From ad45c9c7a04935ea569526401b84ff8f159effc7 Mon Sep 17 00:00:00 2001 From: Pierre Equoy Date: Fri, 23 Aug 2019 17:19:35 +0800 Subject: Add manual test to check decryption error when TPM data modified There is no easy way to automate a test to check that device data partition cannot be decrypted if TPM2 data is modified. The easiest way is to manually flash the BIOS after installing the OEM image. By doing so, the TPM data, including data used for data partition decryption, is modified, making it impossible to decrypt the partition and boot the device. --- units/disk/encryption.pxu | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) (limited to 'units/disk') diff --git a/units/disk/encryption.pxu b/units/disk/encryption.pxu index b7d41c8f..dea0637c 100644 --- a/units/disk/encryption.pxu +++ b/units/disk/encryption.pxu @@ -18,4 +18,31 @@ command: {%- else %} fde_tests.py desktop {% endif -%} -estimated_duration: 2.0 \ No newline at end of file +estimated_duration: 2.0 + +id: disk/encryption/check-fde-tpm +_summary: Disk decryption after TPM change +_description: + Check that the data partition cannot be decrypted (and therefore the device + cannot boot) if PCR7 value is modified. +category_id: com.canonical.plainbox::disk +estimated_duration: 45m +plugin: manual +_purpose: + The device partition is encrypted using TPM master key. To unseal the master + key from TPM, PCR7 (Platform Configuration Register 7) needs to be identical + to the value it had when the master key was sealed into TPM. Every time the + device boots, it checks PCR7 to unseal TPM and retrieves master key from TPM + to decrypt its data partition. If TPM PCR7 is modified (e.g. by flashing the + BIOS), the device won't be able to get the master key and decrypt its data + partition. +_steps: + 1. Install the image and make sure it boots and you can log in. + 2. Turn the device off and upgrade/downgrade the BIOS + 3. Make sure the BIOS is set up properly (e.g. TPM enabled, UEFI boot mode) + 4. Start the device +_verification: + Mark this test as "Passed" if the device cannot boot anymore. + Note: You must flash the BIOS back to the latest version and re-install the + image afterwards. + -- cgit v1.2.3