
Dasharo Security: BIOS lock support

Test cases

BLS001.001 BIOS lock support (Ubuntu 22.04)

Test description

BIOS lock is a method to prevent flashing the firmware. This test verifies that the BIOS lock function works correctly: if it is turned on, internal flashing should fail.

Test configuration data

  1. FIRMWARE = coreboot
  2. OPERATING_SYSTEM = Ubuntu 20.22

Test setup

  1. Proceed with the Generic test setup: firmware.
  2. Proceed with the Generic test setup: OS installer.
  3. Proceed with the Generic test setup: OS installation.
  4. Proceed with the Generic test setup: OS boot from disk.
  5. Disable Secure Boot.
  6. Obtain any other binary (e.g. vendor firmware or older Dasharo firmware).

Test steps

  1. Power on the DUT.
  2. While the DUT is booting, hold the BIOS_SETUP_KEY to enter the UEFI Setup Menu.
  3. Enter the Dasharo System Features menu using the arrow keys and Enter.
  4. Enter the Dasharo Security Options submenu.
  5. Verify that the Lock the BIOS boot medium option is chosen - if not, press Enter and then F10 to save the changes.
  6. If necessary, press Y to confirm saving the changes.
  7. Go back to the main menu using the ESC key.
  8. Select the Reset option to apply the settings and reboot.
  9. Boot into the system.
  10. Log into the system by using the proper login and password.
  11. Open a terminal window and execute the following command:

    dmidecode -t bios
    
  12. Open a terminal window and run the following command:

    flashrom -p internal -w [path_to_obtained_firmware]
    
  13. Reboot the system.

  14. Open a terminal window and execute the following command:

    dmidecode -t bios
    

Expected result

  1. The output of the flashing command should contain the following information:

    SPI Configuration is locked down.
    PR0: Warning: 0x00c00000-0x00ffffff is read-only.
    At least some flash regions are write protected. For write operations,
    you should use a flash layout and include only writable regions. See
    manpage for more details.
    
  2. The output of the dmidecode command should show that the firmware version has not changed.
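
The two expected results can be checked mechanically from captured output. The script below is an added example, not part of the Dasharo test tooling; the function names and the file names in its comments are assumptions, and the sample log only repeats the lock messages quoted above.

```shell
#!/bin/sh
# Added example (not Dasharo tooling): evaluate BLS001.001 from captured output.
# Capture (as root), around the reboot in step 13:
#   dmidecode -t bios | bios_version > before.txt
#   flashrom -p internal -w [path_to_obtained_firmware] > flashrom.log 2>&1
#   (reboot) dmidecode -t bios | bios_version > after.txt
#   bls001_verdict "$(cat before.txt)" "$(cat after.txt)" flashrom.log

# Print the "Version:" field from `dmidecode -t bios` output given on stdin.
bios_version() {
    sed -n 's/^[[:space:]]*Version:[[:space:]]*//p' | head -n 1
}

# Succeed only if the flashrom output on stdin shows the lock took effect.
flashrom_reports_lock() {
    log=$(cat)
    # Both messages come from the expected result on the page.
    printf '%s\n' "$log" | grep -q 'SPI Configuration is locked down' || return 1
    printf '%s\n' "$log" |
        grep -Eq 'PR[0-9]+: Warning: 0x[0-9a-fA-F]+-0x[0-9a-fA-F]+ is read-only' || return 1
    # Assumption: flashrom prints "VERIFIED" only after a completed write,
    # which must not happen while the lock is on.
    if printf '%s\n' "$log" | grep -q 'VERIFIED'; then return 1; fi
    return 0
}

# $1 = version before, $2 = version after, $3 = file with flashrom output.
bls001_verdict() {
    if [ -z "$1" ] || [ "$1" != "$2" ]; then
        echo "FAIL: firmware version missing or changed"; return 1
    fi
    if ! flashrom_reports_lock < "$3"; then
        echo "FAIL: flashrom output does not show a locked flash"; return 1
    fi
    echo "PASS"
}

# Constructed sample for a dry run: the lock messages quoted on the page.
sample_locked_log() {
    cat <<'EOF'
SPI Configuration is locked down.
PR0: Warning: 0x00c00000-0x00ffffff is read-only.
EOF
}
```

An empty version string is treated as a failure so that a dmidecode run without sufficient privileges cannot produce a false pass.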