2017 Baseline Release Test Criteria

(tick) Indication about requirements that could be added to Release Test list for 7.0.0

Functional Tests

Platform Installation

  1. Installation with an optical disk drive (tick)
  2. Installation with a USB optical disk drive (tick)
  3. Installation with a USB flash drive (tick)

Platform Upgrade

  1. OTA upgrade (tick)

Guest installation

  1. Installation with an existing vhd (tick)
  2. Installation from a virtual iso (tick)
  3. Installation from an optical disk drive (tick)
  4. PXE installation (tick)

Guest OS with Tools

  1. Windows 7 sp1 64-bit install and basic use (tick)

  2. Windows 10 (1511) 64-bit install and basic use

  3. Windows 10 (1607) 64-bit install and basic use

  4. Windows 10 (1703) 64-bit install and basic use (tick)

  5. Windows 7 to Windows 10 (1607) upgrade

  6. Windows 7 to Windows 10 (1703) upgrade

  7. Windows 10 (1511) to Windows 10 (1607) upgrade

  8. Windows 10 (1607) to Windows 10 (1703) upgrade

  9. RedHat Enterprise Linux 7 64-bit install and basic use

Windows basic use

  1. Burn a CD (tick)

Guest OS without Tools

  1. Windows 7 64-bit install and basic use

  2. Windows 10 64-bit install and basic use

PCI Passthrough

  1. Passthrough of PCIe NIC to NDVM (tick)

  2. Passthough of PCIe NIC to generic guest (tick)

  3. Passthrough of USB controller to generic guest (tick)

  4. Passthrough of PCIe audio controller to generic guest (tick)

  5. Passthrough of supported NVidia graphics card to generic guest (tick)

  6. Passthrough of supported AMD graphics card to generic guest (tick)

Virtual USB

  1. Assignment of policy-allowed USB device to guest (e.g. smart card reader) (tick)

  2. Intentional failure to assign policy-disallowed USB device to guest

  3. Ejection of assigned USB device from guest (no longer present, accessible, addressable)

  4. Re-assignment of ejected USB device to a guest

  5. Add USB policy to disallow previously-assignable device, then attempt to assign

  6. Add USB policy to automatically assign a specific USB device by {vendorID, productID, serial}

  7. Assign friendly name to USB device, verify consistency across reboot and device hotplug

  8. Devices:

    1. Smart card reader

    2. Mass storage device (tick)

    3. Webcam

    4. Audio headset

    5. Touchscreen

    6. Optical drive (tick)

Devices and Hardware

  1. USB optical drive as assignable optical drive (tick)

  2. SATA optical drive assignment (tick)

  3. Unplug and re-plug monitor

  4. Audio playback using speakers/headphones (tick)

  5. SATA hard disk for base system (tick)

  6. PCIe/NVMe hard disk for base system


  1. Verify virtual USB quality (e.g. writing large data blocks to mass storage)

  2. Verify audio playback quality

  3. Verify audio recording quality

  4. Run CPU stress tests

  5. Run disk I/O stress tests

  6. Run GPU stress test (3D VM only)

  7. Validate virtual network throughput and packet loss


  1. Create VM (tick)

  2. Start VM (tick)

  3. Shutdown VM (tick)

  4. Reboot VM (tick)

  5. Destroy VM instance (tick)

  6. Delete VM (tick)

  7. Switch running VM focus (tick)

  8. Shut down system (tick)

  9. View NDVM network connection status {link state, Address information}

  10. Connect NDVM to wireless network (tick)

  11. Change input device sensitivity (tick)

  12. Change wallpaper (tick)

  13. { Change VM settings }



With nilfvm template removed, there is not currently an example/reference ServiceVM outside of the always present NDVM and UIVM. Testing of this may not be able to occur until a new example/reference ServiceVM can be made available.

  1. Create a Service VM
  2. Configure guest to utilize a ServiceVM

Security Tests

Hypervisor and Tools

  1. Scrub guest RAM prior to launch

  2. EPT mapping isolation

  3. VT-d/AMD-Vi isolation

  4. Separate stubdom instance per guest

  5. Verify adding/removing V4V firewall rules (and ability to bind/use V4V sockets)

  6. Verify VMs will not start if insufficient memory for the instance

Virtual Storage

  1. Virtual disk encryption is truly AES-128/AES-256 (tick)

  2. Data changes in encrypted differential disk not reflected in unencrypted base disk

  3. Cannot write to read-only virtual disk

Measured Launch

  1. Seal the platform

    1. TPM 1.2 (tick)

    2. TPM 2.0 using SHA-256 (tick)

  2. PCR Usage

    1. Firmware

      1. Verify sane PCRs (e.g. different values in [0], [1], [2])

      2. Verify PCRs appropriately change per what they should measure (e.g. PCI devices, BIOS executable code)

    2. TXT

      1. PCRs 17, 18, and 19 populated

  3. PCR value change triggers admin unlock/reseal

    1. hardware/BIOS change (tick)

    2. bootloader/kernel change (tick)

    3. Xen hypervisor change (tick)

    4. Dom0 initramfs change (tick)

    5. Dom0 measured rootfs change (tick)

  4. Media-based upgrade (cd/usb/pxe) requires admin reseal

  5. OTA-based upgrade should forward seal (tick)

Hypervisor Access Control (XSM)

  1. Default operational status is for XSM to be enforced

  2. Dom0, UIVM, NDVM, stubdom, SyncVM instances each have appropriate XSM label

  3. { Need OpenXT-specific policy tests, success and intentional failure }


  1. SELinux in enforcing mode by default (tick)

  2. { Need OpenXT-specific Dom0 policy tests, success and intentional failure }

  3. {For privileged commands, must be run as sysadm_r}

  4. /config partition is encrypted with AES-256-XTS, using keys sealed to TPM

  5. Rootfs (/) mounted read-only by default

  6. Change Dom0 root password

  7. Verify rpc-proxy rules for dbus-over-V4V (and ability to make calls/receive signals)


  1. Policy to enable/disable UIVM->Dom0 sshv4v

  2. Policy to enable/disable end-user VM creation

  3. Policy to enable/disable end-user VM deletion

  4. Policy to show/hide Settings tab

  5. Policy to show/hide Services tab

  6. Policy to enable/disable changing VM settings

Devices and Hardware

  1. Relay of keyboard input only to in-focus guest

  2. Relay of mouse input only to in-focus guest

  3. Keyboard and mouse focus not split among different guests


  1. Verify cannot write to read-only dom-store

  2. Verify cannot read no-access dom-store

  3. Verify can only record optical media if policy allows

  4. Verify can only see allowed and assigned USB devices

  5. VM sleep (S3) and resume (tick)

  6. VM hibernate (S4) and resume

  7. Verify can only record audio if policy allows

  8. Verify can only playback audio if policy allows

  9. Verify control-platform-power-state (e.g. VM shutdown shuts system down)

  10. Verify start-on-boot

Copyright 2017 by Apertus Solutions, LLC. Created by Daniel P. Smith. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.