0. Prerequisites

0.1 Do a backup

Using MARK is currently only possible together with a new installation of your operating system. Do a backup of your current system if you have any valuable data on your hard disk.

Important All data that is currently on your hard disk will be lost. The whole hard disk will be overwritten.

0.2 Get a MARK Drive

Prepare a MARK drive, which consists of a USB mass storage device containing our software and a Teensy device. You do not need to flash the Teensy yourself; this is done automatically during the installation process. To prepare the mass storage you can either download a ready-to-use image and copy it onto the mass storage, or build the software yourself and copy it afterwards. For instructions on how to build MARK, have a look at the manual for developers.

Assuming your USB mass storage shows up as /dev/sdf, copying is easy. Double-check the device name first (for example with lsblk), because the command overwrites the whole device, and make sure nothing on it is mounted. The redirection needs write access to the device node, so run it as root. The following command should do the job:

$ zcat mark.img.gz > /dev/sdf
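As an added example (not part of the MARK image or this manual), here is the copy step wrapped in the checks a practitioner makes before overwriting a disk: the target must be a whole block device, removable, and not mounted anywhere. The image name mark.img.gz and the device /dev/sdf are the ones the manual uses; /sys/block and /proc/mounts are standard Linux interfaces.

```shell
#!/bin/sh
# Added example, not MARK's own tooling: refuse to write the MARK image unless
# the target looks like a removable, unmounted whole disk.

# check_target DEV -> 0 if DEV is a safe target, 1 otherwise (reason on stderr)
check_target() {
    dev=$1
    name=${dev#/dev/}
    if [ ! -b "$dev" ]; then
        echo "$dev: not a block device" >&2; return 1
    fi
    # A whole disk has its own directory in /sys/block; a partition does not.
    if [ ! -d "/sys/block/$name" ]; then
        echo "$dev: not a whole disk (did you pass a partition?)" >&2; return 1
    fi
    # Non-removable devices are most likely the hard disk you want to keep.
    if [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "$dev: not a removable device, refusing" >&2; return 1
    fi
    # Neither the disk nor any partition on it (/dev/sdf1, ...) may be mounted.
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev: something on it is mounted, unmount it first" >&2; return 1
    fi
    return 0
}

# write_image IMAGE DEV: the manual's zcat copy, guarded by check_target and
# followed by sync so the data really is on the stick before it is unplugged.
write_image() {
    check_target "$2" || return 1
    zcat "$1" > "$2" && sync
}
```

Usage, as root: `write_image mark.img.gz /dev/sdf`. The checks are deliberately conservative; a USB stick that the kernel reports as non-removable (some do) will be refused, in which case verify the device by hand and fall back to the plain zcat command above.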

0.3 Own your TPM

To use MARK your TPM has to be in an owned state. Unfortunately, owning the TPM is currently not possible from our UI. Depending on your current configuration this may involve different steps. First you have to enable the TPM in your BIOS, where it is often called Security Chip. To own the TPM you usually have to put it into an ownable (activated) state, which also has to be done in the BIOS. As this is highly vendor specific, consult the manual of your mainboard manufacturer for further information.

If you are running a recent Windows operating system you can own your TPM by executing tpm.msc from the Windows Run dialog. A management console with various TPM actions shows up; just follow the on-screen instructions to complete the owning process. This works for almost all TPM chips.

If you are running Linux you can try to own your TPM by executing

$ tpm_takeownership -z

on the command line. This requires the tpm-tools package and its TrouSerS daemon tcsd, which must be running. Depending on your TPM chip this may or may not work. If it does not, try other tpm_* commands such as tpm_setpresence first. In practice, however, owning the TPM with tpm-tools sometimes simply does not work. If you have such a chip you have to use Windows for the owning process.

If you have no operating system on your computer at all, you do not have to install Linux to own your TPM; you can run the command above from the MARK ramdisk instead. After booting MARK, switch to the second virtual console with Ctrl+Alt+F2, log in as root (no password) and proceed as explained above. When you are done, switch back to the MARK UI with Ctrl+Alt+F1.

In both cases, Windows and Linux, it does not matter which owner password you set in the owning process, because MARK does not use it. You have to set something for technical reasons only. If you use the TPM with applications other than MARK you should remember the password you set here.

Important If you have already owned your TPM and use it with other applications, do not re-own it: keys and sealed data tied to the current owner might become unusable.
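The Linux route above has three outcomes that are easy to confuse (TPM not enabled, enabled but not activated, already owned), and the last one must not be "fixed" by re-owning. As an added example, not part of MARK, the following script reads the TPM 1.2 state the way a practitioner would before running any tpm_* command and only takes ownership in the one state where that is safe. It assumes the kernel exposes the enabled, active and owned attributes under /sys/class/tpm/tpm0/device/ (the exact path varies between kernel versions; override it with TPM_SYSFS) and that tcsd from TrouSerS is running.

```shell
#!/bin/sh
# Added example, not MARK's own tooling: decide what to do with a TPM 1.2
# before calling tpm-tools, following the steps the manual describes.
# Assumption: sysfs attribute path; adjust TPM_SYSFS for your kernel.
TPM_SYSFS=${TPM_SYSFS:-/sys/class/tpm/tpm0/device}

# read_flag NAME -> prints 0 or 1, or "?" if the attribute does not exist
read_flag() {
    cat "$TPM_SYSFS/$1" 2>/dev/null || echo "?"
}

# next_step ENABLED ACTIVE OWNED -> prints the required action
next_step() {
    case "$1$2$3" in
        "?"*)  echo "no-tpm" ;;          # no TPM or no driver: MARK cannot run here
        0*)    echo "enable-in-bios" ;;  # enable the "Security Chip" in the BIOS
        10*)   echo "activate" ;;        # try tpm_setpresence, otherwise the BIOS
        111)   echo "already-owned" ;;   # do NOT re-own: sealed data would break
        110)   echo "take-ownership" ;;  # the one state where tpm_takeownership is safe
        *)     echo "unknown" ;;
    esac
}

# own_tpm: inspect the chip and take ownership only in the safe state
own_tpm() {
    step=$(next_step "$(read_flag enabled)" "$(read_flag active)" "$(read_flag owned)")
    echo "TPM state: $step"
    case $step in
        take-ownership)
            # every tpm_* command talks to the chip through tcsd
            pgrep tcsd >/dev/null || { echo "start tcsd first" >&2; return 1; }
            # -z sets the SRK secret to the well-known value; the owner password
            # is prompted for and, as the manual says, not used by MARK
            tpm_takeownership -z ;;
        *) return 1 ;;
    esac
}
```

Run `own_tpm` as root, for example from the MARK ramdisk console. If it prints already-owned, the TPM is ready for MARK and nothing more needs to be done; if it prints activate, run tpm_setpresence or change the BIOS setting and try again.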

1. Installing a new System with MARK

Change the boot order in your BIOS so that USB devices are considered first and boot your computer from the MARK drive.

1.1 Configuration

The first thing to do is configuring MARK. Select the menu entry Configuration or Recovery and follow the on-screen instructions. You have to set a new passphrase of at least eight characters. The firmware then has to be flashed to the MARK drive, so you are asked to press and release the button on your drive twice. Finally, a new data encryption key (DEK) has to be generated. Select Generate a random DEK, write the DEK down on a piece of paper (or similar) and store it in a secure location. You are now done with the configuration.

Important Write down your DEK. You need it for recovery. If you do not write it down, all your data is lost in case of an error.

1.2 Installation

After you have finished the configuration select the menu entry Install new System and follow the on-screen instructions. You have to enter your passphrase again and are asked to insert your installation media.

Currently only bootable USB sticks are supported. If you only have an ISO image or a CD/DVD of your operating system, you have to create a bootable USB stick in advance. If you want to install Windows, Microsoft offers a tool to prepare the USB stick. If you want to install Linux, it depends on your distribution, but creating a bootable USB stick is usually easy; there may be special images available online, so check the homepage of your distribution.

Now you have to select your installation source and target device. The source device should be your installation media, i.e. your bootable USB stick, and the target device is usually your hard disk. After that, the installation image is copied onto the hard disk and encrypted. This may take some time, so be patient.

In the last step your computer boots into the installer of your operating system. Do not unplug your installation media, and follow the installation instructions of your operating system as you would without MARK. There are just two peculiarities:

  • If you have to partition your hard disk, there will already be a valid partition table and some partitions because of the copied installation image. Just delete everything on the hard disk and create a completely new partition table. This ensures that no leftover data wastes space on your hard disk.

  • If you have to reboot during the installation you have to boot from the MARK drive again. Select the menu entry Boot existing System this time and proceed with the installation of your operating system.

2. Daily Usage

Once you have installed your operating system with MARK, daily usage is simple. Boot your computer from the MARK drive and select the menu entry Boot existing System. Enter your passphrase and you are basically done.

Warning Before entering your passphrase, always check whether the LED on the MARK drive is switched on. A lit LED means the integrity check of your system has succeeded. If the LED is switched off, do NOT enter your passphrase, because your system might be compromised; you might be the victim of an Evil Maid attack.

3. Recovery

Recovery always follows the same principle, whatever the reason, and should be possible in every scenario. Of course your hard disk has to be intact and you need a copy of the DEK.

Boot your computer from the MARK drive, select the menu entry Configuration or Recovery and follow the on-screen instructions. These are basically the same steps as for the initial configuration, but instead of generating a random DEK you now select Enter the DEK manually. Enter your DEK and carefully check that you have entered it correctly. After this is done you can boot the system on your hard disk by selecting Boot existing System.

4. Troubleshooting

Here is a list of common problems together with their solutions. If you encounter any problem with MARK, please read this section first.

4.1 TPM in bad state

You will see this message if MARK either cannot detect a TPM chip or you have not owned your TPM. In the first case your computer is not capable of running MARK. In the second case you have to own your TPM; read the corresponding section of this manual to learn how.

4.2 Unsealing failed

This is probably the most common error you will encounter. It means that your secret nonce cannot be unsealed because your platform configuration, as measured by the TPM, has changed in some way. This can have various reasons, e.g. your hardware changed, you did a BIOS update or you changed BIOS settings. It is even possible that a piece of software or an operating system changed BIOS settings and with it the platform configuration.

Windows may change the boot order during installation; if you do not change it back yourself, you might encounter this error directly after your installation of Windows.

If you cannot restore your platform configuration to exactly its previous state, you have to do a recovery. This is no big deal and you can boot your system the usual way afterwards. The integrity of your system, however, cannot be guaranteed for this single boot process.
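Before resorting to recovery it is worth finding out which measurement actually changed, because that tells you what to restore (boot order, a BIOS setting, a disk). As an added example, not part of MARK, the script below compares a PCR snapshot taken while the system still booted fine with the current values and names the component each changed register measures. It assumes a TPM 1.2 whose PCRs the kernel exposes as /sys/class/tpm/tpm0/device/pcrs, one "PCR-nn: xx xx ..." line per register (path varies by kernel; override with TPM_PCRS). Which PCRs MARK seals the nonce to is not stated in this manual; the hints follow the TCG PC Client usage for BIOS-era platforms, and the sample snapshots are constructed, not real measurements.

```shell
#!/bin/sh
# Added example, not MARK's own tooling: which PCRs changed since a known-good boot?
TPM_PCRS=${TPM_PCRS:-/sys/class/tpm/tpm0/device/pcrs}

# pcr_hint N -> what PCR N measures on a BIOS-era TCG PC Client platform
pcr_hint() {
    case $1 in
        0) echo "BIOS/firmware code (BIOS update?)" ;;
        1) echo "platform configuration (BIOS settings such as the boot order)" ;;
        2) echo "option ROM code (hardware added or removed?)" ;;
        3) echo "option ROM configuration" ;;
        4) echo "IPL code, i.e. the MBR/bootloader" ;;
        5) echo "IPL configuration, i.e. the partition table" ;;
        6) echo "state transitions and wake events" ;;
        7) echo "platform manufacturer specific" ;;
        *) echo "OS or application use (8 and above)" ;;
    esac
}

# diff_pcrs OLDTEXT NEWTEXT -> one line "PCR-nn: <hint>" per changed register
diff_pcrs() {
    d=$(mktemp -d)
    printf '%s\n' "$1" > "$d/old"
    printf '%s\n' "$2" > "$d/new"
    # first pass stores the old lines by register name, second pass reports
    # every register whose whole line differs
    awk 'NR == FNR { old[$1] = $0; next }
         ($1 in old) && old[$1] != $0 { sub(":", "", $1); print $1 }' "$d/old" "$d/new" |
    while read -r reg; do
        n=${reg#PCR-}; n=${n#0}          # "PCR-05" -> 5, "PCR-10" -> 10
        echo "$reg: $(pcr_hint "$n")"
    done
    rm -rf "$d"
}

# check_platform SAVED -> 0 if the live PCRs equal the saved snapshot, 1 otherwise
check_platform() {
    changed=$(diff_pcrs "$(cat "$1")" "$(cat "$TPM_PCRS")")
    if [ -z "$changed" ]; then
        echo "PCRs unchanged; the platform configuration is not the problem"
    else
        echo "changed since snapshot:"; echo "$changed"; return 1
    fi
}

# Constructed sample data: only PCR-01 differs, as after a changed boot order.
SAMPLE_OLD="PCR-00: 3A 1F 00 9C
PCR-01: B2 7D 15 E0
PCR-04: 5C 5C 02 77"
SAMPLE_NEW="PCR-00: 3A 1F 00 9C
PCR-01: 00 11 22 33
PCR-04: 5C 5C 02 77"
```

Take the snapshot right after a boot where the LED came on, for example from the MARK ramdisk console (Ctrl+Alt+F2) with `cat "$TPM_PCRS" > pcrs.good`, and keep it with your other MARK notes. When unsealing later fails, `check_platform pcrs.good` from the same console lists the changed registers; a change in PCR-01 alone usually means a BIOS setting (such as the boot order Windows may alter) and can be undone without a recovery, whereas changes in PCR-04 or PCR-05 mean the MBR or partition table differ from what was measured before, which is exactly what an Evil Maid attack would produce.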

4.3 Selecting menu entries not possible

If you boot your installation system or operating system and have to select a menu entry in the bootloader, you need a PS/2 keyboard. It does not work with USB keyboards, because USB support is needed by the MARK UI and cannot be handed back to the BIOS afterwards.

4.4 Hardware failure

If you had a hardware failure but your hard disk survived, you can put the hard disk into a different computer and boot that computer from the MARK drive. You have to do a recovery and can boot your system afterwards.

4.5 LED on the MARK drive is switched off

This is probably the worst case. If unsealing worked and you do a normal boot, but the LED is switched off during the passphrase prompt, you might be the victim of an attack. It does not matter whether a dialog appears before the prompt or not; it only matters whether the LED is switched on or off.

It is up to you what to do now. You could proceed as usual, but to do so you would probably need to do a recovery first. Proceeding, however, is NOT recommended, as it is likely that someone is attacking you. If you have your data stored on a different machine as well, the best solution is to abort the boot and wipe your hard disk.