GRUB2 TPM-Based Auto-Decryption Vulnerability on LUKS-Encrypted Disks

Vulnerability

A vulnerability exists in systems that use LUKS-encrypted disks with GRUB2 configured for TPM-based auto-decryption. When GRUB2 automatically decrypts a disk using a TPM-stored key, the decryption key is loaded into system memory. An attacker with physical access can corrupt the filesystem superblock so that GRUB2 finds no valid filesystem and drops into rescue mode. In this state the disk is already decrypted and the key remains in memory, potentially allowing access to unencrypted data without authentication and compromising data confidentiality. This exploitation also raises data integrity concerns.

Impact

Exploitation of this vulnerability could lead to unauthorized access to unencrypted data and the ability to manipulate filesystem metadata, causing data integrity issues.

Reproduction

To reproduce this vulnerability, configure GRUB2 to use TPM-based auto-decryption for LUKS-encrypted disks. Once this is set, an attacker with physical access can corrupt the filesystem superblock of an encrypted disk. GRUB2 will then fail to find a valid filesystem and switch to rescue mode. At this point the disk is decrypted and the decryption key is loaded in memory, allowing access to the unencrypted data through the GRUB command-line interface.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 5.0
exploitability: 2.2
remediation: 0.0
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.