Forward Seal Test Procedures
Objective:
To successfully upgrade an OpenXT system whereby the system calculates the seal measurements for the next boot and uses those to seal the system, a.k.a. forward seal.
Preconditions:
- OpenXT Stable-6 configured for Measured Launch
- OpenXT Stable-7 packages-main hosted on web server accessible by DUT.
Artifacts:
Artifact | Explanation |
---|---|
Forward Seal Record: /boot/system/tpm/forward_pcr.lst | This file contains a list of PCRs the forward seal operation sealed to, including any predicted values. |
Failed ML PCR State: /boot/system/tpm/bad.pcrs | This file contains a list of the PCRs at the time that the unseal operation was attempted. In the situation where the unseal failed after an OTA upgrade, this file can be compared with the "Forward Seal Record" to verify whether the predicted PCRs matched dynamic PCRs (15,17,18,19). |
Known Good PCR State: /config/good.pcrs | This file contains a list of the PCRs at the last "known good" state of the system. Any time an ML fails, this file can be compared with the "Failed ML PCR State" to verify/compare both static and dynamic PCRs. |
Platform Sealing Utility: /usr/sbin/seal-system | This utility can be used to seal to the current state or to a predicted state. For troubleshooting and/or testing purposes, it is possible to forward seal to the current state by invoking seal-system -f on an existing system. |
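
The PCR comparisons described in the table above, sketched as a shell helper. This is an added example, not part of the OpenXT tooling; the record line formats (`PCR-17: AA BB ...` or `17: aabb...`), the function names and the sample digests are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenXT code. Assumed record formats (one PCR per line):
#   "PCR-17: AA BB CC ..."  or  "17: aabbcc..."
DYNAMIC_PCRS="15 17 18 19"   # dynamic PCRs named in the artifact table

# normalize_pcrs FILE: emit "<index> <lowercase hex digest>" per parsable line.
normalize_pcrs() {
    awk '{
        line = tolower($0)
        sub(/^[ \t]*pcr[-_ ]?/, "", line)
        n = index(line, ":"); if (n == 0) next
        idx = substr(line, 1, n - 1); val = substr(line, n + 1)
        gsub(/[^0-9]/, "", idx); gsub(/[^0-9a-f]/, "", val)
        if (idx != "" && val != "") print idx + 0, val
    }' "$1"
}

# pcr_value FILE INDEX: digest recorded for one PCR, empty if absent.
pcr_value() {
    normalize_pcrs "$1" | awk -v p="$2" '$1 == p { print $2; exit }'
}

# compare_pcrs EXPECTED ACTUAL [INDEX...]: report each PCR and return 1 on any
# mismatch or missing entry. Defaults to the dynamic PCRs.
compare_pcrs() {
    expected=$1; actual=$2; shift 2
    [ $# -gt 0 ] || set -- $DYNAMIC_PCRS
    rc=0
    for pcr in "$@"; do
        e=$(pcr_value "$expected" "$pcr"); a=$(pcr_value "$actual" "$pcr")
        if [ -z "$e" ] || [ -z "$a" ]; then
            echo "PCR $pcr: missing from one record"; rc=1
        elif [ "$e" = "$a" ]; then
            echo "PCR $pcr: match"
        else
            echo "PCR $pcr: MISMATCH predicted=$e actual=$a"; rc=1
        fi
    done
    return $rc
}

# Constructed sample records (short fake digests); PCR 19 differs.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '15: 00aa\n17: 11bb\n18: 22cc\n19: 33dd\n' > "$tmp/forward_pcr.lst"
printf 'PCR-00: 99 99\nPCR-15: 00 AA\nPCR-17: 11 BB\nPCR-18: 22 CC\nPCR-19: FF FF\n' > "$tmp/bad.pcrs"
compare_pcrs "$tmp/forward_pcr.lst" "$tmp/bad.pcrs" || echo "predicted and measured PCRs differ"
```

To compare static PCRs as well, as the "Known Good PCR State" row describes, pass the two files followed by the full list of PCR indices of interest.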
Procedures:
Successful Seal
Step | Expected Result |
---|---|
| Will be presented with UIVM graphical display |
2. Click "Settings" button on the toolbar at the top of the screen | The "Settings" dialog box will appear |
3. Click "Software Update" from menu list on left hand side of "Settings" dialogue box | The right hand side of "Settings" dialogue will display the "Update Software" form |
4. In the text field under "Update Software" enter the URL path that contains the packages-main folder on the web server | The text field will contain the URL path without an ending path separator, "/" |
5. Click the "Check for Update" button | A confirmation dialogue box will be presented informing that an update is available for download |
6. Click the "Download" button within the confirmation dialogue box that was presented | |
7. Click "Okay" button within the notification box that was presented | The notification box will disappear |
8. Click "Power" button on the toolbar at the top of the screen | A drop-down list will be presented |
9. Click the "Restart" list item from the drop-down list that was presented | |
OTA Upgrade Tamper Detection
Step | Expected Result |
---|---|
| Will be presented with UIVM graphical display |
2. Click "Settings" button on the toolbar at the top of the screen | The "Settings" dialog box will appear |
3. Click "Software Update" from menu list on left hand side of "Settings" dialogue box | The right hand side of "Settings" dialogue will display the "Update Software" form |
4. In the text field under "Update Software" enter the URL path that contains the packages-main folder on the web server | The text field will contain the URL path without an ending path separator, "/" |
5. Click the "Check for Update" button | A confirmation dialogue box will be presented informing that an update is available for download |
6. Click the "Download" button within the confirmation dialogue box that was presented | |
7. Click "Okay" button within the notification box that was presented | The notification box will disappear |
8. Click "Power" button on the toolbar at the top of the screen | A drop-down list will be presented |
9. Click the "Restart" list item from the drop-down list that was presented | |
10. When BIOS/Firmware boot splash appears, interrupt the boot and power the SUT off | The SUT will be powered off |
11. Boot the device using a bootable USB stick with an OpenXT ISO image | The "Welcome to OpenXT" screen will be presented |
12. Press Alt+F3 | A shell login screen will be presented |
13. Enter "root" as the user name and press the enter key | A shell prompt will be presented |
14. Run the command "vgscan" | Should receive the message, "Found volume group "xenclient" using metadata type lvm2" |
15. Run the command "vgchange -ay" | Should receive the message, "8 logical volume(s) in volume group "xenclient" now active" |
16. Run the command "mount /dev/xenclient/root /mnt" | If successful, no messages will be received |
17. Run the command "ls -l /mnt/sbin/init.root-ro" | The file listing details should be presented; make note of the date/time stamp |
18. Run the command "touch /mnt/sbin/init.root-ro" | If successful, no messages will be received |
19. Run the command "ls -l /mnt/sbin/init.root-ro" | The file listing details should be presented. Compare the date/time stamp with the result from (17); they should be different |
20. Run the command "umount /mnt" | If successful, no messages will be received |
21. Run the command "poweroff" | The SUT should power off |
22. Remove the USB stick from the system | The SUT will be in its normal boot configuration with respect to external devices connected |
23. Power on the SUT | |