Forward Seal not working

Description

Forward seal does not appear to be working. After making changes that should trip measured launch and then forward sealing the system, measured launch trips upon reboot.

Environment

OXT Build: Stable 9 6524
Dell Latitude 7490
1.8.0 BIOS (latest available)
UEFI with TPM 2.0

Validation Steps

  • Make changes that should trip measured launch

  • Forward seal system

  • Reboot and observe SECURITY WARNING: Measured Launch Unseal FAILED

Activity

Rich Persaud
April 25, 2019, 10:24 PM

In the environment field, please include:

  • OpenXT build number

  • Hardware make/model

  • BIOS version

Also helpful, if available:

  • Text of the measured launch error

  • Status report from the system after boot

Andrew Jones
April 26, 2019, 2:10 PM

Description and environment updated with additional information. I believe Joel Upham has encountered this issue on a different hardware configuration as well. Doing further research on system status.

Andrew Jones
April 26, 2019, 3:03 PM

We've done further research on this problem. I believe there are two bugs but not necessarily with the forward seal itself.

First thing to note is that good.pcrs isn't updating either on forward seal or on auto-unlock. It only updates on reseal&reboot. That had me chasing some ghosts for a bit. I will spin off a new ticket for that.

Secondly: To test forward sealing we were touching root fs as follows:

    rw
    touch /YourFilename
    ro
    seal-system -f

On reboot, measured launch would trip. However, if we continued into the system and forward sealed again, the next reboot would auto-unlock successfully. The problem here might be with ro, not with forward sealing. I can either close this ticket and create a new one for RO, or we could continue to investigate the ro issue as part of this ticket.

Chris Rogers
April 26, 2019, 6:34 PM

PR up for this. Will open stable-9 PR when master is approved.

Andrew Jones
May 13, 2019, 2:55 PM

RW, RO, Forward seal confirmed working in build 6552

Fixed

Assignee

Unassigned

Reporter

Andrew Jones

Labels

None

QA Assignee

None

QA Image URL

None

Priority

Major