Dasharo Security: UEFI Secure Boot

SBO001.001 Check Secure Boot default state (firmware)

Test description

Secure Boot is a verification mechanism for ensuring that code launched by firmware is trusted. This test aims to verify that the Secure Boot state after flashing the platform with the Dasharo firmware is correct.

Test configuration data

FIRMWARE = Dasharo

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Verify the Current Secure Boot State field.

Expected result

The Secure Boot State field should inform that the current state of Secure Boot is Disabled.

SBO002.001 UEFI Secure Boot (Ubuntu)

Test description

This test verifies that Secure Boot can be enabled from the boot menu and, after the DUT reset, it is seen from the OS.

Test configuration data

FIRMWARE = Dasharo
OPERATING_SYSTEM = Ubuntu

Test setup

Proceed with the Generic test setup: firmware.
Proceed with the Generic test setup: OS installer.
Proceed with the Generic test setup: OS installation.
Proceed with the Secure Boot Configuration to enable the Attempt Secure Boot option in the Secure Boot Configuration menu.

Test steps

Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
If a message To enable Secure Boot, set Secure Boot Mode to Custom and enroll the keys/PK first appears:
1. Set Secure Boot Mode to Custom Mode
2. Enter Advanced Secure Boot Keys Management submenu
3. Select Reset to default Secure Boot Keys
4. If a pop-up appears to confirm the selection, select Yes
5. Press Esc to go back
Verify that the Current Secure Boot State field says Enabled - if not, select the Attempt Secure Boot option below.
Go back to the main menu using the ESC key.
Select the Reset option to apply the settings and reboot.
The DUT will now attempt to boot OPERATING_SYSTEM with Secure Boot enabled.
Log into the system by using the proper login and password.
Open a terminal window and run the following command:
```
sudo dmesg | grep "Secure boot"
```
Note the results.

Expected result

The output of the command should contain the line:

secureboot: Secure boot enabled

SBO002.002 UEFI Secure Boot (Windows)

Test description

This test verifies that Secure Boot can be enabled from the boot menu and, after the DUT reset, it is seen from the OS.

Test configuration data

FIRMWARE = Dasharo
OPERATING_SYSTEM = Windows

Test setup

Proceed with the Generic test setup: firmware.
Proceed with the Generic test setup: OS installer.
Proceed with the Generic test setup: OS installation.
Proceed with the Secure Boot Configuration to enable the Attempt Secure Boot option in the Secure Boot Configuration menu.

Test steps

Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Verify that the Current Secure Boot State field says Enabled - if not, select the Attempt Secure Boot option below.
Go back to the main menu using the ESC key.
Select the Reset option to apply the settings and reboot.
The DUT will now attempt to boot OPERATING_SYSTEM with Secure Boot enabled.
Log into the system by using the proper login and password.
Open Powershell as administrator and run the following command:
```
Confirm-SecureBootUEFI
```
Note the results.

Expected result

The output of the command should return the information, that Secure Boot is enabled:

True

SBO003.001 Attempt to boot file with the correct key from Shell (firmware)

Test description

This test verifies that Secure Boot allows booting a signed file with a correct key.

Test configuration data

FIRMWARE = Dasharo
Additional USB storage - at least 1GB - for keeping files for booting

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated GOOD_KEYS.img into USB storage using the following command:
```
sudo dd if=path/to/GOOD_KEYS.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Secure Boot Mode field to Custom Mode.
Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File
Select the certificate from the USB storage.
Select the Commit Changes and Exit option.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```

Expected result

File boots correctly (no information: Command Error Status: Access Denied on the output) and the output of the command shows file content. Example output:

Hello, world!

SBO004.001 Attempt to boot file without the key from Shell (firmware)

Test description

This test verifies that Secure Boot blocks booting a file without a key.

Test configuration data

FIRMWARE = Dasharo
Additional USB storage - at least 1GB - for keeping files for booting

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated NOT_SIGNED.img into USB storage using the following command:
```
sudo dd if=path/to/NOT_SIGNED.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
hello.efi
```

Expected result

The output of the command doesn't show file content and information about access denied is displayed. Example output:

Command Error Status: Access Denied

SBO005.001 Attempt to boot file with the wrong-signed key from Shell (firmware)

Test description

This test verifies that Secure Boot blocks booting a file with the wrong-signed key.

Test configuration data

FIRMWARE = Dasharo
Additional USB storage - at least 1GB - for keeping files for booting

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated BAD_KEYS.img into USB storage using the following command:
```
sudo dd if=path/to/BAD_KEYS.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```

Expected result

The output of the command doesn't show file content and information about access denied is displayed. Example output:

Command Error Status: Access Denied

SBO006.001 Reset Secure Boot Keys option availability (firmware)

Test description

This test aims to verify, that the Reset Secure Boot Keys option is available after flashing the platform with the Dasharo firmware.

Test configuration data

FIRMWARE = Dasharo

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set Advanced Secure Boot Keys Management submenu.
Verify the Reset to default Secure Boot Keys field.

Expected result

The Reset Secure Boot Keys option should be listed after entering the key management submenu.

SBO007.001 Attempt to boot the file after restoring keys to default (firmware)

Test description

This test verifies that the Reset Secure Boot Keys option works correctly.

Test configuration data

FIRMWARE = Dasharo
Additional USB storage - at least 1GB - for keeping files for booting

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated GOOD_KEYS.img into USB storage using the following command:
```
sudo dd if=path/to/GOOD_KEYS.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Secure Boot Mode field to Custom Mode.
Select options in the given order: Advanced Secure Boot Keys Management -> DB Options -> Enroll Signature -> Enroll Signature Using File
Select the certificate from the USB storage.
Select the Commit Changes and Exit option.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```
Exit the shell by executing the following command:
```
exit
```
Press ESC until the setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Enter the Advanced Secure Boot Keys Management submenu.
Select the Reset to default Secure Boot keys option using the arrow keys and Enter.
If necessary - press Y to confirm saving the changes.
Press ESC until the setup menu.
Select the Reset option to apply the settings and reboot.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Verify that the Current Secure Boot State field says Enabled.
Press ESC until the setup menu.
Select the One Time Boot menu using the arrow keys and Enter.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```

Expected result

The first attempt to run the signed-hello.efi file will results with file boots correctly (no information: Command Error Status: Access Denied on the output). The output of the command shows file content. Example output:

Hello, world!

The second attempt to run the signed-hello.efi file will ends with information about access denied displayed. Example output:

Command Error Status: Access Denied

After selecting the Reset Secure Boot Keys option, the Secure boot state should be automatically enabled.

SBO008.001 Attempt to enroll the key in the incorrect format (firmware)

Test description

This test verifies that Secure Boot doesn't allow enrolling keys in the incorrect format.

Test configuration data

FIRMWARE = Dasharo

Test setup

Proceed with the Generic test setup: firmware.
Additional USB storage - at least 1GB - for keeping files for booting

Test steps

Run sb-img-wrapper.sh script to generate certificate in wrong format.
Flash generated BAD_FORMAT.img into USB storage using the following command:
```
sudo dd if=path/to/BAD_FORMAT.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Secure Boot Mode field to Custom Mode.
Select options in the given order: Advanced Secure Boot Keys Management -> DB Options -> Enroll Signature -> Enroll Signature Using File
Select the file with the .der extension from the USB storage.
Select the Commit Changes and Exit option.

Expected result

The popup with information about ERROR: Unsupported file type! should appear.

SBO009.001 Attempt to boot file signed for intermediate certificate

Test description

This test verifies that a file signed with an intermediate certificate can be executed.

Test configuration data

FIRMWARE = Dasharo.
Additional USB storage - at least 1GB - for keeping files for booting.

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated INTERMEDIATE.img into USB storage using the following command:
```
sudo dd if=path/to/INTERMEDIATE.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Set the Secure Boot Mode field to Custom Mode.
Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File.
Select the certificate from the USB storage.
Select the Commit Changes and Exit option.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```

Expected result

File boots correctly (no information: Command Error Status: Access Denied on the output) and the output of the command shows file content. Example output:

Hello, world!

SBO010.001 Check support for rsa2k signed certificates

Test description

This test verifies that a file can be booted via Secure Boot using an RSA2048 signed certificate.

Test configuration data

FIRMWARE = Dasharo.
Additional USB storage - at least 1GB - for keeping files for booting.

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated RSA2048.img into USB storage using the following command:
```
sudo dd if=path/to/RSA2048.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Set the Secure Boot Mode field to Custom Mode.
Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File
Select the certificate from the USB storage.
Select the Commit Changes and Exit option.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```

Expected result

File boots correctly (no information: Command Error Status: Access Denied on the output) and the output of the command shows file content. Example output:

Hello, world!

SBO010.002 Check support for rsa3k signed certificates

Test description

This test verifies that a file can be booted via Secure Boot using an RSA3072 signed certificate.

Test configuration data

FIRMWARE = Dasharo.
Additional USB storage - at least 1GB - for keeping files for booting.

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated RSA3072.img into USB storage using the following command:
```
sudo dd if=path/to/RSA3072.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Set the Secure Boot Mode field to Custom Mode.
Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File
Select the certificate from the USB storage.
Select the Commit Changes and Exit option.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```

Expected result

File boots correctly (no information: Command Error Status: Access Denied on the output) and the output of the command shows file content. Example output:

Hello, world!

SBO010.003 Check support for rsa4k signed certificates

Test description

This test verifies that a file can be booted via Secure Boot using an RSA4096 signed certificate.

Test configuration data

FIRMWARE = Dasharo.
Additional USB storage - at least 1GB - for keeping files for booting.

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated RSA4096.img into USB storage using the following command:
```
sudo dd if=path/to/RSA4096.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Set the Secure Boot Mode field to Custom Mode.
Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File
Select the certificate from the USB storage.
Select the Commit Changes and Exit option.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```

Expected result

File boots correctly (no information: Command Error Status: Access Denied on the output) and the output of the command shows file content. Example output:

Hello, world!

SBO010.004 Check support for ecdsa256 signed certificates

Test description

This test verifies that a file can be booted via Secure Boot using an ESCDA256 signed certificate.

Test configuration data

FIRMWARE = Dasharo.
Additional USB storage - at least 1GB - for keeping files for booting.

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated ECDSA256.img into USB storage using the following command:
```
sudo dd if=path/to/ECDSA256.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Set the Secure Boot Mode field to Custom Mode.
Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File
Select the certificate from the USB storage.
Select the Commit Changes and Exit option.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```

Expected result

File boots correctly (no information: Command Error Status: Access Denied on the output) and the output of the command shows file content. Example output:

Hello, world!

SBO010.005 Check support for ecdsa384 signed certificates

Test description

This test verifies that a file can be booted via Secure Boot using an ESCDA384 signed certificate.

Test configuration data

FIRMWARE = Dasharo.
Additional USB storage - at least 1GB - for keeping files for booting.

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated ECDSA384.img into USB storage using the following command:
```
sudo dd if=path/to/ECDSA384.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Set the Secure Boot Mode field to Custom Mode.
Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File
Select the certificate from the USB storage.
Select the Commit Changes and Exit option.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```

Expected result

File boots correctly (no information: Command Error Status: Access Denied on the output) and the output of the command shows file content. Example output:

Hello, world!

SBO010.006 Check support for ecdsa521 signed certificates

Test description

This test verifies that a file can be booted via Secure Boot using an ESCDA521 signed certificate.

Test configuration data

FIRMWARE = Dasharo.
Additional USB storage - at least 1GB - for keeping files for booting.

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated ECDSA521.img into USB storage using the following command:
```
sudo dd if=path/to/ECDSA521.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Set the Secure Boot Mode field to Custom Mode.
Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File
Select the certificate from the USB storage.
Select the Commit Changes and Exit option.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```

Expected result

File boots correctly (no information: Command Error Status: Access Denied on the output) and the output of the command shows file content. Example output:

Hello, world!

SBO011.001 Attempt to enroll expired certificate and boot signed image

Test description

This test verifies that an expired certificate cannot be used to verify a booted image.

Test configuration data

FIRMWARE = Dasharo.
Additional USB storage - at least 1GB - for keeping files for booting.

Test setup

Proceed with the Generic test setup: firmware.

Test steps

Run sb-img-wrapper.sh script to generate keys and sign efi file.
Flash generated EXPIRED.img into USB storage using the following command:
```
sudo dd if=path/to/EXPIRED.img of=/dev/sdx
```
Plug the USB storage into DUT.
Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Set the Secure Boot Mode field to Custom Mode.
Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File
Select the certificate from the USB storage.
Select the Commit Changes and Exit option.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Select the UEFI Shell option using the arrow keys and press Enter.
In the shell open the USB storage by executing the following command:
```
FS0:
```
One of the filesystems in the FS list will be the USB storage - typically FS0:
Boot the previously prepared file by typing its full name:
```
signed-hello.efi
```

Expected result

File does not boot correctly: Command Error Status: Access Denied.

SBO012.001 Boot OS Signed And Enrolled From Inside System (Ubuntu)

Test description

This test verifies that OS boots after enrolling keys and signing system from inside.

Test configuration data

FIRMWARE = Dasharo.
OPERATING_SYSTEM = Ubuntu.

Test setup

Proceed with the Generic test setup: firmware.
Proceed with the Generic test setup: OS installer.
Proceed with the Generic test setup: OS installation.
Install the sbctl package through git by following installation guide.

Test steps

Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Secure Boot Mode field to Custom Mode.
Erase Secure Boot keys select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Erase all Secure Boot Keys
Press F10 to save changes.
Press ESC until the setup menu.
Select the Reset option.
The DUT will now attempt to boot OPERATING_SYSTEM.
Login to OPERATING_SYSTEM.
Remove Old Secure Boot keys:
```
rm -rf /usr/share/secureboot
```
Note: root right might be needed.
Generate new Secure Boot keys:
```
sbctl create-keys
```
Note: root rights might be needed.
Enroll generated Secure Boot keys:
```
sbctl enroll-keys --yes-this-might-brick-my-machine
```
Note: root rights might be needed.

Sign all components in OPERATING_SYSTEM:

sbctl verify | awk -F ' ' '{print $2}' | tail -n+2 | xargs -I "#" sbctl sign "#"

Note: root rights might be needed.

Reboot OPERATING_SYSTEM.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Press F10 to save changes.
Press ESC until the setup menu.
Select the Reset option.
The DUT will now attempt to boot OPERATING_SYSTEM.
Login to OPERATING_SYSTEM.
Check if Secure Boot is enabled:
```
dmesg | grep secureboot
```
Note: root rights might be needed.

Expected result

In dmesg output should be a line informing that Secure Boot is enabled.

SBO013.001 Check automatic certificate provisioning

Test description

This test verifies that the automatic certificate provisioning will install custom keys which will make Ubuntu unbootable. Before launching test, make sure that DTS with automatic certificate provisioning is attached and can be booted on DUT.

Test configuration data

FIRMWARE = Dasharo.
OPERATING_SYSTEM = Ubuntu.
Additional USB storagefor keeping Dasharo Tools Suite.
Dasharo Tools Suite with UEFI secure boot support.

Test setup

Proceed with the Generic test setup: firmware.
Proceed with the Generic test setup: OS installer.
Proceed with the Generic test setup: OS installation.
Proceed with the DTS: Build image with UEFI Secure Boot support.

Test steps

Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Secure Boot Mode field to Custom Mode.
Erase Secure Boot keys select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Erase all Secure Boot Keys.
Press F10 to save changes.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Boot Dasharo Tools Suite from USB Storage.
Wait until Dasharo Tools Suite enrolls keys and resets the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Press F10 to save changes.
Press ESC until the setup menu.
Select the Reset option.
Verify by booting signed Dasharo Tools Suite:
1. While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
2. Boot Dasharo Tools Suite from USB Storage.
Reboot the DUT.
Verify by booting unsigned Ubuntu:
1. While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
2. Boot OPERATING_SYSTEM.

Expected result

Dasharo Tools Suite system signed with custom keys should boot while Ubuntu should not boot as it is signed with Microsoft keys.

SBO013.002 Check automatic certificate provisioning KEK certificate

Test description

This test verifies that the automatic certificate provisioning installs the expected KEK certificate. Before launching test, make sure that DTS with automatic certificate provisioning is attached and can be booted on DUT.

Test configuration data

FIRMWARE = Dasharo.
OPERATING_SYSTEM = Dasharo Tools Suite.
Additional USB storagefor keeping Dasharo Tools Suite.
Dasharo Tools Suite with UEFI secure boot support.

Test setup

Proceed with the Generic test setup: firmware.
Proceed with the Generic test setup: OS installer.
Proceed with the Generic test setup: OS installation.
Proceed with the DTS: Build image with UEFI Secure Boot support.

Test steps

Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Secure Boot Mode field to Custom Mode.
Erase Secure Boot keys select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Erase all Secure Boot Keys.
Press F10 to save changes.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Boot Dasharo Tools Suite from USB Storage.
Wait until Dasharo Tools Suite enrolls keys and resets the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Press F10 to save changes.
Press ESC until the setup menu.
Select the Reset option.
While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
Boot Dasharo Tools Suite from USB Storage.
Enter shell in Dasharo Tools Suite by pressing 9.

Compare the current KEK certificate with the certificate that should be enrolled:

Download the sample certificate:

wget https://cloud.3mdeb.com/index.php/s/FGdaGq2QqnGWQew/download/KEK.crt -O /tmp/first_certificate.crt

Convert the sample certificate:

openssl x509 -in /tmp/first_certificate.crt -noout -text > /tmp/first_certificate.crt

Export already enrolled certificate:

mokutil --kek > /tmp/second_certificate.crt

Compare the certificates:

diff /tpm/first_certificate.crt /tmp/second_certificate.crt

Expected result

The data provided by both certificates should be equal, the form of the compared data might differ.

SBO014.001 Enroll certificates using sbctl

Test description

This test erases Secure Boot keys from the BIOS menu and verifies if new keys can be enrolled from the operating system using sbctl.

Test configuration data

FIRMWARE = Dasharo.
OPERATING_SYSTEM = Ubuntu.

Test setup

Proceed with the Generic test setup: firmware.
Proceed with the Generic test setup: OS installer.
Proceed with the Generic test setup: OS installation.
Install the sbctl package through git by following installation guide.

Test steps

Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Secure Boot Mode field to Custom Mode.
Erase Secure Boot keys select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Erase all Secure Boot Keys
Press F10 to save changes.
Press ESC until the setup menu.
Select the Reset option.
The DUT will now attempt to boot OPERATING_SYSTEM.
Login to OPERATING_SYSTEM.
Remove old Secure Boot keys:
```
rm -rf /usr/share/secureboot
```
Note: root rights might be needed.
Generate new Secure Boot keys:
```
sbctl create-keys
```
Note: root rights might be needed.
Enroll generated Secure Boot keys:
```
sbctl enroll-keys --yes-this-might-brick-my-machine
```
Note: root rights might be needed.
Restart the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Current Secure Boot State field to Enabled.
Press F10 to save changes.
Press ESC until the setup menu.
Select the Reset option.

Expected result

You should not be able to boot the system after enrolling the keys and enabling Secure Boot.

SBO015.001 Attempt to enroll the key in the incorrect format (OS)

Test description

This test verifies that it is impossible to load a certificate in the wrong file format from the operating system while using sbctl.

Test configuration data

FIRMWARE = Dasharo.
OPERATING_SYSTEM = Ubuntu.

Test setup

Proceed with the Generic test setup: firmware.
Proceed with the Generic test setup: OS installer.
Proceed with the Generic test setup: OS installation.
Install the sbctl package through git by following installation guide.

Test steps

Power on the DUT.
While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI setup menu.
Enter the Device Manager menu using the arrow keys and Enter.
Enter the Secure Boot Configuration submenu.
Set the Secure Boot Mode field to Custom Mode.
Erase Secure Boot keys select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Erase all Secure Boot Keys
Press F10 to save changes.
Press ESC until the setup menu.
Select the Reset option.
The DUT will now attempt to boot OPERATING_SYSTEM.
Login to OPERATING_SYSTEM.
Remove Old Secure Boot keys:
```
rm -rf /usr/share/secureboot
```
Note: root rights might be needed.
Generate new Secure Boot keys:
```
sbctl create-keys
```
Note: root rights might be needed.

Generate wrong format keys and move them to the appropriate locations:

openssl ecparam -genkey -name secp384r1 -out db.key && openssl req -new -x509 -key db.key -out db.pem -days 365 -subj "/CN=3mdeb_test"
openssl ecparam -genkey -name secp384r1 -out PK.key && openssl req -new -x509 -key PK.key -out PK.pem -days 365 -subj "/CN=3mdeb_test"
openssl ecparam -genkey -name secp384r1 -out KEK.key && openssl req -new -x509 -key KEK.key -out KEK.pem -days 365 -subj "/CN=3mdeb_test"
mv db.key /usr/share/secureboot/keys/db/
mv PK.key /usr/share/secureboot/keys/PK/
mv KEK.key /usr/share/secureboot/keys/KEK/

Note: root rights might be needed.

Attempt to enroll generated Secure Boot keys:
```
sbctl enroll-keys --yes-this-might-brick-my-machine
```
Note: root rights might be needed.

Expected result

Utility sbctl should fail while enrolling keys.