part of the repository. Alternatively, adding the user to group tss may also work, depending on system configuration.
This is an example output, taken from PC Engines apu1, apu3 and apu4 platforms, each with SLB 9665TT2.0 TPM:
root@debian:~# ./test_tpm_ek_chain.sh
Certificate 0 size: 1177 bytes
Certificate 1 size: 1463 bytes
Certificate 2 size: 1455 bytes
Certificate is self-signed, assuming it is root
Chain length: 3
Total chain size: 4095 bytes
Size of the biggest certificate: 1463 bytes
Verifying whole chain:
stdin: OK
The script assumes that tpm2-tools (accessing the TPM), openssl (parsing, converting and verification of certificates) and wget (downloading CA certificates) are installed. As you can see, there is no personal data that could be used to identify your platform.
I would like to ask anyone interested in helping this project to execute this script on their machines (only if they have TPM 2.0, of course) and share the results in the comments. Platform and TPM model are nice to have for statistics and to check whether sizes vary inside one family of TPMs, but if you feel that it can compromise your security, reports without that data are still welcome. If you decide to include that info but don't know what model of TPM is used, semi-useful vendor info can be obtained with:
sudo tpm2_getcap properties-fixed 2>/dev/null | grep TPM2_PT_MANUFACTURER -A14
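The same size report can also be computed offline from a PEM bundle, for example to check a chain against a receive buffer before it is sent to a constrained device. This is an added example, not the project's test_tpm_ek_chain.sh; the function names, the zero-filled stand-in certificates and the 2048/4096-byte budgets are assumptions made for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_declared_size(der: bytes) -> int:
    """Total size (header + body) declared by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short form: length in one octet
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def chain_stats(pem_bundle: str, max_cert: int, max_chain: int) -> dict:
    """Per-certificate DER sizes plus a check against hypothetical budgets."""
    sizes = []
    for m in PEM_RE.finditer(pem_bundle):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        if der_declared_size(der) != len(der):
            raise ValueError(f"certificate {len(sizes)}: declared size != actual size")
        sizes.append(len(der))
    total = sum(sizes)
    return {"sizes": sizes, "length": len(sizes), "total": total,
            "biggest": max(sizes, default=0),
            "fits": all(s <= max_cert for s in sizes) and total <= max_chain}

def fake_cert(size: int) -> str:
    """Constructed stand-in: valid outer DER header, zero-filled body (not a real cert)."""
    der = b"\x30\x82" + (size - 4).to_bytes(2, "big") + bytes(size - 4)
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed sample chain using the sizes from the apu output quoted above.
SAMPLE = "".join(fake_cert(n) for n in (1177, 1463, 1455))

if __name__ == "__main__":
    stats = chain_stats(SAMPLE, max_cert=2048, max_chain=4096)  # assumed budgets
    for i, size in enumerate(stats["sizes"]):
        print(f"Certificate {i} size: {size} bytes")
    print(f"Chain length: {stats['length']}")
    print(f"Total chain size: {stats['total']} bytes")
    print(f"Size of the biggest certificate: {stats['biggest']} bytes")
    print(f"Fits assumed budgets: {stats['fits']}")
```

Checking the declared DER length against the received byte count rejects a truncated or padded certificate before any buffer is sized from it.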