Attacking the kernel via its command line
Posted Jun 20, 2017 22:11 UTC (Tue) by thestinger (guest, #91827)
In reply to: Attacking the kernel via its command line by thestinger
Parent article: Attacking the kernel via its command line
And by the way, for the Android (one of the Nexus devices) example where the bootloader had a bug allowing kernel command-line injection, changing the initial root and init is all that's needed to bypass it. Those kernels don't use modules and are perfectly capable of booting from USB, at which point the attacker has full control over the kernel, since it's init that's responsible for loading the SELinux policy. There are so many other things that can be messed with, like memory layout and the IOMMU, though, and there has never been any real attempt to make the kernel command line untrusted. There was a more serious effort to start the process of not trusting *module* parameters, which makes more sense but is just *barely* a meaningful defense-in-depth mechanism, not some critical part of enforcing a meaningful security boundary and not something that's sensible to tie to verified boot. It's a false connection being drawn between unrelated features, due to a desperate attempt to give a totally incomplete implementation of verified boot some meaning.
