From 9023e9369f59f88e7a46be6844f846257966d57e Mon Sep 17 00:00:00 2001 From: Krystian Hebel Date: Sat, 30 Sep 2023 10:39:26 +0200 Subject: [PATCH 1/4] etc/grub.d: modify to use TrenchBoot instead of tboot Signed-off-by: Krystian Hebel --- anti-evil-maid.spec.in | 10 +++++----- .../{19_linux_xen_tboot => 19_linux_xen_trenchboot} | 13 +++++++------ 2 files changed, 12 insertions(+), 11 deletions(-) rename etc/grub.d/{19_linux_xen_tboot => 19_linux_xen_trenchboot} (95%) diff --git a/anti-evil-maid.spec.in b/anti-evil-maid.spec.in index 96bf74f..acafbf0 100644 --- a/anti-evil-maid.spec.in +++ b/anti-evil-maid.spec.in @@ -53,7 +53,7 @@ cp -r systemd $RPM_BUILD_ROOT/usr/lib /usr/lib/systemd/system/tcsd.service.d/anti-evil-maid-seal.conf /usr/lib/systemd/system/basic.target.wants/anti-evil-maid-seal.service /etc/anti-evil-maid.conf -/etc/grub.d/19_linux_xen_tboot +/etc/grub.d/19_linux_xen_trenchboot %dir /mnt/anti-evil-maid %dir /var/lib/anti-evil-maid @@ -64,7 +64,7 @@ cp -r systemd $RPM_BUILD_ROOT/usr/lib /usr/lib/systemd/system/initrd.target.wants/anti-evil-maid-unseal.service /usr/lib/systemd/system/initrd.target.requires/anti-evil-maid-check-mount-devs.service -%define tboot_grub /etc/grub.d/20_linux_tboot /etc/grub.d/20_linux_xen_tboot +%define trenchboot_grub /etc/grub.d/19_linux_xen_trenchboot %define refresh \ dracut --regenerate-all --force \ @@ -72,17 +72,17 @@ grub2-mkconfig -o /boot/grub2/grub.cfg \ systemctl daemon-reload %post -chmod -x %tboot_grub +chmod -x %trenchboot_grub %refresh %postun if [ "$1" = 0 ]; then %refresh - chmod -f +x %tboot_grub || true + chmod -f +x %trenchboot_grub || true fi %triggerin -- tboot -chmod -x %tboot_grub +chmod -x %trenchboot_grub %changelog @CHANGELOG@ diff --git a/etc/grub.d/19_linux_xen_tboot b/etc/grub.d/19_linux_xen_trenchboot similarity index 95% rename from etc/grub.d/19_linux_xen_tboot rename to etc/grub.d/19_linux_xen_trenchboot index 281f604..785a1ab 100755 --- a/etc/grub.d/19_linux_xen_tboot +++ b/etc/grub.d/19_linux_xen_trenchboot @@ -3,6 +3,7 @@ set -e # grub-mkconfig helper script. # Copyright (C) 2006,2007,2008,2009,2010 Free Software Foundation, Inc. +# Copyright (C) 2023 3mdeb Sp. z o.o. # # GRUB is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -117,28 +118,28 @@ linux_entry () prepare_boot_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | grub_add_tab)" fi printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/" - tmessage="$(gettext_printf "Loading tboot ...")" + tmessage="$(gettext_printf "Enabling slaunch ...")" xmessage="$(gettext_printf "Loading Xen %s ..." ${xen_version})" lmessage="$(gettext_printf "Loading Linux %s ..." ${version})" sed "s/^/$submenu_indentation/" << EOF echo '$(echo "$tmessage" | grub_quote)' - multiboot /tboot.gz placeholder logging=memory,serial ${GRUB_CMDLINE_TBOOT} + slaunch echo '$(echo "$xmessage" | grub_quote)' if [ "\$grub_platform" = "pc" -o "\$grub_platform" = "" ]; then xen_rm_opts= else xen_rm_opts="no-real-mode edd=off" fi - module ${rel_xen_dirname}/${xen_basename} placeholder ${xen_args} \${xen_rm_opts} + multiboot2 ${rel_xen_dirname}/${xen_basename} placeholder ${xen_args} \${xen_rm_opts} echo '$(echo "$lmessage" | grub_quote)' - module ${rel_dirname}/${basename} placeholder root=${linux_root_device_thisversion} ro ${args} aem.uuid=${GRUB_DEVICE_BOOT_UUID} rd.luks.key=/tmp/aem-keyfile rd.luks.crypttab=no + module2 ${rel_dirname}/${basename} placeholder root=${linux_root_device_thisversion} ro ${args} aem.uuid=${GRUB_DEVICE_BOOT_UUID} rd.luks.key=/tmp/aem-keyfile rd.luks.crypttab=no EOF if test -n "${initrd}" ; then # TRANSLATORS: ramdisk isn't identifier. Should be translated. message="$(gettext_printf "Loading initial ramdisk ...")" sed "s/^/$submenu_indentation/" << EOF echo '$(echo "$message" | grub_quote)' - module ${rel_dirname}/${initrd} + module2 ${rel_dirname}/${initrd} EOF fi if test -n "${sinit_module_list}" ; then @@ -147,7 +148,7 @@ EOF message="$(gettext_printf "Loading SINIT module %s ..." ${sinit_module})" sed "s/^/$submenu_indentation/" << EOF echo '$message' - module /${sinit_module} + slaunch_module /${sinit_module} EOF done fi From aa0f706252ebcc36a018a3348d8cb6091a12066a Mon Sep 17 00:00:00 2001 From: Krystian Hebel Date: Sat, 30 Sep 2023 12:04:30 +0200 Subject: [PATCH 2/4] anti-evil-maid.spec.in: remove tboot from requirements and triggers Signed-off-by: Krystian Hebel --- anti-evil-maid.spec.in | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/anti-evil-maid.spec.in b/anti-evil-maid.spec.in index acafbf0..76b7d63 100644 --- a/anti-evil-maid.spec.in +++ b/anti-evil-maid.spec.in @@ -2,14 +2,14 @@ Name: anti-evil-maid Version: @VERSION@ Release: 1%{?dist} Summary: Anti Evil Maid for initramfs-based systems. -Requires: dracut grub2-tools parted tboot tpm-tools +Requires: dracut grub2-tools parted tpm-tools Requires: tpm-extra >= 4.0.0 Requires: trousers-changer >= 4.0.0 Requires: systemd >= 227 Requires: coreutils >= 8.25-2 Requires: scrypt qrencode oathtool Requires: tpm2-tools openssl -Requires(post): dracut grub2-tools tboot systemd +Requires(post): dracut grub2-tools systemd Obsoletes: anti-evil-maid-dracut Vendor: Invisible Things Lab License: GPL @@ -81,8 +81,5 @@ if [ "$1" = 0 ]; then chmod -f +x %trenchboot_grub || true fi -%triggerin -- tboot -chmod -x %trenchboot_grub - %changelog @CHANGELOG@ From f52c59873b32f7e98c44985a82cec7d82519886d Mon Sep 17 00:00:00 2001 From: Krystian Hebel Date: Sat, 30 Sep 2023 12:09:34 +0200 Subject: [PATCH 3/4] etc/anti-evil-maid.conf: remove PCR19, change description Neither TBoot nor TrenchBoot extend PCR19, which resulted in failure in sanity check. Signed-off-by: Krystian Hebel --- README | 4 ++-- etc/anti-evil-maid.conf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README b/README index d8dd4b2..fa36925 100644 --- a/README +++ b/README @@ -299,7 +299,7 @@ store your most intimate confessions. ;) 4) Reboot the system, choose one of the entries called "AEM Qubes". This will attempt to perform a "measured launch" using tboot and the SINIT module you downloaded, which records the Xen, kernel, and initrd versions used in PCRs -17-19 of the TPM for use in sealing and unsealing your secret. If the measured +17-18 of the TPM for use in sealing and unsealing your secret. If the measured launch fails for any reason, tboot will fall back to a normal boot and AEM will not function. @@ -312,7 +312,7 @@ As the system continues booting, AEM will automatically seal your secret(s). You should see a line, or multiple lines, like this one: Sealed /var/lib/anti-evil-maid/aem/secret.txt using - --pcr 13 --pcr 17 --pcr 18 --pcr 19 + --pcr 13 --pcr 17 --pcr 18 Debug output can be read using: diff --git a/etc/anti-evil-maid.conf b/etc/anti-evil-maid.conf index 99ca682..622f33e 100644 --- a/etc/anti-evil-maid.conf +++ b/etc/anti-evil-maid.conf @@ -7,10 +7,10 @@ # 12: (SRTM) Xen/kernel params passed by TrustedGRUB1 # 13: LUKS header(s) # 14: (SRTM) Xen/kernel/initrd loaded by TrustedGRUB1 -# 17-19: (DRTM) TBoot +# 17-18: (DRTM) TrenchBoot # # SRTM = Static Root of Trust Measurement # DRTM = Dynamic Root of Trust Measurement (Intel TXT) # shellcheck disable=SC2034 -SEAL="--pcr 13 --pcr 17 --pcr 18 --pcr 19" +SEAL="--pcr 13 --pcr 17 --pcr 18" From 4ee1c757c6d1fb242eba81bbca256ea6c6a760b2 Mon Sep 17 00:00:00 2001 From: Krystian Hebel Date: Fri, 6 Oct 2023 10:01:37 +0200 Subject: [PATCH 4/4] test Signed-off-by: Krystian Hebel --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ca8670e..7600d26 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -8,10 +8,11 @@ on: jobs: qubes-dom0-package: - uses: TrenchBoot/.github/.github/workflows/qubes-dom0-package.yml@master + uses: TrenchBoot/.github/.github/workflows/qubes-dom0-package.yml@aem-build-no-patches with: base-commit: '62819a6fdf58d3d3c47aff5096dea9fb88ce1d53' patch-start: 0000 qubes-component: 'antievilmaid' spec-pattern: '/^Source0:/' spec-file: 'anti-evil-maid' + git-url: ${{ github.repository }}