Dasharo Security: Boot Guard support
BGS001.001 Boot Guard support (Ubuntu 22.04)
Intel Boot Guard is a hardware-based technology intended to protect the device against executing non-genuine firmware, which could happen when a possible attacker has bypassed protection against modification of BIOS. This test aims to verify that the implemented Boot Guard mechanism works correctly.
Test configuration data
OPERATING_SYSTEM= Ubuntu 22.04
- Proceed with the Generic test setup: firmware.
- Proceed with the Generic test setup: OS installer.
- Proceed with the Generic test setup: OS installation.
- Proceed with the Generic test setup: OS boot from disk.
cbmemfrom the cloud to the DUT.
- Power on the DUT.
- Boot into the system.
- Log into the system by using the proper login and password.
Open a terminal window and execute the following command:
sudo ./cbmem -1 | grep CBnT
Analyze the output from the command.
The output of the command should indicate the state of the Boot Guard.
CBnT: SACM INFO MSR (0x13A) raw: 0x000000130000007d CBnT: NEM status: 1 CBnT: TPM type: TPM 2.0 CBnT: TPM success: 1 CBnT: FACB: 1 CBnT: measured boot: 1 CBnT: verified boot: 1 CBnT: revoked: 0 CBnT: BtG capable: 1 CBnT: Server TXT capable: 0 CBnT: BOOTSTATUS (0xA0) raw: 0x1840000080000000 CBnT: TXT startup success: 0 CBnT: BtG startup success: 1 CBnT: Block boot enabled: 0 CBnT: PFR startup success: 0 CBnT: Memory power down executed: 0 CBnT: BtG thread sync failed: 0 CBnT: Bios trusted: 1 CBnT: TXT disabled by policy: 1 CBnT: Bootguard startup error: 0 CBnT: TXT ucode or ACM error: 0 CBnT: S-ACM success: 0 CBnT: ERRORCODE (0x30) raw: 0x00000000 CBnT: TXT disabled in Policy CBnT: BIOSACM_ERRORCODE (0x328) raw: 0xc000acf0 CBnT: BIOSACM_ERRORCODE: TXT ucode or ACM error CBnT: AC Module Type: BIOS ACM Error CBnT: class: 0xf CBnT: major: 0xb CBnT: External: 0x1
During the analyzing process, the main thing is to pay attention to the following:
- The field
NEM statusshould have the value 1.
- If the Boot Guard profile is 4 or 5, the field
FACBshould have the value 1.
- If the Boot Guard profile is 3 or 5, the fields
verified bootshould have the value 1.
- If TPM is physically mounted on the platform, the
TPM typefield should contain information about the type of the mounted TPM; also, in that situation, field
TPM successshould have the value 1.