Skip to content

Dasharo Security: UEFI Secure Boot

SBO001.001 Check Secure Boot default state (firmware)

Test description

Secure Boot is a verification mechanism for ensuring that code launched by firmware is trusted. This test aims to verify that the Secure Boot state after flashing the platform with the Dasharo firmware is correct.

Test configuration data

  1. FIRMWARE = Dasharo

Test setup

  1. Proceed with the Generic test setup: firmware.

Test steps

  1. Power on the DUT.
  2. While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
  3. Enter the Device Manager menu using the arrow keys and Enter.
  4. Enter the Secure Boot Configuration submenu.
  5. Verify the Current Secure Boot State field.

Expected result

The Secure Boot State field should inform that the current state of Secure Boot is Disabled.

SBO002.001 UEFI Secure Boot (Ubuntu 22.04)

Test description

This test verifies that Secure Boot can be enabled from the boot menu and, after the DUT reset, it is seen from the OS.

Test configuration data

  1. FIRMWARE = Dasharo
  2. OPERATING_SYSTEM = Ubuntu 22.04

Test setup

  1. Proceed with the Generic test setup: firmware.
  2. Proceed with the Generic test setup: OS installer.
  3. Proceed with the Generic test setup: OS installation.

Test steps

  1. Power on the DUT.
  2. While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
  3. Enter the Device Manager menu using the arrow keys and Enter.
  4. Enter the Secure Boot Configuration submenu.
  5. Verify that the Current Secure Boot State field says Enabled - if not, select the Attempt Secure Boot option below.
  6. Go back to the main menu using the ESC key.
  7. Select the Reset option to apply the settings and reboot.
  8. The DUT will now attempt to boot OPERATING_SYSTEM with Secure Boot enabled.
  9. Log into the system by using the proper login and password.
  10. Open a terminal window and run the following command:

    sudo dmesg | grep secureboot
    
  11. Note the results.

Expected result

The output of the command should contain the line:

secureboot: Secure boot enabled

SBO002.002 UEFI Secure Boot (Windows 11)

Test description

This test verifies that Secure Boot can be enabled from the boot menu and, after the DUT reset, it is seen from the OS.

Test configuration data

  1. FIRMWARE = Dasharo
  2. OPERATING_SYSTEM = Windows 11

Test setup

  1. Proceed with the Generic test setup: firmware.
  2. Proceed with the Generic test setup: OS installer.
  3. Proceed with the Generic test setup: OS installation.

Test steps

  1. Power on the DUT.
  2. While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
  3. Enter the Device Manager menu using the arrow keys and Enter.
  4. Enter the Secure Boot Configuration submenu.
  5. Verify that the Current Secure Boot State field says Enabled - if not, select the Attempt Secure Boot option below.
  6. Go back to the main menu using the ESC key.
  7. Select the Reset option to apply the settings and reboot.
  8. The DUT will now attempt to boot OPERATING_SYSTEM with Secure Boot enabled.
  9. Log into the system by using the proper login and password.
  10. Open Powershell as administrator and run the following command:

    Confirm-SecureBootUEFI
    
  11. Note the results.

Expected result

The output of the command should return the information, that Secure Boot is enabled:

True

SBO003.001 Attempt to boot file with the correct key from Shell (firmware)

Test description

This test verifies that Secure Boot allows booting a signed file with a correct key.

Test configuration data

  1. FIRMWARE = Dasharo
  2. Additional USB storage - at least 1GB - for keeping files for booting

Test setup

  1. Proceed with the Generic test setup: firmware.

Test steps

  1. Download the signed with the correct key file from the cloud.
  2. Download the certificate from the cloud.
  3. Place the certificate and the file on the USB storage.
  4. Plug the USB storage into DUT.
  5. Power on the DUT.
  6. While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
  7. Enter the Device Manager menu using the arrow keys and Enter.
  8. Enter the Secure Boot Configuration submenu.
  9. Set the Secure Boot Mode field to Custom Mode.
  10. Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File
  11. Select the certificate from the USB storage.
  12. Select the Commit Changes and Exit option.
  13. Press ESC until the setup menu.
  14. Select the Reset option.
  15. While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
  16. Select the UEFI Shell option using the arrow keys and press Enter.
  17. In the shell open the USB storage by executing the following command:

    FS0:
    

    One of the filesystems in the FS list will be the USB storage - typically FS0:

  18. Boot the previously prepared file by typing its full name:

    hello-valid-keys.efi
    

Expected result

  1. File boots correctly (no information: Command Error Status: Access Denied on the output).
  2. The output of the command shows file content.

Example output:

Hello, world!

SBO004.001 Attempt to boot file without the key from Shell (firmware)

Test description

This test verifies that Secure Boot blocks booting a file without a key.

Test configuration data

  1. FIRMWARE = Dasharo
  2. Additional USB storage - at least 1GB - for keeping files for booting

Test setup

  1. Proceed with the Generic test setup: firmware.

Test steps

  1. Download the not signed file from the cloud.
  2. Place the file on the USB storage.
  3. Plug the USB storage into DUT.
  4. Power on the DUT.
  5. While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
  6. Select the UEFI Shell option using the arrow keys and press Enter.
  7. In the shell open the USB storage by executing the following command:

    FS0:
    

    One of the filesystems in the FS list will be the USB storage - typically FS0:

  8. Boot the previously prepared file by typing its full name:

    hello.efi
    

Expected result

The output of the command doesn't show file content and information about access denied is displayed.

Example output:

Command Error Status: Access Denied

SBO005.001 Attempt to boot file with the wrong-signed key from Shell (firmware)

Test description

This test verifies that Secure Boot blocks booting a file with the wrong-signed key.

Test configuration data

  1. FIRMWARE = Dasharo
  2. Additional USB storage - at least 1GB - for keeping files for booting

Test setup

  1. Proceed with the Generic test setup: firmware.

Test steps

  1. Download the signed with the incorrect key file from the cloud.
  2. Place the file on the USB storage.
  3. Plug the USB storage into DUT.
  4. Power on the DUT.
  5. While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
  6. Select the UEFI Shell option using the arrow keys and press Enter.
  7. In the shell open the USB storage by executing the following command:

    FS0:
    

    One of the filesystems in the FS list will be the USB storage - typically FS0:

  8. Boot the previously prepared file by typing its full name:

    hello-bad-keys.efi
    

Expected result

The output of the command doesn't show file content and information about access denied is displayed.

Example output:

Command Error Status: Access Denied

SBO006.001 Reset Secure Boot Keys option availability (firmware)

Test description

This test aims to verify, that the Reset Secure Boot Keys option is available after flashing the platform with the Dasharo firmware.

Test configuration data

  1. FIRMWARE = Dasharo

Test setup

  1. Proceed with the Generic test setup: firmware.

Test steps

  1. Power on the DUT.
  2. While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
  3. Enter the Device Manager menu using the arrow keys and Enter.
  4. Enter the Secure Boot Configuration submenu.
  5. Verify the Reset Secure Boot Keys field.

Expected result

The Reset Secure Boot Keys option should be listed after entering the Secure Boot Configuration submenu.

SBO007.001 Attempt to boot the file after restoring keys to default (firmware)

Test description

This test verifies that the Reset Secure Boot Keys option works correctly.

Test configuration data

  1. FIRMWARE = Dasharo
  2. Additional USB storage - at least 1GB - for keeping files for booting

Test setup

  1. Proceed with the Generic test setup: firmware.

Test steps

  1. Download the signed with the correct key file from the cloud.
  2. Download the certificate from the cloud.
  3. Place the certificate and the file on the USB storage.
  4. Plug the USB storage into DUT.
  5. Power on the DUT.
  6. While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
  7. Enter the Device Manager menu using the arrow keys and Enter.
  8. Enter the Secure Boot Configuration submenu.
  9. Set the Secure Boot Mode field to Custom Mode.
  10. Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File
  11. Select the certificate from the USB storage.
  12. Select the Commit Changes and Exit option.
  13. Press ESC until the setup menu.
  14. Select the Reset option.
  15. While the DUT is booting, hold the BOOT_MENU_KEY to enter the boot menu.
  16. Select the UEFI Shell option using the arrow keys and press Enter.
  17. In the shell open the USB storage by executing the following command:

    FS0:
    

    One of the filesystems in the FS list will be the USB storage - typically FS0:

  18. Boot the previously prepared file by typing its full name:

    hello-valid-keys.efi
    
  19. Exit the shell by executing the following command:

    exit
    
  20. Press ESC until the setup menu.

  21. Enter the Device Manager menu using the arrow keys and Enter.
  22. Enter the Secure Boot Configuration submenu.
  23. Select the Reset Secure Boot Keys option using the arrow keys and Enter.
  24. If necessary - press Y to confirm saving the changes.
  25. Press ESC until the setup menu.
  26. Select the Reset option to apply the settings and reboot.
  27. While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
  28. Enter the Device Manager menu using the arrow keys and Enter.
  29. Enter the Secure Boot Configuration submenu.
  30. Verify that the Current Secure Boot State field says Enabled.
  31. Press ESC until the setup menu.
  32. Select the One Time Boot menu using the arrow keys and Enter.
  33. Select the UEFI Shell option using the arrow keys and press Enter.
  34. In the shell open the USB storage by executing the following command:

    FS0:
    

    One of the filesystems in the FS list will be the USB storage - typically FS0:

  35. Boot the previously prepared file by typing its full name:

    hello-valid-keys.efi
    

Expected result

  1. The first attempt to run the hello-valid-keys.efi script:

    1. File boots correctly (no information: Command Error Status: Access Denied on the output).
    2. The output of the command shows file content.

      Example output:

      Hello, world!
      
  2. The second attempt to run the hello-valid-keys.efi script:

    1. The output of the command doesn't show file content and information about access denied is displayed.

      Example output:

      Command Error Status: Access Denied
      
  3. After selecting the Reset Secure Boot Keys option, the Secure boot state should be automatically enabled.

SBO008.001 Attempt to enroll the key in the incorrect format (firmware)

Test description

This test verifies that Secure Boot doesn't allow enrolling keys in the incorrect format.

Test configuration data

  1. FIRMWARE = Dasharo

Test setup

  1. Proceed with the Generic test setup: firmware.
  2. Additional USB storage - at least 1GB - for keeping files for booting

Test steps

  1. Place the file with the .txt extension on the USB storage.
  2. Plug the USB storage into DUT.
  3. Power on the DUT.
  4. While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
  5. Enter the Device Manager menu using the arrow keys and Enter.
  6. Enter the Secure Boot Configuration submenu.
  7. Set the Secure Boot Mode field to Custom Mode.
  8. Select options in the given order: Custom Secure Boot Options -> DB Options -> Enroll Signature -> Enroll Signature Using File
  9. Select the file with the .txt extension from the USB storage.
  10. Select the Commit Changes and Exit option.

Expected result

The popup with information about ERROR: Unsupported file type! should appear.