Procedures

Install

1. Boot OpenXT installer;
2. Follow the installation steps, if an existing OpenXT installation is detected choose "Erase and Install";
3. When asked to configure "OpenXT Measured Launch", answer "Yes";
4. (Optional) When asked to "Enable external SSH access", answer "Yes";
5. When prompted "Installation succeeded", accept and reboot in OpenXT;
6. Success:
   1. Platform reboots to OpenXT UIVM;
   2. At the bottom-right corner, the "XT shield" is green.

OTA upgrade

1. Focus UIVM (Ctrl+0)
2. Open "Settings" window from the top-right corner;
3. Open "Software Update" tab;
4. Fill the "Update Software" field with the URL of the upgrade hit the "Check for Update" button next to it;
5. Should an update be available, choose "Download" on the next pop-up window;
6. Once the update download is complete, use the "Power" button to "Restart" the platform;
7. Success:
   1. OpenXT update is installed;
   2. OpenXT reboots to UIVM;
   3. Measurement did not break at reboot;
   4. At the bottom-right corner, the "XT shield" is green.
   5. file /boot/system/tpm/formward_pcr.lst exists and match the PCRs values.

Known Issues

1. UEFI upgrade from 8.0.1 to 9.0 is known to fail measurement on reboot because of re-addition of DRTM.  In 8.0, the host UEFI case did not support DRTM+SRTM, it only supports SRTM.  Therefore, PCRs 17,18,19 are
   empty.  When the OTA goes to forward seal, it correctly detects we are not DRTM booted and omits predictions for PCRs 17,18,19 from the sealing blob. The issue is then seen on reboot, since 9.0 does support DRTM+SRTM, it attempts
   to unseal the key with PCRs 17,18,19 as part of the sealing blob, which predictably fails to unseal, because they aren't just all f's.  Since one requires the existing DRTM PCRs to predict what the future DRTM PCRs will be, one cannot forward seal from an
   SRTM-only boot to a DRTM+SRTM boot.  The user must manually reseal.  This is the reason for the Failures listed in the UEFI 8.0.1 → 9.0 upgrade column.

OpenXT 9.0.2

Legacy:

EFI: