Dasharo Security: UEFI Secure Boot
SBO001.001 Check Secure Boot default state (firmware)
Test description
Secure Boot is a verification mechanism for ensuring that code launched by firmware is trusted. This test aims to verify that the Secure Boot state after flashing the platform with the Dasharo firmware is correct.
Test configuration data
FIRMWARE
= Dasharo
Test setup
- Proceed with the Generic test setup: firmware.
Test steps
- Power on the DUT.
- While the DUT is booting, hold the
BIOS_SETUP_KEY
to enter the UEFI Setup Menu. - Enter the
Device Manager
menu using the arrow keys and Enter. - Enter the
Secure Boot Configuration
submenu. - Verify the
Current Secure Boot State
field.
Expected result
The Secure Boot State
field should inform that the current state of
Secure Boot is Disabled
.
SBO002.001 UEFI Secure Boot (Ubuntu 22.04)
Test description
This test verifies that Secure Boot can be enabled from the boot menu and, after the DUT reset, it is seen from the OS.
Test configuration data
FIRMWARE
= DasharoOPERATING_SYSTEM
= Ubuntu 22.04
Test setup
- Proceed with the Generic test setup: firmware.
- Proceed with the Generic test setup: OS installer.
- Proceed with the Generic test setup: OS installation.
- Proceed with the
Secure Boot Configuration
to enable the
Attempt Secure Boot
option in theSecure Boot Configuration
menu.
Test steps
- Power on the DUT.
- While the DUT is booting, hold the
BIOS_SETUP_KEY
to enter the UEFI Setup Menu. - Enter the
Device Manager
menu using the arrow keys and Enter. - Enter the
Secure Boot Configuration
submenu. - Verify that the
Current Secure Boot State
field saysEnabled
- if not, select theAttempt Secure Boot
option below. - Go back to the main menu using the
ESC
key. - Select the
Reset
option to apply the settings and reboot. - The DUT will now attempt to boot
OPERATING_SYSTEM
with Secure Boot enabled. - Log into the system by using the proper login and password.
-
Open a terminal window and run the following command:
sudo dmesg | grep secureboot
-
Note the results.
Expected result
The output of the command should contain the line:
secureboot: Secure boot enabled
SBO002.002 UEFI Secure Boot (Windows 11)
Test description
This test verifies that Secure Boot can be enabled from the boot menu and, after the DUT reset, it is seen from the OS.
Test configuration data
FIRMWARE
= DasharoOPERATING_SYSTEM
= Windows 11
Test setup
- Proceed with the Generic test setup: firmware.
- Proceed with the Generic test setup: OS installer.
- Proceed with the Generic test setup: OS installation.
- Proceed with the
Secure Boot Configuration
to enable the
Attempt Secure Boot
option in theSecure Boot Configuration
menu.
Test steps
- Power on the DUT.
- While the DUT is booting, hold the
BIOS_SETUP_KEY
to enter the UEFI Setup Menu. - Enter the
Device Manager
menu using the arrow keys and Enter. - Enter the
Secure Boot Configuration
submenu. - Verify that the
Current Secure Boot State
field saysEnabled
- if not, select theAttempt Secure Boot
option below. - Go back to the main menu using the
ESC
key. - Select the
Reset
option to apply the settings and reboot. - The DUT will now attempt to boot
OPERATING_SYSTEM
with Secure Boot enabled. - Log into the system by using the proper login and password.
-
Open Powershell as administrator and run the following command:
Confirm-SecureBootUEFI
-
Note the results.
Expected result
The output of the command should return the information, that Secure Boot is enabled:
True
SBO003.001 Attempt to boot file with the correct key from Shell (firmware)
Test description
This test verifies that Secure Boot allows booting a signed file with a correct key.
Test configuration data
FIRMWARE
= Dasharo- Additional
USB storage
- at least 1GB - for keeping files for booting
Test setup
- Proceed with the Generic test setup: firmware.
Test steps
- Download the signed with the correct key file from the cloud.
- Download the certificate from the cloud.
- Place the certificate and the file on the
USB storage
. - Plug the
USB storage
into DUT. - Power on the DUT.
- While the DUT is booting, hold the
BIOS_SETUP_KEY
to enter the UEFI Setup Menu. - Enter the
Device Manager
menu using the arrow keys and Enter. - Enter the
Secure Boot Configuration
submenu. - Set the
Secure Boot Mode
field toCustom Mode
. - Select options in the given order:
Custom Secure Boot Options
->DB Options
->Enroll Signature
->Enroll Signature Using File
- Select the certificate from the
USB storage
. - Select the
Commit Changes and Exit
option. - Press
ESC
until the setup menu. - Select the
Reset
option. - While the DUT is booting, hold the
BOOT_MENU_KEY
to enter the boot menu. - Select the
UEFI Shell
option using the arrow keys and pressEnter
. -
In the shell open the
USB storage
by executing the following command:FS0:
One of the filesystems in the FS list will be the USB storage - typically
FS0:
-
Boot the previously prepared file by typing its full name:
hello-valid-keys.efi
Expected result
- File boots correctly (no information:
Command Error Status: Access Denied
on the output). - The output of the command shows file content.
Example output:
Hello, world!
SBO004.001 Attempt to boot file without the key from Shell (firmware)
Test description
This test verifies that Secure Boot blocks booting a file without a key.
Test configuration data
FIRMWARE
= Dasharo- Additional
USB storage
- at least 1GB - for keeping files for booting
Test setup
- Proceed with the Generic test setup: firmware.
Test steps
- Download the not signed file from the cloud.
- Place the file on the
USB storage
. - Plug the
USB storage
into DUT. - Power on the DUT.
- While the DUT is booting, hold the
BOOT_MENU_KEY
to enter the boot menu. - Select the
UEFI Shell
option using the arrow keys and pressEnter
. -
In the shell open the
USB storage
by executing the following command:FS0:
One of the filesystems in the FS list will be the USB storage - typically
FS0:
-
Boot the previously prepared file by typing its full name:
hello.efi
Expected result
The output of the command doesn't show file content and information about access denied is displayed.
Example output:
Command Error Status: Access Denied
SBO005.001 Attempt to boot file with the wrong-signed key from Shell (firmware)
Test description
This test verifies that Secure Boot blocks booting a file with the wrong-signed key.
Test configuration data
FIRMWARE
= Dasharo- Additional
USB storage
- at least 1GB - for keeping files for booting
Test setup
- Proceed with the Generic test setup: firmware.
Test steps
- Download the signed with the incorrect key file from the cloud.
- Place the file on the
USB storage
. - Plug the
USB storage
into DUT. - Power on the DUT.
- While the DUT is booting, hold the
BOOT_MENU_KEY
to enter the boot menu. - Select the
UEFI Shell
option using the arrow keys and pressEnter
. -
In the shell open the
USB storage
by executing the following command:FS0:
One of the filesystems in the FS list will be the USB storage - typically
FS0:
-
Boot the previously prepared file by typing its full name:
hello-bad-keys.efi
Expected result
The output of the command doesn't show file content and information about access denied is displayed.
Example output:
Command Error Status: Access Denied
SBO006.001 Reset Secure Boot Keys option availability (firmware)
Test description
This test aims to verify, that the Reset Secure Boot Keys
option is available
after flashing the platform with the Dasharo firmware.
Test configuration data
FIRMWARE
= Dasharo
Test setup
- Proceed with the Generic test setup: firmware.
Test steps
- Power on the DUT.
- While the DUT is booting, hold the
BIOS_SETUP_KEY
to enter the UEFI Setup Menu. - Enter the
Device Manager
menu using the arrow keys and Enter. - Enter the
Secure Boot Configuration
submenu. - Verify the
Reset Secure Boot Keys
field.
Expected result
The Reset Secure Boot Keys
option should be listed after entering the
Secure Boot Configuration
submenu.
SBO007.001 Attempt to boot the file after restoring keys to default (firmware)
Test description
This test verifies that the Reset Secure Boot Keys
option works correctly.
Test configuration data
FIRMWARE
= Dasharo- Additional
USB storage
- at least 1GB - for keeping files for booting
Test setup
- Proceed with the Generic test setup: firmware.
Test steps
- Download the signed with the correct key file from the cloud.
- Download the certificate from the cloud.
- Place the certificate and the file on the
USB storage
. - Plug the
USB storage
into DUT. - Power on the DUT.
- While the DUT is booting, hold the
BIOS_SETUP_KEY
to enter the UEFI Setup Menu. - Enter the
Device Manager
menu using the arrow keys and Enter. - Enter the
Secure Boot Configuration
submenu. - Set the
Secure Boot Mode
field toCustom Mode
. - Select options in the given order:
Custom Secure Boot Options
->DB Options
->Enroll Signature
->Enroll Signature Using File
- Select the certificate from the
USB storage
. - Select the
Commit Changes and Exit
option. - Press
ESC
until the setup menu. - Select the
Reset
option. - While the DUT is booting, hold the
BOOT_MENU_KEY
to enter the boot menu. - Select the
UEFI Shell
option using the arrow keys and pressEnter
. -
In the shell open the
USB storage
by executing the following command:FS0:
One of the filesystems in the FS list will be the USB storage - typically
FS0:
-
Boot the previously prepared file by typing its full name:
hello-valid-keys.efi
-
Exit the shell by executing the following command:
exit
-
Press
ESC
until the setup menu. - Enter the
Device Manager
menu using the arrow keys and Enter. - Enter the
Secure Boot Configuration
submenu. - Select the
Reset Secure Boot Keys
option using the arrow keys and Enter. - If necessary - press
Y
to confirm saving the changes. - Press
ESC
until the setup menu. - Select the
Reset
option to apply the settings and reboot. - While the DUT is booting, hold the
BIOS_SETUP_KEY
to enter the UEFI Setup Menu. - Enter the
Device Manager
menu using the arrow keys and Enter. - Enter the
Secure Boot Configuration
submenu. - Verify that the
Current Secure Boot State
field saysEnabled
. - Press
ESC
until the setup menu. - Select the
One Time Boot
menu using the arrow keys and Enter. - Select the
UEFI Shell
option using the arrow keys and pressEnter
. -
In the shell open the
USB storage
by executing the following command:FS0:
One of the filesystems in the FS list will be the USB storage - typically
FS0:
-
Boot the previously prepared file by typing its full name:
hello-valid-keys.efi
Expected result
-
The first attempt to run the
hello-valid-keys.efi
script:- File boots correctly (no information:
Command Error Status: Access Denied
on the output). -
The output of the command shows file content.
Example output:
Hello, world!
- File boots correctly (no information:
-
The second attempt to run the
hello-valid-keys.efi
script:-
The output of the command doesn't show file content and information about access denied is displayed.
Example output:
Command Error Status: Access Denied
-
-
After selecting the
Reset Secure Boot Keys
option, the Secure boot state should be automatically enabled.
SBO008.001 Attempt to enroll the key in the incorrect format (firmware)
Test description
This test verifies that Secure Boot doesn't allow enrolling keys in the incorrect format.
Test configuration data
FIRMWARE
= Dasharo
Test setup
- Proceed with the Generic test setup: firmware.
- Additional
USB storage
- at least 1GB - for keeping files for booting
Test steps
- Place the file with the
.txt
extension on theUSB storage
. - Plug the
USB storage
into DUT. - Power on the DUT.
- While the DUT is booting, hold the
BIOS_SETUP_KEY
to enter the UEFI Setup Menu. - Enter the
Device Manager
menu using the arrow keys and Enter. - Enter the
Secure Boot Configuration
submenu. - Set the
Secure Boot Mode
field toCustom Mode
. - Select options in the given order:
Custom Secure Boot Options
->DB Options
->Enroll Signature
->Enroll Signature Using File
- Select the file with the
.txt
extension from theUSB storage
. - Select the
Commit Changes and Exit
option.
Expected result
The popup with information about ERROR: Unsupported file type!
should appear.