etc/anti-evil-maid.conf: remove PCR19, change description

Neither TBoot nor TrenchBoot extend PCR19, which resulted in failure in sanity check. Signed-off-by: Krystian Hebel <[email protected]>
TrenchBoot · Sep 30, 2023 · 957af76 · 957af76
1 parent fbabd9d
commit 957af76
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/README b/README
@@ -299,7 +299,7 @@ store your most intimate confessions. ;)
 4) Reboot the system, choose one of the entries called "AEM Qubes". This will
 attempt to perform a "measured launch" using tboot and the SINIT module you
 downloaded, which records the Xen, kernel, and initrd versions used in PCRs
-17-19 of the TPM for use in sealing and unsealing your secret. If the measured
+17-18 of the TPM for use in sealing and unsealing your secret. If the measured
 launch fails for any reason, tboot will fall back to a normal boot and AEM
 will not function.
 
@@ -312,7 +312,7 @@ As the system continues booting, AEM will automatically seal your
 secret(s). You should see a line, or multiple lines, like this one:
 
 Sealed /var/lib/anti-evil-maid/aem/secret.txt using
- --pcr 13 --pcr 17 --pcr 18 --pcr 19
+ --pcr 13 --pcr 17 --pcr 18
 
 Debug output can be read using:
 

diff --git a/etc/anti-evil-maid.conf b/etc/anti-evil-maid.conf
@@ -7,10 +7,10 @@
 #    12: (SRTM) Xen/kernel params passed by TrustedGRUB1
 #    13:        LUKS header(s)
 #    14: (SRTM) Xen/kernel/initrd loaded by TrustedGRUB1
-# 17-19: (DRTM) TBoot
+# 17-18: (DRTM) TrenchBoot
 #
 # SRTM =  Static Root of Trust Measurement
 # DRTM = Dynamic Root of Trust Measurement (Intel TXT)
 
 # shellcheck disable=SC2034
-SEAL="--pcr 13 --pcr 17 --pcr 18 --pcr 19"
+SEAL="--pcr 13 --pcr 17 --pcr 18"