I'm a senior security researcher at National Security Research Institute of
South Korea.
The current implementation of tboot does not measure function pointers of
TPM devices because the tpm_if structure has mutable values such as a locality,
an algorithm type, and indexes.
Therefore, the attacker can change them to hijack control flow of tboot and
can manipulate the PCR values of TPM by extending known hashes.
This is severe security vulnerability because we do not trust PCRs anymore.
To fix the vulnerability, I divide the tpm_if structure into two parts,
a mutable part, and an immutable part. The mutable part, tpm_if structure, has
only the data for TPM. The immutable part, tpm_if_fp structure, has only the
function pointers, so it can be measured.
I also change the type of g_tpm variable from structure to integer for fixing
the security vulnerability.
Signed-off-by: Seunghun Han <kkamagui@...>
Reviewed-by: Ning Sun <ning.sun@...>