Commit [0efdaf] default Maximize Restore History

Security Fix: TBOOT Argument Measurement Vulnerability for GRUB2 + ELF Kernels

Remove the first cmdline argument in GRUB2 and ELF kernel case, to avoid
passing unmeasured argument to ELF kernel like Xen. Below are the detailed
flaw report from James Blake.

One essential function TBOOT performs as part of a measured and verified
launch includes measuring the arguments passed to GRUB modules. However,
current versions of TBOOT used on systems loading an ELF kernel have a
vulnerability that allows the first argument to any GRUB module to go
unmeasured, which may result in undetected system compromise.

This vulnerability stems from TBOOT's official workaround for accommodating
GRUB2 multiboot behavior. Specifically, from the TBOOT README:

GRUB2 does not pass the file name in the command line field of the multiboot
entry (module_t::string). Since the tboot code is expecting the file name as
the first part of the string, it tries to remove it to determine the command
line arguments, which will cause a verification error. The "official"
workaround for kernels/etc. that depend on the file name is to duplicate the
file name in the grub.config file like below:

menuentry 'Xen w/ Intel(R) Trusted Execution Technology' {
insmod part_msdos
insmod ext2
set root='(/dev/sda,msdos5)'
search --no-floppy --fs-uuid --set=root 4efb64c6-7e11-482e-8bab-07034a52de39
multiboot /tboot.gz /tboot.gz logging=vga,memory,serial
module /xen.gz /xen.gz iommu=required dom0_mem=524288 com1=115200,8n1
module /vmlinuz-2.6.18-xen /vmlinuz-2.6.18-xen root=/dev/VolGroup...
module /initrd-2.6.18-xen.img /initrd-2.6.18-xen.img
module /Q35_SINIT_17.BIN

To illustrate the severity of the bug, consider that on affected distributions,
it would be possible to edit a GRUB command line from:

module /vmlinuz /vmlinuz normal-arguments


module /vmlinuz single normal-arguments

Where 'single' replaces the typical placeholder argument. This modification goes
undetected by TBOOT and consequently the assertion that the system has been
measured and verified is undermined. Namely, the final measurement shown in the
TPM PCR-18 does not change to reflect the modification.

Reported-by: James Blake <>
Signed-off-by: Gang Wei <>

Gang Wei Gang Wei 2014-07-24

changed tboot/common/loader.c
tboot/common/loader.c Diff Switch to side-by-side view