Remove the first cmdline argument in the GRUB2 and ELF kernel case, to avoid
passing an unmeasured argument to an ELF kernel like Xen. Below is the detailed
flaw report from James Blake.

One essential function TBOOT performs as part of a measured and verified
launch includes measuring the arguments passed to GRUB modules. However,
current versions of TBOOT used on systems loading an ELF kernel have a
vulnerability that allows the first argument to any GRUB module to go
unmeasured, which may result in undetected system compromise.

This vulnerability stems from TBOOT's official workaround for accommodating
GRUB2 multiboot behavior. Specifically, from the TBOOT README:

    GRUB2 does not pass the file name in the command line field of the multiboot
    entry (module_t::string). Since the tboot code is expecting the file name as
    the first part of the string, it tries to remove it to determine the command
    line arguments, which will cause a verification error. The "official"
    workaround for kernels/etc. that depend on the file name is to duplicate the
    file name in the grub.config file like below:

To illustrate the severity of the bug, consider that on affected distributions,
it would be possible to edit a GRUB command line from:

    module /vmlinuz /vmlinuz normal-arguments

to:

    module /vmlinuz single normal-arguments

Where 'single' replaces the typical placeholder argument. This modification goes
undetected by TBOOT and consequently the assertion that the system has been
measured and verified is undermined. Namely, the final measurement shown in the
TPM PCR-18 does not change to reflect the modification.

Reported-by: James Blake <firstname.lastname@example.org>
Signed-off-by: Gang Wei <email@example.com>
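
A small model of the mismatch this commit message describes, added here as an illustration; it is not tboot code. The function names, the all-zero starting PCR value and measuring only the command line (not the module image) are simplifying assumptions.

```python
import hashlib

def strip_first_token(cmdline: str) -> str:
    """Drop the first whitespace-delimited token (assumed to be the file name)."""
    parts = cmdline.strip().split(None, 1)
    return parts[1] if len(parts) == 2 else ""

def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 1.2 style extend: new = SHA1(old || SHA1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def launch(cmdline: str, fixed: bool):
    """Model one module line; return (PCR value, string handed to the ELF kernel).

    fixed=False: the first token is skipped for measurement, but the full
                 string is still passed to the kernel (behaviour in the report).
    fixed=True:  the kernel receives exactly the string that was measured.
    """
    measured = strip_first_token(cmdline)
    passed = measured if fixed else cmdline
    pcr = pcr_extend(bytes(20), measured.encode())  # assumed all-zero start value
    return pcr, passed

# GRUB2 omits the file name, so the multiboot string starts at the second word
# of each "module" line quoted in the report above.
ORIGINAL = "/vmlinuz normal-arguments"
TAMPERED = "single normal-arguments"

def compare(fixed: bool) -> dict:
    """Compare the two module lines under one behaviour."""
    pcr_a, args_a = launch(ORIGINAL, fixed)
    pcr_b, args_b = launch(TAMPERED, fixed)
    return {
        "same_pcr": pcr_a == pcr_b,
        "same_kernel_args": args_a == args_b,
        "kernel_args": (args_a, args_b),
    }

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "before fix", compare(fixed))
```

Before the fix, both lines yield the same PCR value while the kernel receives different arguments; after it, the kernel receives only the measured string in both cases.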