Merge pull request #4 from TrenchBoot/drop_tboot_builderv2
Drop tboot builderv2
miczyg1 authored Oct 13, 2023
2 parents 0523b6e + c073ac9 commit 0eba092
Showing 4 changed files with 18 additions and 20 deletions.
4 changes: 2 additions & 2 deletions README
Expand Up @@ -299,7 +299,7 @@ store your most intimate confessions. ;)
4) Reboot the system, choose one of the entries called "AEM Qubes". This will
attempt to perform a "measured launch" using tboot and the SINIT module you
downloaded, which records the Xen, kernel, and initrd versions used in PCRs
17-19 of the TPM for use in sealing and unsealing your secret. If the measured
17-18 of the TPM for use in sealing and unsealing your secret. If the measured
launch fails for any reason, tboot will fall back to a normal boot and AEM
will not function.

Expand All @@ -312,7 +312,7 @@ As the system continues booting, AEM will automatically seal your
secret(s). You should see a line, or multiple lines, like this one:

Sealed /var/lib/anti-evil-maid/aem/secret.txt using
--pcr 13 --pcr 17 --pcr 18 --pcr 19
--pcr 13 --pcr 17 --pcr 18

Debug output can be read using:

13 changes: 3 additions & 10 deletions anti-evil-maid.spec.in
Expand Up @@ -2,14 +2,14 @@ Name: anti-evil-maid
Version: @VERSION@
Release: 1%{?dist}
Summary: Anti Evil Maid for initramfs-based systems.
Requires: dracut grub2-tools parted tboot tpm-tools
Requires: dracut grub2-tools parted tpm-tools
Requires: tpm-extra >= 4.0.0
Requires: trousers-changer >= 4.0.0
Requires: systemd >= 227
Requires: coreutils >= 8.25-2
Requires: scrypt qrencode oathtool
Requires: tpm2-tools openssl
Requires(post): dracut grub2-tools tboot systemd
Requires(post): dracut grub2-tools systemd
Obsoletes: anti-evil-maid-dracut
Vendor: Invisible Things Lab
License: GPL
Expand Down Expand Up @@ -53,7 +53,7 @@ cp -r systemd $RPM_BUILD_ROOT/usr/lib
/usr/lib/systemd/system/tcsd.service.d/anti-evil-maid-seal.conf
/usr/lib/systemd/system/basic.target.wants/anti-evil-maid-seal.service
/etc/anti-evil-maid.conf
/etc/grub.d/19_linux_xen_tboot
/etc/grub.d/19_linux_xen_trenchboot
%dir /mnt/anti-evil-maid
%dir /var/lib/anti-evil-maid

Expand All @@ -64,25 +64,18 @@ cp -r systemd $RPM_BUILD_ROOT/usr/lib
/usr/lib/systemd/system/initrd.target.wants/anti-evil-maid-unseal.service
/usr/lib/systemd/system/initrd.target.requires/anti-evil-maid-check-mount-devs.service

%define tboot_grub /etc/grub.d/20_linux_tboot /etc/grub.d/20_linux_xen_tboot

%define refresh \
dracut --regenerate-all --force \
grub2-mkconfig -o /boot/grub2/grub.cfg \
systemctl daemon-reload

%post
chmod -x %tboot_grub
%refresh

%postun
if [ "$1" = 0 ]; then
%refresh
chmod -f +x %tboot_grub || true
fi

%triggerin -- tboot
chmod -x %tboot_grub

%changelog
@CHANGELOG@
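Review bot: The %post/%postun/%triggerin hunk drops the `chmod -x %tboot_grub` handling, but the package relation to tboot is only loosened (the `Requires: tboot` lines go away) and no `Conflicts:` or `Obsoletes:` replaces it, so a host upgrading from a release that already ran `chmod -x` keeps tboot's grub.d helpers non-executable (the old %postun restored `+x` only on erase, `$1 = 0`) while a still-installed tboot is otherwise ignored. Decide that explicitly: add `Conflicts: tboot` if the two DRTM paths must not coexist, or put a one-line comment above `%post` stating that leftover tboot grub entries are intentionally left disabled. Separately, the renamed `19_linux_xen_trenchboot` helper in this commit emits the GRUB commands `slaunch` and `slaunch_module`, which is an implicit dependency on a GRUB build that provides them; `Requires: dracut grub2-tools parted tpm-tools` does not pin such a build, so consider a versioned requirement on the grub2 package carrying slaunch support, or at least a comment naming the expected build.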
4 changes: 2 additions & 2 deletions etc/anti-evil-maid.conf
Expand Up @@ -7,10 +7,10 @@
# 12: (SRTM) Xen/kernel params passed by TrustedGRUB1
# 13: LUKS header(s)
# 14: (SRTM) Xen/kernel/initrd loaded by TrustedGRUB1
# 17-19: (DRTM) TBoot
# 17-18: (DRTM) TrenchBoot
#
# SRTM = Static Root of Trust Measurement
# DRTM = Dynamic Root of Trust Measurement (Intel TXT)

# shellcheck disable=SC2034
SEAL="--pcr 13 --pcr 17 --pcr 18 --pcr 19"
SEAL="--pcr 13 --pcr 17 --pcr 18"
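Review bot: Dropping `--pcr 19` from `SEAL` unbinds the secret from whatever tboot recorded in that PCR, and the updated comment `# 17-18: (DRTM) TrenchBoot` does not say which launched components now land in 17 and 18, so the sealing policy cannot be audited from this file alone. The README changed in the same commit asserts that the Xen, kernel and initrd versions are recorded in 17-18; if that holds for TrenchBoot's slaunch, record the per-PCR mapping here next to the other PCR lines, e.g. `# 17-18: (DRTM) TrenchBoot (17: <component>, 18: <component>)` with the placeholders filled from the TrenchBoot PCR documentation, otherwise PCR 19 may still be needed in `SEAL`. The unchanged `(Intel TXT)` qualifier on the DRTM line is presumably still accurate; confirm it describes the only launch path this package expects.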
Expand Up @@ -3,6 +3,7 @@ set -e

# grub-mkconfig helper script.
# Copyright (C) 2006,2007,2008,2009,2010 Free Software Foundation, Inc.
# Copyright (C) 2023 3mdeb Sp. z o.o.
#
# GRUB is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
Expand Down Expand Up @@ -117,28 +118,28 @@ linux_entry ()
prepare_boot_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | grub_add_tab)"
fi
printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/"
tmessage="$(gettext_printf "Loading tboot ...")"
tmessage="$(gettext_printf "Enabling slaunch ...")"
xmessage="$(gettext_printf "Loading Xen %s ..." ${xen_version})"
lmessage="$(gettext_printf "Loading Linux %s ..." ${version})"
sed "s/^/$submenu_indentation/" << EOF
echo '$(echo "$tmessage" | grub_quote)'
multiboot /tboot.gz placeholder logging=memory,serial ${GRUB_CMDLINE_TBOOT}
slaunch
echo '$(echo "$xmessage" | grub_quote)'
if [ "\$grub_platform" = "pc" -o "\$grub_platform" = "" ]; then
xen_rm_opts=
else
xen_rm_opts="no-real-mode edd=off"
fi
module ${rel_xen_dirname}/${xen_basename} placeholder ${xen_args} \${xen_rm_opts}
multiboot2 ${rel_xen_dirname}/${xen_basename} placeholder ${xen_args} \${xen_rm_opts}
echo '$(echo "$lmessage" | grub_quote)'
module ${rel_dirname}/${basename} placeholder root=${linux_root_device_thisversion} ro ${args} aem.uuid=${GRUB_DEVICE_BOOT_UUID} rd.luks.key=/tmp/aem-keyfile rd.luks.crypttab=no
module2 ${rel_dirname}/${basename} placeholder root=${linux_root_device_thisversion} ro ${args} aem.uuid=${GRUB_DEVICE_BOOT_UUID} rd.luks.key=/tmp/aem-keyfile rd.luks.crypttab=no
EOF
if test -n "${initrd}" ; then
# TRANSLATORS: ramdisk isn't identifier. Should be translated.
message="$(gettext_printf "Loading initial ramdisk ...")"
sed "s/^/$submenu_indentation/" << EOF
echo '$(echo "$message" | grub_quote)'
module ${rel_dirname}/${initrd}
module2 ${rel_dirname}/${initrd}
EOF
fi
if test -n "${sinit_module_list}" ; then
Expand All @@ -147,7 +148,7 @@ EOF
message="$(gettext_printf "Loading SINIT module %s ..." ${sinit_module})"
sed "s/^/$submenu_indentation/" << EOF
echo '$message'
module /${sinit_module}
slaunch_module /${sinit_module}
EOF
done
fi
Expand Down Expand Up @@ -188,11 +189,15 @@ xen_list=`for i in /boot/xen*; do
if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" ; then echo -n "$i " ; fi
done`

# Ignore case of SINIT files
_shopt="$( shopt -p | grep nocaseglob)"
shopt -s nocaseglob
sinit_module_list=`for i in /boot/*SINIT*.BIN; do
if grub_file_is_not_garbage "$i"; then
echo "$i"
fi
done`
eval "$_shopt"

prepare_boot_cache=
boot_device_id=
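Review bot: The added nocaseglob save/restore around `sinit_module_list` is more machinery than it needs: the list is already built inside a backtick command substitution, which runs in a subshell, so `shopt -s nocaseglob` can simply be the first statement inside those backticks (`sinit_module_list=\`shopt -s nocaseglob; for i in /boot/*SINIT*.BIN; do ...\``) and the `_shopt="$( shopt -p | grep nocaseglob)"` and `eval "$_shopt"` lines can go. As written the `eval` only re-executes a line that `shopt -p` itself produced, so it is not an injection risk, but `shopt -p nocaseglob` would at least avoid grepping the whole option listing. `shopt` is a bash builtin and the shebang of this helper is outside the hunk; if it is `#! /bin/sh` as in the upstream grub.d helpers, this block works only where /bin/sh is bash, so confirm the shebang. The file header for this section is not rendered on the page; the hunk content corresponds to the `19_linux_xen_trenchboot` path the spec file in this commit installs.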
