Skip to content

Dasharo Security: Measured Boot support

MBO001.001 Measured Boot support (Ubuntu 22.04)

Test description

Measured Boot is a method for detecting changes to the firmware by storing hashes of each firmware component in the TPM PCR registers. If a PCR changes value across reboots, a change to the firmware has been made. This test aims to verify that Measured Boot is functional and that measurements are stored in the TPM.a.

Test configuration data

  1. FIRMWARE = Dasharo
  2. OPERATING_SYSTEM = Ubuntu 22.04

Test setup

  1. Proceed with the Generic test setup: firmware.
  2. Proceed with the Generic test setup: OS installer.
  3. Proceed with the Generic test setup: OS installation.
  4. Proceed with the Generic test setup: OS boot from disk.
  5. Download cbmem from the cloud to the DUT.
  6. Disable Secure Boot.

Test steps

  1. Power on the DUT.
  2. Boot into the system.
  3. Log into the system by using the proper login and password.
  4. Open a terminal window and execute the following command:
sudo ./cbmem -c | grep -i PCR

Expected result

  1. The output of the command should indicate that measurements of the coreboot components have been made.

    Example output:

    TPM: Extending digest for `VBOOT: boot mode` into PCR 0
TPM: Digest of `VBOOT: boot mode` to PCR 0 measured
TPM: Extending digest for `VBOOT: GBB HWID` into PCR 1
TPM: Digest of `VBOOT: GBB HWID` to PCR 1 measured
TPM: Extending digest for `FMAP: FMAP` into PCR 2
TPM: Digest of `FMAP: FMAP` to PCR 2 measured
TPM: Extending digest for `CBFS: bootblock` into PCR 2
TPM: Digest of `CBFS: bootblock` to PCR 2 measured
TPM: Extending digest for `CBFS: fallback/romstage` into PCR 2
TPM: Digest of `CBFS: fallback/romstage` to PCR 2 measured
TPM: Extending digest for `CBFS: fspm.bin` into PCR 2
TPM: Digest of `CBFS: fspm.bin` to PCR 2 measured
TPM: Extending digest for `CBFS: fallback/postcar` into PCR 2
TPM: Digest of `CBFS: fallback/postcar` to PCR 2 measured
TPM: Extending digest for `CBFS: fallback/ramstage` into PCR 2
TPM: Digest of `CBFS: fallback/ramstage` to PCR 2 measured
...

  2. The output shouldn't contain the following message:

    TPM: Extending hash into PCR failed.