Forward Seal Test Procedures

Objective:

To successfully upgrade an OpenXT system whereby the system calculates the seal measurements for the next boot and uses those to seal the system, a.k.a. forward seal.

Preconditions:

OpenXT Stable-6 configured for Measured Launch
OpenXT Stable-7 packages-main hosted on web server accessible by DUT.

Artifacts:

Artifact	Explanation
Forward Seal Record: /boot/system/tpm/forward_pcr.lst	This file contains a list of PCRs the foward seal operation sealed to, including any predicted values.
Failed ML PCR State: /boot/system/tpm/bad.pcrs	This file contains a list of the PCRs at the time that the unseal operation was attempted. In the situation where the unseal failed after a OTA upgrade, this file can be compared with the "Forward Seal Record" to verify whether the predicted PCRs matched dynamic PCRs (15,17,18,19).
Known Good PCR State: /config/good.pcrs	This file contains a list of the PCRs at the last "known good" state of the system. Anytime a ML fails, this file can be compared with the "Failed ML PCR State" to verify/compare both static and dynamic PCRs.
Platform Sealing Utility: /usr/sbin/seal-system	This utility can be used to seal to the current state or to a predicted state. For troubleshooting and/or testing purposes, it is possible to forward seal to the current state by invoking seal-system -f on an existing system.

Procedures:

Successful Seal

Step	Expected Result
Enter UIVM graphical display using key sequence Ctrl-0 if not already at that screen	Will be presented with UIVM graphical display
2. Click "Settings" button on the toolbar at the top of the screen	The "Settings" dialog box will appear
3. Click "Software Update" from menu list on left hand side of "Settings" dialogue box	The right hand side of "Settings" dialogue will be display the "Update Software" form
4. In the text field under "Update Software" enter the URL path that contains the packages-main folder on the web server	The text field will contain the URL path without an ending path separator, "/"
5. Click the "Check for Update" button	A confirmation dialogue box will be presented informing that an update is available for download
6. Click the "Download" button within the confirmation dialogue box that was presented	The text field will be replaced with a progress bar that reflects download progress. Upon download completion, a notification box will appear.
7. Click "Okay" button within the notification box that was presented	The notification box will disappear
8. Click "Power" button on the toolbar at the top of the screen	A drop-down list will be presented
9. Click the "Restart" list item from the drop-down list that was presented	The UIVM graphical display will disappear and an OpenXT splash screen will be present that has a status of "Upgrading" The OpenXT splash screen will eventually disappear The system will reboot The system will boot to its normal state, the UIVM graphical display unless there are guest configured to auto start.

OTA Upgrade Tamper Detection

Step	Expected Result
Enter UIVM graphical display using key sequence Ctrl-0 if not already at that screen	Will be presented with UIVM graphical display
2. Click "Settings" button on the toolbar at the top of the screen	The "Settings" dialog box will appear
3. Click "Software Update" from menu list on left hand side of "Settings" dialogue box	The right hand side of "Settings" dialogue will be display the "Update Software" form
4. In the text field under "Update Software" enter the URL path that contains the packages-main folder on the web server	The text field will contain the URL path without an ending path separator, "/"
5. Click the "Check for Update" button	A confirmation dialogue box will be presented informing that an update is available for download
6. Click the "Download" button within the confirmation dialogue box that was presented	The text field will be replaced with a progress bar that reflects download progress. Upon download completion, a notification box will appear.
7. Click "Okay" button within the notification box that was presented	The notification box will disappear
8. Click "Power" button on the toolbar at the top of the screen	A drop-down list will be presented
9. Click the "Restart" list item from the drop-down list that was presented	The UIVM graphical display will disappear and an OpenXT splash screen will be present that has a status of "Upgrading". The OpenXT splash screen will eventually disappear The system will begin to shutdown
10. When BIOS/Firmware boot splash appears, interrupt the boot and power the SUT off	The SUT will be powered off
11. Boot the device using a bootable USB stick with an OpenXT ISO image	The "Welcome to OpenXT" screen will be presented
12. Press Alt+F3	A shell login screen will be presented
13. Enter "root" as the user name and press the enter key	A shell prompt will be presented
14. Run the command "vgscan"	Should receive the message, "Found volume group "xenclient" using metadata type lvm2"
15. Run the command "vgchange -ay"	Should receive the message, "8 logical volume(s) in volume group "xenclient" now active"
16. Run the command "mount /dev/xenclient/root /mnt"	If successful, no messages will be received
17. Run the command "ls -l /mnt/sbin/init.root-ro"	The file listing details should be presented, make note of the date/time stamp
18. Run the command "touch /mnt/sbin/init.root-ro"	If successful, no messages will be received
19. Run the command "ls -l /mnt/sbin/init.root-ro"	The file listing details should be presented. Compare the date/time stamp with the result from (17), they should be different
20. Run the command "umount /mnt"	If successful, no messages will be received
21. Run the command "poweroff"	The SUT should power off
22. Remove the USB stick from the system	The SUT will be in its normal boot configuration with respect to external devices connected
23. Power on the SUT	The SUT will begin to boot The warning dialogue, "SECURITY WARNING: TXT measured boot FAILED", will appear

Copyright 2017 by Apertus Solutions, LLC. Created by Daniel P. Smith. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.

Testing, Validation and Troubleshooting