Forward Seal Test Procedures
Objective:
To successfully upgrade an OpenXT system whereby the system calculates the seal measurements for the next boot and uses those to seal the system, a.k.a. forward seal.
Preconditions:
- OpenXT Stable-6 configured for Measured Launch
- OpenXT Stable-7 packages-main hosted on web server accessible by DUT.
Artifacts:
Artifact | Explanation |
---|---|
Forward Seal Record: /boot/system/tpm/forward_pcr.lst | This file contains a list of PCRs the forward seal operation sealed to, including any predicted values. |
Failed ML PCR State: /boot/system/tpm/bad.pcrs | This file contains a list of the PCRs at the time that the unseal operation was attempted. In the situation where the unseal failed after an OTA upgrade, this file can be compared with the "Forward Seal Record" to verify whether the predicted PCRs matched dynamic PCRs (15,17,18,19). |
Known Good PCR State: /config/good.pcrs | This file contains a list of the PCRs at the last "known good" state of the system. Any time an ML fails, this file can be compared with the "Failed ML PCR State" to verify/compare both static and dynamic PCRs. |
Platform Sealing Utility: /usr/sbin/seal-system | This utility can be used to seal to the current state or to a predicted state. For troubleshooting and/or testing purposes, it is possible to forward seal to the current state by invoking seal-system -f on an existing system. |
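
The comparison of the "Known Good PCR State" with the "Failed ML PCR State" described above can be scripted. The following is an added example, not part of the OpenXT tooling; it assumes both dumps use one `PCR-NN: <hex bytes>` line per PCR (the layout of the Linux TPM 1.2 sysfs `pcrs` file), and the function names and sample digests are constructed for illustration.

```shell
# Added example. Assumption: each dump has one "PCR-NN: <hex bytes>" line per PCR.
DYNAMIC_PCRS="15 17 18 19"   # dynamic PCRs named in the table above

# Print "<index> <static|dynamic|missing-...>" for every PCR that differs
# between the known-good dump ($1) and the failed dump ($2); return 1 on any.
compare_pcrs() {
    awk -v dyn="$DYNAMIC_PCRS" -v goodfile="$1" '
    function digest(s) {              # "PCR-07: 3a 3f" -> "3A3F"
        s = toupper(s); sub(/^[^:]*:/, "", s)
        gsub(/[^0-9A-F]/, "", s); return s
    }
    function pcr_index(s) { return substr(s, 5) + 0 }   # "PCR-07: .." -> 7
    BEGIN {
        n = split(dyn, d, " ")
        for (i = 1; i <= n; i++) is_dyn[d[i]] = 1
        while ((getline l < goodfile) > 0)
            if (l ~ /^PCR-[0-9]+:/) good[pcr_index(l)] = digest(l)
    }
    /^PCR-[0-9]+:/ {
        idx = pcr_index($0); seen[idx] = 1
        if (!(idx in good)) { print idx, "missing-in-good"; rc = 1 }
        else if (good[idx] != digest($0)) {
            print idx, ((idx in is_dyn) ? "dynamic" : "static"); rc = 1
        }
    }
    END {
        for (i in good) if (!(i in seen)) { print i, "missing-in-bad"; rc = 1 }
        exit rc + 0
    }' "$2"
}

# Constructed sample dumps with shortened digests (not real measurements).
make_samples() {
    cat > "$1/good.pcrs" <<'EOF'
PCR-00: 3A 3F 78 0F
PCR-17: A1 B2 C3 D4
PCR-19: 0E 1F 2A 3B
EOF
    cat > "$1/bad.pcrs" <<'EOF'
PCR-00: 3a 3f 78 0f
PCR-17: A1 B2 C3 D4
PCR-19: FF 1F 2A 3B
EOF
}

demo=$(mktemp -d) && make_samples "$demo"
compare_pcrs "$demo/good.pcrs" "$demo/bad.pcrs" || echo "PCR mismatch"
rm -rf "$demo"
```

On the DUT the call would be `compare_pcrs /config/good.pcrs /boot/system/tpm/bad.pcrs`, provided the files match the assumed layout.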
Procedures:
Successful Seal
Step | Expected Result |
---|---|
| Will be presented with UIVM graphical display |
2. Click "Settings" button on the toolbar at the top of the screen | The "Settings" dialog box will appear |
3. Click "Software Update" from menu list on left hand side of "Settings" dialogue box | The right hand side of "Settings" dialogue will display the "Update Software" form |
4. In the text field under "Update Software" enter the URL path that contains the packages-main folder on the web server | The text field will contain the URL path without an ending path separator, "/" |
5. Click the "Check for Update" button | A confirmation dialogue box will be presented informing that an update is available for download |
6. Click the "Download" button within the confirmation dialogue box that was presented |
|
7. Click "Okay" button within the notification box that was presented | The notification box will disappear |
8. Click "Power" button on the toolbar at the top of the screen | A drop-down list will be presented |
9. Click the "Restart" list item from the drop-down list that was presented |
|
OTA Upgrade Tamper Detection
Step | Expected Result |
---|---|
| Will be presented with UIVM graphical display |
2. Click "Settings" button on the toolbar at the top of the screen | The "Settings" dialog box will appear |
3. Click "Software Update" from menu list on left hand side of "Settings" dialogue box | The right hand side of "Settings" dialogue will display the "Update Software" form |
4. In the text field under "Update Software" enter the URL path that contains the packages-main folder on the web server | The text field will contain the URL path without an ending path separator, "/" |
5. Click the "Check for Update" button | A confirmation dialogue box will be presented informing that an update is available for download |
6. Click the "Download" button within the confirmation dialogue box that was presented |
|
7. Click "Okay" button within the notification box that was presented | The notification box will disappear |
8. Click "Power" button on the toolbar at the top of the screen | A drop-down list will be presented |
9. Click the "Restart" list item from the drop-down list that was presented |
|
10. When BIOS/Firmware boot splash appears, interrupt the boot and power the SUT off | The SUT will be powered off |
11. Boot the device using a bootable USB stick with an OpenXT ISO image | The "Welcome to OpenXT" screen will be presented |
12. Press Alt+F3 | A shell login screen will be presented |
13. Enter "root" as the user name and press the enter key | A shell prompt will be presented |
14. Run the command "vgscan" | Should receive the message, "Found volume group "xenclient" using metadata type lvm2" |
15. Run the command "vgchange -ay" | Should receive the message, "8 logical volume(s) in volume group "xenclient" now active" |
16. Run the command "mount /dev/xenclient/root /mnt" | If successful, no messages will be received |
17. Run the command "ls -l /mnt/sbin/init.root-ro" | The file listing details should be presented; make note of the date/time stamp |
18. Run the command "touch /mnt/sbin/init.root-ro" | If successful, no messages will be received |
19. Run the command "ls -l /mnt/sbin/init.root-ro" | The file listing details should be presented. Compare the date/time stamp with the result from (17); they should be different |
20. Run the command "umount /mnt" | If successful, no messages will be received |
21. Run the command "poweroff" | The SUT should power off |
22. Remove the USB stick from the system | The SUT will be in its normal boot configuration with respect to external devices connected |
23. Power on the SUT |
|