CVE-2023-43630
Severity CVSS v4.0: Pending analysis
Type: CWE-522 Insufficiently Protected Credentials
Publication date: 20/09/2023
Last modified: 28/09/2023
Description
PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the problem of the config partition not being measured correctly.

Also, the “vault” key is sealed/unsealed with SHA1 PCRs instead of SHA256. This issue was somewhat mitigated due to all of the PCR extend functions updating both the values of SHA256 and SHA1 for a given PCR ID.

However, due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, this is no longer the case for PCR14, as the code in “measurefs.go” explicitly updates only the SHA256 instance of PCR14, which means that even if PCR14 were to be added to the list of PCRs sealing/unsealing the “vault” key, changes to the config partition would still not be measured.

An attacker could modify the config partition without triggering the measured boot; this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault”.

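The measurement gap described above can be reproduced in a small model of two PCR banks. This is an added example, not code from EVE or from the advisory: `Bank`, `Boot` and `SealDigest` are hypothetical names, `SealDigest` is a simplified stand-in for a TPM PCR policy digest, and the PCR selection `{0, 14}` and all measured strings are constructed, since the page does not give the real PCR list.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// Bank models one TPM PCR bank; a PCR that was never extended reads as zeroes.
type Bank struct {
	sum  func([]byte) []byte
	pcrs map[int][]byte
}
func sha1Sum(d []byte) []byte { s := sha1.Sum(d); return s[:] }
func sha256Sum(d []byte) []byte { s := sha256.Sum256(d); return s[:] }
func (b *Bank) get(i int) []byte {
	if v, ok := b.pcrs[i]; ok {
		return v
	}
	return make([]byte, len(b.sum(nil)))
}

// Extend applies the TPM rule PCR = H(PCR || H(data)).
func (b *Bank) Extend(i int, data []byte) {
	b.pcrs[i] = b.sum(append(append([]byte{}, b.get(i)...), b.sum(data)...))
}

// SealDigest stands in for the PCR policy digest the "vault" key is bound to.
func SealDigest(b *Bank, sel []int) (d [32]byte) {
	for _, i := range sel {
		d = sha256.Sum256(append(d[:], b.get(i)...))
	}
	return d
}

// Boot extends PCR0 in both banks but PCR14 in the SHA256 bank only (per the advisory).
func Boot(config string) (s1, s256 *Bank) {
	s1, s256 = &Bank{sha1Sum, map[int][]byte{}}, &Bank{sha256Sum, map[int][]byte{}}
	s1.Extend(0, []byte("constructed firmware event"))
	s256.Extend(0, []byte("constructed firmware event"))
	s256.Extend(14, []byte(config))
	return s1, s256
}

func main() {
	a1, a256 := Boot("constructed config A")
	b1, b256 := Boot("constructed config B")
	sel := []int{0, 14} // hypothetical selection; the real PCR list is not on the page
	fmt.Println("change seen: sha1 =", SealDigest(a1, sel) != SealDigest(b1, sel), "sha256 =", SealDigest(a256, sel) != SealDigest(b256, sel))
}
```

In this model the SHA1 digest is identical for both configs even with PCR14 selected, so a remediation has to both add PCR14 to the selection and seal against the bank that is actually extended.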
Impact
Base Score 3.x: 8.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:* | 9.0.0 (including) | 9.5.0 (excluding) |



