Skip to content

Dasharo Security: Measured Boot support

Test cases

MBO001.001 Measured Boot support (Ubuntu 20.04)

Test description

Measured Boot is a method for detecting changes to firmware by storing hashes of each firmware component into the TPM PCR registers. If a PCR changes value across reboots, a change to the firmware has been made. This test aims to verify that Measured Boot is functional and measurements are stored into the TPM.a

Test configuration data

  1. FIRMWARE = coreboot
  2. BOOT_MENU_KEY = F7

Test setup

  1. Proceed with the Generic test setup: firmware
  2. Proceed with the Generic test setup: OS installer
  3. Proceed with the Generic test setup: OS installation
  4. Proceed with the Generic test setup: OS boot from disk
  5. Download cbmem and flashrom from https://cloud.3mdeb.com/index.php/s/zTqkJQdNtJDo5Nd to the DUT
  6. Disable Secure Boot

Test steps

  1. Open a terminal window and execute the following command:
    sudo ./cbmem -c | grep -i PCR
    

Expected result

The output of the command should indicate that measurements of the coreboot components have been made:

TPM: Digest of FMAP: FW_MAIN_A CBFS: fallback/romstage to PCR 2 measured
TPM: Digest of FMAP: FW_MAIN_A CBFS: fspm.bin to PCR 2 measured
TPM: Digest of FMAP: FW_MAIN_A CBFS: fallback/postcar to PCR 2 measured
TPM: Digest of FMAP: FW_MAIN_A CBFS: fallback/ramstage to PCR 2 measured
TPM: Digest of FMAP: FW_MAIN_A CBFS: cpu_microcode_blob.bin to PCR 2 measured
TPM: Digest of FMAP: FW_MAIN_A CBFS: fsps.bin to PCR 2 measured
TPM: Digest of FMAP: FW_MAIN_A CBFS: vbt.bin to PCR 2 measured
TPM: Digest of FMAP: FW_MAIN_A CBFS: fallback/dsdt.aml to PCR 2 measured
TPM: Digest of FMAP: FW_MAIN_A CBFS: fallback/payload to PCR 2 measured

The output should also not contain the following message:

TPM: Extending hash into PCR failed.