
v0.3.0: detect-tee.sh writes unquoted TEE_DETAIL with spaces; sourcing tee.env errors with 'SEV: command not found' #33

@Moonwolf711

Description

Summary

/usr/libexec/secure-ai/detect-tee.sh writes a TEE_DETAIL=... line into /var/lib/secure-ai/tee.env without quoting the value. The string contains spaces (e.g. AMD SEV capable but not active), so when the env file is sourced, the shell parses everything after the first space as a command → SEV: command not found.

Reproduction

sudo /usr/libexec/secure-ai/detect-tee.sh
cat /var/lib/secure-ai/tee.env
. /var/lib/secure-ai/tee.env
# → SEV: command not found

Root cause

The script uses an unquoted heredoc-style write:

cat > /var/lib/secure-ai/tee.env <<EOF
TEE_TYPE=${TEE_TYPE}
MEM_ENCRYPT=${MEM_ENCRYPT}
TEE_DETAIL=${TEE_DETAIL}
EOF

When TEE_DETAIL="AMD SEV capable but not active", the resulting line is:

TEE_DETAIL=AMD SEV capable but not active

This is valid env-file syntax for TEE_DETAIL=AMD, after which the shell encounters SEV as a command.

Suggested fix

Either:

(a) Quote on write:

printf 'TEE_DETAIL=%q\n' "$TEE_DETAIL" >> /var/lib/secure-ai/tee.env

(%q shell-quotes safely.)

(b) Or write deliberate quotes:

cat > /var/lib/secure-ai/tee.env <<EOF
TEE_TYPE="${TEE_TYPE}"
MEM_ENCRYPT="${MEM_ENCRYPT}"
TEE_DETAIL="${TEE_DETAIL}"
EOF

The same pattern is wrong in detect-vm.sh (filed separately) and likely elsewhere — a grep for cat > /var/lib/secure-ai/.*\.env should surface them.

My local workaround

Replaced with a stub:

TEE_TYPE=none
MEM_ENCRYPT=false
TEE_DETAIL="No hardware memory encryption"

🤖 Generated with claude-flow
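Added example, not code from the issue or the secure-ai project: the buggy heredoc writer from the report beside a writer that single-quotes every value, plus a source-in-a-subshell check you can run right after writing the file. Paths and TEE strings are constructed here; unlike the `printf %q` fix above, which needs bash, the quoting helper runs under plain /bin/sh.

```shell
#!/bin/sh
# Added example (not the secure-ai project's code): reproduces the unquoted
# TEE_DETAIL write beside a portable quoting helper. Paths are a temp dir,
# not /var/lib/secure-ai; the TEE values are constructed sample strings.

# Wrap a value in single quotes, turning each embedded ' into '\'' so the
# result is exactly one shell word with no expansion when sourced.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The buggy writer from the issue: unquoted expansions, so a value with
# spaces becomes an assignment prefix followed by a command name.
write_env_unquoted() {  # $1=file $2=TEE_TYPE $3=MEM_ENCRYPT $4=TEE_DETAIL
    cat > "$1" <<EOF
TEE_TYPE=$2
MEM_ENCRYPT=$3
TEE_DETAIL=$4
EOF
}

# Hardened writer: every value passes through shquote before it is written.
write_env_quoted() {    # same arguments as write_env_unquoted
    {
        printf 'TEE_TYPE=%s\n'    "$(shquote "$2")"
        printf 'MEM_ENCRYPT=%s\n' "$(shquote "$3")"
        printf 'TEE_DETAIL=%s\n'  "$(shquote "$4")"
    } > "$1"
}

# Post-write check: does the file source cleanly in a throwaway subshell?
env_file_parses() {
    ( . "$1" ) >/dev/null 2>&1
}

# Source the file in a subshell and return the TEE_DETAIL it yields.
read_detail() {
    ( . "$1" 2>/dev/null; printf '%s' "${TEE_DETAIL-}" )
}

# Demo: the issue's reproduction, written both ways.
tmp=$(mktemp -d)
write_env_unquoted "$tmp/bad.env"  amd-sev false "AMD SEV capable but not active"
write_env_quoted   "$tmp/good.env" amd-sev false "AMD SEV capable but not active"
for f in bad good; do
    if env_file_parses "$tmp/$f.env"; then
        printf '%s.env: ok, TEE_DETAIL=[%s]\n' "$f" "$(read_detail "$tmp/$f.env")"
    else
        printf '%s.env: fails to source\n' "$f"
    fi
done
rm -rf "$tmp"
```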
