From 957af76a0e1ce001ee9ed92c4190b1d2ad77066f Mon Sep 17 00:00:00 2001 From: Krystian Hebel Date: Sat, 30 Sep 2023 12:09:34 +0200 Subject: [PATCH] etc/anti-evil-maid.conf: remove PCR19, change description Neither TBoot nor TrenchBoot extend PCR19, which resulted in failure in sanity check. Signed-off-by: Krystian Hebel --- README | 4 ++-- etc/anti-evil-maid.conf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README b/README index d8dd4b2..fa36925 100644 --- a/README +++ b/README @@ -299,7 +299,7 @@ store your most intimate confessions. ;) 4) Reboot the system, choose one of the entries called "AEM Qubes". This will attempt to perform a "measured launch" using tboot and the SINIT module you downloaded, which records the Xen, kernel, and initrd versions used in PCRs -17-19 of the TPM for use in sealing and unsealing your secret. If the measured +17-18 of the TPM for use in sealing and unsealing your secret. If the measured launch fails for any reason, tboot will fall back to a normal boot and AEM will not function. @@ -312,7 +312,7 @@ As the system continues booting, AEM will automatically seal your secret(s). You should see a line, or multiple lines, like this one: Sealed /var/lib/anti-evil-maid/aem/secret.txt using - --pcr 13 --pcr 17 --pcr 18 --pcr 19 + --pcr 13 --pcr 17 --pcr 18 Debug output can be read using: diff --git a/etc/anti-evil-maid.conf b/etc/anti-evil-maid.conf index 99ca682..622f33e 100644 --- a/etc/anti-evil-maid.conf +++ b/etc/anti-evil-maid.conf @@ -7,10 +7,10 @@ # 12: (SRTM) Xen/kernel params passed by TrustedGRUB1 # 13: LUKS header(s) # 14: (SRTM) Xen/kernel/initrd loaded by TrustedGRUB1 -# 17-19: (DRTM) TBoot +# 17-18: (DRTM) TrenchBoot # # SRTM = Static Root of Trust Measurement # DRTM = Dynamic Root of Trust Measurement (Intel TXT) # shellcheck disable=SC2034 -SEAL="--pcr 13 --pcr 17 --pcr 18 --pcr 19" +SEAL="--pcr 13 --pcr 17 --pcr 18"