Forward Seal Test Procedures

Objective:

To successfully upgrade an OpenXT system whereby the system calculates the seal measurements for the next boot and uses those to seal the system, a.k.a. forward seal.

Preconditions:

  1. OpenXT Stable-6 configured for Measured Launch.
  2. OpenXT Stable-7 packages-main hosted on a web server accessible by the DUT.

Artifacts:

Artifact / Explanation

Forward Seal Record:

/boot/system/tpm/forward_pcr.lst

This file contains a list of PCRs the forward seal operation sealed to, including any predicted values.

Failed ML PCR State:

/boot/system/tpm/bad.pcrs

This file contains a list of the PCRs at the time that the unseal operation was attempted. In the situation where the unseal failed after an OTA upgrade, this file can be compared with the "Forward Seal Record" to verify whether the predicted PCRs matched the dynamic PCRs (15, 17, 18, 19).

Known Good PCR State:

/config/good.pcrs

This file contains a list of the PCRs at the last "known good" state of the system. Any time an ML fails, this file can be compared with the "Failed ML PCR State" to compare both static and dynamic PCRs.

Platform Sealing Utility:

/usr/sbin/seal-system

This utility can be used to seal to the current state or to a predicted state. For troubleshooting and/or testing purposes, it is possible to forward seal to the current state by invoking seal-system -f on an existing system.
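Added example (not part of the original procedure or of OpenXT's own tooling): a small shell helper for the comparison described above, reporting which of the dynamic PCRs (15, 17, 18, 19) differ between the Forward Seal Record and the Failed ML PCR State. It assumes both files use the TPM 1.2 sysfs-style "PCR-NN: <hex bytes>" line layout; the function names and the sample values are constructed for illustration.

```shell
# Added example: compare selected PCRs between two PCR dump files.
# Assumed line format (TPM 1.2 sysfs style): "PCR-17: AA BB CC ..."

# pcr_value FILE INDEX -> prints the PCR value as upper-case hex, or nothing if absent
pcr_value() {
    awk -v want="$2" '
        toupper($1) ~ /^PCR-[0-9]+:$/ {
            idx = $1; gsub(/[^0-9]/, "", idx)
            if (idx + 0 == want + 0) {
                val = ""
                for (i = 2; i <= NF; i++) val = val toupper($i)
                print val; exit
            }
        }' "$1"
}

# pcr_mismatches FILE_A FILE_B [INDEX...] -> prints PCR indexes that differ or are missing
pcr_mismatches() {
    a=$1; b=$2; shift 2
    [ $# -gt 0 ] || set -- 15 17 18 19      # default: the dynamic PCRs named above
    out=""
    for i in "$@"; do
        va=$(pcr_value "$a" "$i"); vb=$(pcr_value "$b" "$i")
        if [ -z "$va" ] || [ -z "$vb" ] || [ "$va" != "$vb" ]; then
            out="$out${out:+ }$i"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample files (shortened values, not real measurements)
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/forward_pcr.lst" <<'EOF'
PCR-15: 0A 1B 2C 3D
PCR-17: 44 55 66 77
PCR-18: 88 99 AA BB
PCR-19: CC DD EE FF
EOF
cat > "$demo_dir/bad.pcrs" <<'EOF'
PCR-00: 01 02 03 04
PCR-15: F0 E1 D2 C3
PCR-17: 44 55 66 77
PCR-18: 88 99 aa bb
PCR-19: CC DD EE FF
EOF
echo "mismatched PCRs: $(pcr_mismatches "$demo_dir/forward_pcr.lst" "$demo_dir/bad.pcrs")"
```

On a system under test, call pcr_mismatches with /boot/system/tpm/forward_pcr.lst and /boot/system/tpm/bad.pcrs; passing /config/good.pcrs and bad.pcrs with extra PCR indexes covers the static PCRs as well.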

Procedures:

Successful Seal

  1. Enter UIVM graphical display using key sequence Ctrl-0 if not already at that screen
     Expected result: Will be presented with UIVM graphical display

  2. Click "Settings" button on the toolbar at the top of the screen
     Expected result: The "Settings" dialog box will appear

  3. Click "Software Update" from menu list on left hand side of "Settings" dialogue box
     Expected result: The right hand side of "Settings" dialogue will display the "Update Software" form

  4. In the text field under "Update Software" enter the URL path that contains the packages-main folder on the web server
     Expected result: The text field will contain the URL path without an ending path separator, "/"

  5. Click the "Check for Update" button
     Expected result: A confirmation dialogue box will be presented informing that an update is available for download

  6. Click the "Download" button within the confirmation dialogue box that was presented
     Expected result:
       • The text field will be replaced with a progress bar that reflects download progress.
       • Upon download completion, a notification box will appear.

  7. Click "Okay" button within the notification box that was presented
     Expected result: The notification box will disappear

  8. Click "Power" button on the toolbar at the top of the screen
     Expected result: A drop-down list will be presented

  9. Click the "Restart" list item from the drop-down list that was presented
     Expected result:
       • The UIVM graphical display will disappear and an OpenXT splash screen will be presented with a status of "Upgrading"
       • The OpenXT splash screen will eventually disappear
       • The system will reboot
       • The system will boot to its normal state, the UIVM graphical display, unless there are guests configured to auto start.

OTA Upgrade Tamper Detection

  1. Enter UIVM graphical display using key sequence Ctrl-0 if not already at that screen
     Expected result: Will be presented with UIVM graphical display

  2. Click "Settings" button on the toolbar at the top of the screen
     Expected result: The "Settings" dialog box will appear

  3. Click "Software Update" from menu list on left hand side of "Settings" dialogue box
     Expected result: The right hand side of "Settings" dialogue will display the "Update Software" form

  4. In the text field under "Update Software" enter the URL path that contains the packages-main folder on the web server
     Expected result: The text field will contain the URL path without an ending path separator, "/"

  5. Click the "Check for Update" button
     Expected result: A confirmation dialogue box will be presented informing that an update is available for download

  6. Click the "Download" button within the confirmation dialogue box that was presented
     Expected result:
       • The text field will be replaced with a progress bar that reflects download progress.
       • Upon download completion, a notification box will appear.

  7. Click "Okay" button within the notification box that was presented
     Expected result: The notification box will disappear

  8. Click "Power" button on the toolbar at the top of the screen
     Expected result: A drop-down list will be presented

  9. Click the "Restart" list item from the drop-down list that was presented
     Expected result:
       • The UIVM graphical display will disappear and an OpenXT splash screen will be presented with a status of "Upgrading"
       • The OpenXT splash screen will eventually disappear
       • The system will begin to shut down

  10. When BIOS/Firmware boot splash appears, interrupt the boot and power the SUT off
      Expected result: The SUT will be powered off

  11. Boot the device using a bootable USB stick with an OpenXT ISO image
      Expected result: The "Welcome to OpenXT" screen will be presented

  12. Press Alt+F3
      Expected result: A shell login screen will be presented

  13. Enter "root" as the user name and press the enter key
      Expected result: A shell prompt will be presented

  14. Run the command "vgscan"
      Expected result: Should receive the message, "Found volume group "xenclient" using metadata type lvm2"

  15. Run the command "vgchange -ay"
      Expected result: Should receive the message, "8 logical volume(s) in volume group "xenclient" now active"

  16. Run the command "mount /dev/xenclient/root /mnt"
      Expected result: If successful, no messages will be received

  17. Run the command "ls -l /mnt/sbin/init.root-ro"
      Expected result: The file listing details should be presented; make note of the date/time stamp

  18. Run the command "touch /mnt/sbin/init.root-ro"
      Expected result: If successful, no messages will be received

  19. Run the command "ls -l /mnt/sbin/init.root-ro"
      Expected result: The file listing details should be presented. Compare the date/time stamp with the result from step 17; they should be different

  20. Run the command "umount /mnt"
      Expected result: If successful, no messages will be received

  21. Run the command "poweroff"
      Expected result: The SUT should power off

  22. Remove the USB stick from the system
      Expected result: The SUT will be in its normal boot configuration with respect to external devices connected

  23. Power on the SUT
      Expected result:
        • The SUT will begin to boot
        • The warning dialogue, "SECURITY WARNING: TXT measured boot FAILED", will appear



Copyright 2017 by Apertus Solutions, LLC. Created by Daniel P. Smith. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.