TXT Testing TBOOT 1.8.3
Copyright 2015 by Assured Information Security, Inc. Created by Ross Philipson <philipsonr@ainfosec.com>. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
Test Instructions:
Use a build that has the new TBOOT 1.8.3 (currently http://openxt.ainfosec.com:81/builds/master/ext-dev-288-master).
In the system's firmware/BIOS setup program, clear the TPM (the details are system specific). It may also require you to disable TXT. This may take a few reboots.
Ensure the TPM is active (after clearing it) and TXT is enabled before going on. After checking this, do a full power cycle (cold boot) before continuing.
Install OpenXT using the "Advanced Install" option. Select the option to set up measured launch when asked. If the installer fails to boot (hangs/resets the system), see "What To Do".
After reboot, as OpenXT is starting, there should be a message box that says "Resealing...". If there is no error here, the system will reboot automatically. If there are errors, see "What To Do".
After reboot, OpenXT should boot to the UIVM with no further messages or problems. If there are errors or problems see "What To Do".
The UIVM should have a green icon in the lower left corner. Hovering over it will report that "Measured Launch succeeded". If this is not the case or there are error messages see "What To Do".
Shut the system down and then start it back up (S5). If there are any hangs, resets or other problems, see "What To Do".
Put the system into hibernate and then resume (S4). If there are any hangs, resets or other problems, see "What To Do".
Put the system to sleep and then resume (S3). If there are any hangs, resets or other problems, see "What To Do".
If all is well, put an entry in the table below - fill in the details as best as possible. Set all P/F fields to P.
What To Do:
Put an entry in the table below and mark what failed. P/F is for anything prior to step 7 or if there is an unsealing error during powering back on in step 7. S5 P/F is for step 7, S4 P/F is for S4 and S3 P/F is for step 9. In the details field, note what was observed. A decision will be made later if a ticket should be created, at which time more information about the failure(s) may be requested.
Test Results (w/ Workaround):
Vendor | Model | T | CPU Arch. | FW/BIOS Ver. | Processor(s) | Memory | P/F | S5 P/F | S4 P/F | S3 P/F | Details |
|---|---|---|---|---|---|---|---|---|---|---|---|
Dell | E6430 ATG | L | Ivy Bridge | A16 | Core i5-3360M | 8G | P | P | P | P | ext-300; |
Dell | Optiplex XE2 | D | Haswell | A10 | Core i5-4570S | 16G | P | P | P | P | ext-300; |
Dell | E7440 | L | Haswell | A08, A15 | Core i7-4600U | 8G | P | P | | F | ext-300; "creation or verification of S3 measurements failed" - this is a different failure mode - needs investigation. Tried a firmware uprev but no luck. Earlier test below showed this was broken with 1.7.0 too. |
Lenovo | T440 | L | Haswell | GJET75WW (2.25) | Core i5-4300U | 4G | P | P | P | P | ext-300; |
Dell | E6540 | L | Haswell | A14 | Core i7-4800M | 8G | P | P | P | P | ext-300; |
HP | EliteBook 850 G1 | L | Haswell | L71 01.30 | Core i7-4600U | 16G | P | P | | P | ext-300; |
HP | 800 G1 SFF | D | Haswell | L01 A.02.23 | Core i5-4570 | 8G | P | P | P | P | ext-300; |
HP | 8300 | D | Ivy Bridge | K01 02.51 | Core i5-3470 | 16G | P | P | P | F | ext-300; On resume, TXT reset the system during GETSEC[SENTER]. I don't think this is a regression - I think this system has always had problems. |
HP | EliteBook 2760p | L | Sandy Bridge | F.42 | Core i5-2540M | 4G | P | P | P | P | ext-300; |
HP | EliteBook 2170p | L | Ivy Bridge | F.00 | Core i5-3427U | 4G | P | P | P | F | ext-300; It looks like the system reset on resume from S3. Since I have no serial output it is hard to tell but I would bet it goes down during GETSEC[SENTER]. I tried to uprev the firmware to F.61 (latest) but short of installing Windows on it I can't manage to do the update. I believe the problem is the extremely old firmware though. |
Dell | Optiplex 9010 | D | Ivy Bridge | A05 -> A20 | Core i7-3770 | 8G | P | P | P | P | ext-300; The system originally had the Dell 0xffffffff TXT error code bug in firmware. The uprev to A20 fixed that. |
HP | Revolve 810 G2 | L | Haswell | L86 01.30 | Core i7-4600U | 8G | P | P | | P | ext-300; |
HP | Z840 | W | Haswell? | M60 01.58 | Xeon E5-2630 v3 | 96GB | P | P | P | F | S3 failing with tboot error in Observation 1, similar observation on tboot 1.7 |
Dell | Latitude E7350 | T | Broadwell | A06 | Core M-5Y71 | 8GB | P | P | P | F | Sleep failures indeterminate due to lack of serial connection. Only get a black screen upon attempting to sleep, no current method to further diagnose. |
HP | ZBook 14 G2 | L | Broadwell | M71 1.09 | Core i7-5600U | 16GB | P | P | P | F | Sleep failures indeterminate due to lack of serial connection. Only get a black screen upon attempting to sleep, no current method to further diagnose. |
Dell | Dell Optiplex 980 | D | Ivy Bridge | A12 | Intel i7-3770 | 10GB | P | P | | P | ext-300; |
Dell | Dell Latitude 14 7000 (e7450) | L | Broadwell | A03 | Intel 5th Gen i5-5200U | 8GB | P | P | | F | ext-300; S3 failing, once the machine is put to sleep it can not be revived, without a force off, which then displays a TXT error. RJP: these 2 broadwells - are they coming back from S3 at all - is there any serial logging after the resume is initiated? |
Dell | Dell Latitude 14 7000 (e7450) | L | Broadwell | A03 | Intel 5th Gen i7-5600U | 8GB | P | P | | F | ext-300; S3 failing, once the machine is put to sleep it can not be revived, without a force off, which then displays a TXT error. "TXT Measured boot failed" |
Dell | Dell Latitude E6540 | L | Haswell | A13 | Intel i7-4610M | 8GB | P | P | | F | ext-300; S3 failing. once the machine is put to sleep it can not be revived, without a force off, which then displays a TXT error. "TXT Measured boot failed" RJP: I tested an E6540 above and it worked with a newer FW version - may want to try this. |
Dell | OptiPlex 7010 | D | Ivy Bridge | A20 | Intel i7-3770 | 8GB | P | P | | P | ext-300; |
Dell | OptiPlex 9020 SFF | D | Haswell | A09 | Intel i5-4570 | 18GB | P | P | | P | ext-300; |
Dell | OptiPlex 9020 MT | D | Haswell | A09 | Intel i7-4770 | 12GB | P | P | | P | ext-300; |
HP | HP EliteDesk 800 G1 Tower | D | Haswell | L01 V02.53 RevA | Intel i7-4770 | 32GB | P | PWE | | P | ext-300; Measured launch failed after shutdown and restart. The machine was then restarted again and measured launch was enabled. |
HP | HP Compaq Elite 8200 | D | Sandy Bridge | J01 V02.15 | Intel i5-2500 |