Summary
Adding default PCR12 validation to ensure that account operators can not modify modify kernel command line parameters, potentially bypassing root filesystem integrity validation.
Attestable AMIs are based on the systemd Unified Kernel Image (UKI) concept which uses systemd-boot to create a single measured UEFI binary from a Linux kernel, its initramfs, and kernel command line. The embedded kernel command line contains a dm-verity hash value that establishes trust in the root file system.
When UEFI Secure Boot is disabled, systemd-boot appends any command line it receives to the kernel command line. Account operators with the ability to modify UefiData can install a boot variable with a command line that deactivates root file system integrity validation, while preserving the original PCR4 value.
Systemd-boot provides separate measurement of command line modifications in PCR12.
Impact
In line with the TPM 2.0 specification and systemd-stub logic, KMS policies that do not include validation for PCR12 (command line measurement) or PCR7 (enabled Secure Boot) may allow kernel command line modification by an account operator.
Patches
Version 1.1.0 of nitro-tpm-pcr-compute has been updated to include PCR12 with a static zero value. The updated tool now outputs PCR12 in the JSON measurements:
{
"Measurements": {
"HashAlgorithm": "SHA384",
"PCR4": "<hex string>",
"PCR7": "<hex string>",
"PCR12": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
}
}Workarounds
For users who cannot upgrade to version 1.1.0 of nitro-tpm-pcr-compute immediately, the following workarounds are available:
- Manually add PCR12 to KMS policies: Add PCR12 with a static zero value to your AWS KMS key policies:
kms:RecipientAttestation:NitroTPMPCR12:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Enable and validate UEFI Secure Boot: Configure your Attestable AMI to use UEFI Secure Boot and validate its enablement via PCR7 in your KMS policy. When UEFI Secure Boot is active, the command line cannot be overwritten.
References
agraf Reporter
mariusknaust Remediation developer
Summary
Adding default PCR12 validation to ensure that account operators can not modify modify kernel command line parameters, potentially bypassing root filesystem integrity validation.
Attestable AMIs are based on the systemd Unified Kernel Image (UKI) concept which uses systemd-boot to create a single measured UEFI binary from a Linux kernel, its initramfs, and kernel command line. The embedded kernel command line contains a dm-verity hash value that establishes trust in the root file system.
When UEFI Secure Boot is disabled, systemd-boot appends any command line it receives to the kernel command line. Account operators with the ability to modify UefiData can install a boot variable with a command line that deactivates root file system integrity validation, while preserving the original PCR4 value.
Systemd-boot provides separate measurement of command line modifications in PCR12.
Impact
In line with the TPM 2.0 specification and systemd-stub logic, KMS policies that do not include validation for PCR12 (command line measurement) or PCR7 (enabled Secure Boot) may allow kernel command line modification by an account operator.
Patches
Version 1.1.0 of nitro-tpm-pcr-compute has been updated to include PCR12 with a static zero value. The updated tool now outputs PCR12 in the JSON measurements:
{ "Measurements": { "HashAlgorithm": "SHA384", "PCR4": "<hex string>", "PCR7": "<hex string>", "PCR12": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" } }Workarounds
For users who cannot upgrade to version 1.1.0 of nitro-tpm-pcr-compute immediately, the following workarounds are available:
References