GHSA-xrv8-2pf5-f3q7: nitro-tpm-pcr-compute may allow kernel command line modification by an account operator
The fix adds default PCR12 validation to ensure that account operators cannot modify kernel command line parameters and thereby bypass root filesystem integrity validation.
Attestable AMIs are based on the systemd Unified Kernel Image (UKI) concept which uses systemd-boot to create a single measured UEFI binary from a Linux kernel, its initramfs, and kernel command line. The embedded kernel command line contains a dm-verity hash value that establishes trust in the root file system.
When UEFI Secure Boot is disabled, systemd-boot appends any command line it receives to the kernel command line. Account operators with the ability to modify UefiData can install a boot variable with a command line that deactivates root file system integrity validation, while preserving the original PCR4 value.
systemd-boot measures any such command line modification separately into PCR12, so validating PCR12 in addition to PCR4 detects a modified command line that leaves PCR4 unchanged.
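The following added example illustrates why a PCR4-only check misses the modification described above and why adding PCR12 catches it. It is not code from NitroTPM-Tools or the attestation samples; it replays a constructed SHA-256 measurement log (the event contents, `UKI_MEASUREMENT` and `APPENDED_CMDLINE`, are hypothetical placeholders) and compares the resulting PCR values against reference values taken from a trusted boot. It assumes that the trusted boot of the unmodified image leaves PCR12 unextended (all zero bytes); in practice the reference values must come from the attestation tooling for the image in use.

```python
import hashlib

# SHA-256 PCR bank: a PCR that has never been extended holds 32 zero bytes.
PCR_INITIAL = bytes(32)
PCR_COUNT = 24


def pcr_extend(current: bytes, event_digest: bytes) -> bytes:
    """TPM 2.0 extend operation: new = SHA256(current || digest_of_event)."""
    return hashlib.sha256(current + event_digest).digest()


def replay_event_log(events):
    """Replay a (constructed) measurement log of (pcr_index, event_bytes) pairs
    and return the full SHA-256 bank as a dict keyed by PCR index."""
    pcrs = {index: PCR_INITIAL for index in range(PCR_COUNT)}
    for index, event in events:
        pcrs[index] = pcr_extend(pcrs[index], hashlib.sha256(event).digest())
    return pcrs


def check_pcrs(quoted, expected, required):
    """Return the PCR indexes in `required` whose quoted value differs from the
    expected value. A required PCR missing from the quote is a mismatch; an
    expected PCR that was never extended is compared against PCR_INITIAL."""
    mismatches = []
    for index in required:
        want = expected.get(index, PCR_INITIAL)
        got = quoted.get(index)
        if got is None or got != want:
            mismatches.append(index)
    return mismatches


# Constructed (hypothetical) event contents: the UKI binary measured into PCR4,
# and an operator-supplied command line that systemd-boot measures into PCR12.
UKI_MEASUREMENT = b"constructed: measurement of the attestable AMI UKI binary"
APPENDED_CMDLINE = b"constructed: operator-supplied command line override"

TRUSTED_BOOT = [(4, UKI_MEASUREMENT)]
# Same UKI, so PCR4 is identical; only PCR12 receives an extra measurement.
TAMPERED_BOOT = [(4, UKI_MEASUREMENT), (12, APPENDED_CMDLINE)]

# Reference values are derived from a trusted boot of the unmodified image
# (assumption: that boot leaves PCR12 unextended).
EXPECTED_PCRS = replay_event_log(TRUSTED_BOOT)


def validate_pcr4_only(quoted):
    """The weak policy: accepts any boot with the expected UKI measurement."""
    return check_pcrs(quoted, EXPECTED_PCRS, required=(4,))


def validate_pcr4_and_pcr12(quoted):
    """The hardened policy: additionally requires the expected PCR12 value."""
    return check_pcrs(quoted, EXPECTED_PCRS, required=(4, 12))


if __name__ == "__main__":
    tampered = replay_event_log(TAMPERED_BOOT)
    print("PCR4 unchanged by the override:", tampered[4] == EXPECTED_PCRS[4])
    print("PCR4-only mismatches:", validate_pcr4_only(tampered))
    print("PCR4+PCR12 mismatches:", validate_pcr4_and_pcr12(tampered))
```

The PCR4-only policy returns no mismatches for the tampered boot because the UKI binary itself was not changed; the PCR4+PCR12 policy reports PCR12, which is exactly the check the advisory's fix makes the default.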
References
- docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestable-ami.html
- docs.aws.amazon.com/AWSEC2/latest/UserGuide/uefi-secure-boot.html
- github.com/advisories/GHSA-xrv8-2pf5-f3q7
- github.com/aws/NitroTPM-Tools
- github.com/aws/NitroTPM-Tools/blob/main/CHANGELOG.md
- github.com/aws/NitroTPM-Tools/releases/tag/v1.1.0
- github.com/aws/nitrotpm-attestation-samples
- github.com/aws/nitrotpm-attestation-samples/security/advisories/GHSA-xrv8-2pf5-f3q7
- www.freedesktop.org/software/systemd/man/latest/systemd-stub.html