diff --git a/README b/README index d8dd4b2..fa36925 100644 --- a/README +++ b/README @@ -299,7 +299,7 @@ store your most intimate confessions. ;) 4) Reboot the system, choose one of the entries called "AEM Qubes". This will attempt to perform a "measured launch" using tboot and the SINIT module you downloaded, which records the Xen, kernel, and initrd versions used in PCRs -17-19 of the TPM for use in sealing and unsealing your secret. If the measured +17-18 of the TPM for use in sealing and unsealing your secret. If the measured launch fails for any reason, tboot will fall back to a normal boot and AEM will not function. @@ -312,7 +312,7 @@ As the system continues booting, AEM will automatically seal your secret(s). You should see a line, or multiple lines, like this one: Sealed /var/lib/anti-evil-maid/aem/secret.txt using - --pcr 13 --pcr 17 --pcr 18 --pcr 19 + --pcr 13 --pcr 17 --pcr 18 Debug output can be read using: diff --git a/anti-evil-maid.spec.in b/anti-evil-maid.spec.in index 96bf74f..88835bf 100644 --- a/anti-evil-maid.spec.in +++ b/anti-evil-maid.spec.in @@ -2,14 +2,14 @@ Name: anti-evil-maid Version: @VERSION@ Release: 1%{?dist} Summary: Anti Evil Maid for initramfs-based systems. -Requires: dracut grub2-tools parted tboot tpm-tools +Requires: dracut grub2-tools parted tpm-tools Requires: tpm-extra >= 4.0.0 Requires: trousers-changer >= 4.0.0 Requires: systemd >= 227 Requires: coreutils >= 8.25-2 Requires: scrypt qrencode oathtool Requires: tpm2-tools openssl -Requires(post): dracut grub2-tools tboot systemd +Requires(post): dracut grub2-tools systemd Obsoletes: anti-evil-maid-dracut Vendor: Invisible Things Lab License: GPL 
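Review bot: Dropping tboot from both `Requires:` lines leaves nothing standing in for it, while the menu entries generated by etc/grub.d/19_linux_xen_trenchboot now depend on the `slaunch`, `slaunch_module`, `multiboot2` and `module2` GRUB commands. If `slaunch`/`slaunch_module` are only provided by a TrenchBoot-patched grub2 (and a Xen build that understands the secure-launch protocol), a plain `grub2-tools` dependency does not guarantee them and `%post` will happily run grub2-mkconfig and emit entries that fail at boot. A versioned dependency on the providing packages, e.g. `Requires: grub2-tools >= <slaunch-capable-version placeholder>`, on both the `Requires:` and the `Requires(post):` line would make that explicit; I cannot tell from the diff which package supplies the commands, so the exact spelling needs checking.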
@@ -53,7 +53,7 @@ cp -r systemd $RPM_BUILD_ROOT/usr/lib
 /usr/lib/systemd/system/tcsd.service.d/anti-evil-maid-seal.conf
 /usr/lib/systemd/system/basic.target.wants/anti-evil-maid-seal.service
 /etc/anti-evil-maid.conf
-/etc/grub.d/19_linux_xen_tboot
+/etc/grub.d/19_linux_xen_trenchboot
 %dir /mnt/anti-evil-maid
 %dir /var/lib/anti-evil-maid
@@ -64,25 +64,18 @@ cp -r systemd $RPM_BUILD_ROOT/usr/lib
 /usr/lib/systemd/system/initrd.target.wants/anti-evil-maid-unseal.service
 /usr/lib/systemd/system/initrd.target.requires/anti-evil-maid-check-mount-devs.service
 
-%define tboot_grub /etc/grub.d/20_linux_tboot /etc/grub.d/20_linux_xen_tboot
-
 %define refresh \
 dracut --regenerate-all --force \
 grub2-mkconfig -o /boot/grub2/grub.cfg \
 systemctl daemon-reload
 
 %post
-chmod -x %tboot_grub
 %refresh
 
 %postun
 if [ "$1" = 0 ]; then
     %refresh
-    chmod -f +x %tboot_grub || true
 fi
 
-%triggerin -- tboot
-chmod -x %tboot_grub
-
 %changelog
 @CHANGELOG@
diff --git a/etc/anti-evil-maid.conf b/etc/anti-evil-maid.conf
index 99ca682..622f33e 100644
--- a/etc/anti-evil-maid.conf
+++ b/etc/anti-evil-maid.conf
@@ -7,10 +7,10 @@
 # 12: (SRTM) Xen/kernel params passed by TrustedGRUB1
 # 13: LUKS header(s)
 # 14: (SRTM) Xen/kernel/initrd loaded by TrustedGRUB1
-# 17-19: (DRTM) TBoot
+# 17-18: (DRTM) TrenchBoot
 #
 # SRTM = Static Root of Trust Measurement
 # DRTM = Dynamic Root of Trust Measurement (Intel TXT)
 # shellcheck disable=SC2034
-SEAL="--pcr 13 --pcr 17 --pcr 18 --pcr 19"
+SEAL="--pcr 13 --pcr 17 --pcr 18"
diff --git a/etc/grub.d/19_linux_xen_tboot b/etc/grub.d/19_linux_xen_trenchboot
similarity index 95%
rename from etc/grub.d/19_linux_xen_tboot
rename to etc/grub.d/19_linux_xen_trenchboot
index 281f604..3cc1642 100755
--- a/etc/grub.d/19_linux_xen_tboot
+++ b/etc/grub.d/19_linux_xen_trenchboot
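Review bot: The new `SEAL` policy in etc/anti-evil-maid.conf removes PCR 19 without saying what that means for secrets already sealed under `--pcr 13 --pcr 17 --pcr 18 --pcr 19`: they will no longer unseal once the measured launch changes, so every user has to reseal, and the PCR map comment above it should say so. With tboot, PCR 19 was where the additional modules (Xen, dom0 kernel, initrd) were recorded, and the README hunk now claims all of them land in PCRs 17-18 under TrenchBoot; if any of those objects is in fact only extended into a PCR outside 17-18, the shorter policy stops binding it and an evil-maid swap of that object would go unnoticed by the unseal. I would verify the PCR layout against the TrenchBoot/Xen measurement log before merging and, once confirmed, make the comment concrete, e.g. `# 17-18: (DRTM) TrenchBoot (SINIT/MLE plus the Xen, kernel and initrd modules it measures)`.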
@@ -3,6 +3,7 @@ set -e
 
 # grub-mkconfig helper script.
 # Copyright (C) 2006,2007,2008,2009,2010 Free Software Foundation, Inc.
+# Copyright (C) 2023 3mdeb Sp. z o.o.
 #
 # GRUB is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -117,28 +118,28 @@ linux_entry ()
       prepare_boot_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | grub_add_tab)"
   fi
   printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/"
-  tmessage="$(gettext_printf "Loading tboot ...")"
+  tmessage="$(gettext_printf "Enabling slaunch ...")"
   xmessage="$(gettext_printf "Loading Xen %s ..." ${xen_version})"
   lmessage="$(gettext_printf "Loading Linux %s ..." ${version})"
   sed "s/^/$submenu_indentation/" << EOF
 	echo '$(echo "$tmessage" | grub_quote)'
-	multiboot /tboot.gz placeholder logging=memory,serial ${GRUB_CMDLINE_TBOOT}
+	slaunch
 	echo '$(echo "$xmessage" | grub_quote)'
 	if [ "\$grub_platform" = "pc" -o "\$grub_platform" = "" ]; then
 	    xen_rm_opts=
 	else
 	    xen_rm_opts="no-real-mode edd=off"
 	fi
-	module ${rel_xen_dirname}/${xen_basename} placeholder ${xen_args} \${xen_rm_opts}
+	multiboot2 ${rel_xen_dirname}/${xen_basename} placeholder ${xen_args} \${xen_rm_opts}
 	echo '$(echo "$lmessage" | grub_quote)'
-	module ${rel_dirname}/${basename} placeholder root=${linux_root_device_thisversion} ro ${args} aem.uuid=${GRUB_DEVICE_BOOT_UUID} rd.luks.key=/tmp/aem-keyfile rd.luks.crypttab=no
+	module2 ${rel_dirname}/${basename} placeholder root=${linux_root_device_thisversion} ro ${args} aem.uuid=${GRUB_DEVICE_BOOT_UUID} rd.luks.key=/tmp/aem-keyfile rd.luks.crypttab=no
 EOF
   if test -n "${initrd}" ; then
     # TRANSLATORS: ramdisk isn't identifier. Should be translated.
     message="$(gettext_printf "Loading initial ramdisk ...")"
     sed "s/^/$submenu_indentation/" << EOF
 	echo '$(echo "$message" | grub_quote)'
-	module ${rel_dirname}/${initrd}
+	module2 ${rel_dirname}/${initrd}
 EOF
   fi
   if test -n "${sinit_module_list}" ; then
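Review bot: The rewritten heredoc in linux_entry gives no hint why its commands are ordered as they are, and as I understand the TrenchBoot GRUB commands the order is what makes the launch measured: `slaunch` must precede the `multiboot2` load of Xen, and the SINIT ACM is supplied separately through `slaunch_module` in the later hunk. A comment above `sed "s/^/$submenu_indentation/" << EOF` such as `# slaunch must come before multiboot2 so Xen is loaded as the secure-launch kernel; the SINIT ACM is added afterwards with slaunch_module` would keep a future edit from reordering it. The replaced tboot line also consumed `${GRUB_CMDLINE_TBOOT}`; if the top of the script (outside this hunk) still reads or exports that variable it is now dead and should go, otherwise a value in /etc/default/grub is silently ignored. As far as I know GRUB continues a menu entry after a failed command, so a `slaunch` that fails (no TXT, no usable ACM) yields an unmeasured Xen boot whose only symptom is a later unseal failure, the same fail-open behaviour the README attributes to the tboot fallback, which is worth stating in the same comment. linux_entry begins and ends outside this hunk.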
@@ -147,7 +148,7 @@ EOF
       message="$(gettext_printf "Loading SINIT module %s ..." ${sinit_module})"
       sed "s/^/$submenu_indentation/" << EOF
 	echo '$message'
-	module /${sinit_module}
+	slaunch_module /${sinit_module}
 EOF
     done
   fi
@@ -188,11 +189,15 @@ xen_list=`for i in /boot/xen*; do
     if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" ; then echo -n "$i " ; fi
   done`
 
+# Ignore case of SINIT files
+_shopt="$( shopt -p | grep nocaseglob)"
+shopt -s nocaseglob
 sinit_module_list=`for i in /boot/*SINIT*.BIN; do
     if grub_file_is_not_garbage "$i"; then
       echo "$i"
     fi
   done`
+eval "$_shopt"
 
 prepare_boot_cache=
 boot_device_id=
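Review bot: The `_shopt`/`eval` save-and-restore around `sinit_module_list` is unnecessary: the loop already runs inside a backtick command substitution, i.e. a subshell, so placing `shopt -s nocaseglob;` at the start of the substitution, directly before `for i in /boot/*SINIT*.BIN; do`, enables case-insensitive matching without leaking into the rest of grub-mkconfig, and the `_shopt=` line, the separate `shopt -s nocaseglob` and `eval "$_shopt"` can all be dropped. As written, `_shopt="$( shopt -p | grep nocaseglob)"` also relies on `grep` matching under the script's `set -e` (a non-match would abort config generation), and if this helper keeps the `#! /bin/sh` shebang of the upstream grub scripts (not visible here) `shopt` only works because /bin/sh happens to be bash on this distribution. Since this list feeds the `slaunch_module` lines in the hunk at -147, a short comment on the glob stating which names are accepted (`*SINIT*.BIN`, any case) would help whoever drops an ACM into /boot.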