Drop tboot

.github/workflows/build.yml

@@ -8,10 +8,11 @@ on:
 
 jobs:
   qubes-dom0-package:
-    uses: TrenchBoot/.github/.github/workflows/qubes-dom0-package.yml@master
+    uses: TrenchBoot/.github/.github/workflows/qubes-dom0-package.yml@aem-build-no-patches
     with:
       base-commit: '62819a6fdf58d3d3c47aff5096dea9fb88ce1d53'
       patch-start: 0000
       qubes-component: 'antievilmaid'
       spec-pattern: '/^Source0:/'
       spec-file: 'anti-evil-maid'
+      git-url: ${{ github.repository }}

README

@@ -299,7 +299,7 @@ store your most intimate confessions. ;)
 4) Reboot the system, choose one of the entries called "AEM Qubes". This will
 attempt to perform a "measured launch" using tboot and the SINIT module you
 downloaded, which records the Xen, kernel, and initrd versions used in PCRs
-17-19 of the TPM for use in sealing and unsealing your secret. If the measured
+17-18 of the TPM for use in sealing and unsealing your secret. If the measured
 launch fails for any reason, tboot will fall back to a normal boot and AEM
 will not function.
 
@@ -312,7 +312,7 @@ As the system continues booting, AEM will automatically seal your
 secret(s). You should see a line, or multiple lines, like this one:
 
 Sealed /var/lib/anti-evil-maid/aem/secret.txt using
- --pcr 13 --pcr 17 --pcr 18 --pcr 19
+ --pcr 13 --pcr 17 --pcr 18
 
 Debug output can be read using:
 

anti-evil-maid.spec.in

@@ -2,14 +2,14 @@ Name:		anti-evil-maid
 Version:	@VERSION@
 Release:	1%{?dist}
 Summary:    	Anti Evil Maid for initramfs-based systems.
-Requires:	dracut grub2-tools parted tboot tpm-tools
+Requires:	dracut grub2-tools parted tpm-tools
 Requires:	tpm-extra >= 4.0.0
 Requires:	trousers-changer >= 4.0.0
 Requires:	systemd >= 227
 Requires:	coreutils >= 8.25-2
 Requires:	scrypt qrencode oathtool
 Requires:	tpm2-tools openssl
-Requires(post):	dracut grub2-tools tboot systemd
+Requires(post):	dracut grub2-tools systemd
 Obsoletes:	anti-evil-maid-dracut
 Vendor:		Invisible Things Lab
 License:	GPL
@@ -53,7 +53,7 @@ cp -r systemd $RPM_BUILD_ROOT/usr/lib
 /usr/lib/systemd/system/tcsd.service.d/anti-evil-maid-seal.conf
 /usr/lib/systemd/system/basic.target.wants/anti-evil-maid-seal.service
 /etc/anti-evil-maid.conf
-/etc/grub.d/19_linux_xen_tboot
+/etc/grub.d/19_linux_xen_trenchboot
 %dir /mnt/anti-evil-maid
 %dir /var/lib/anti-evil-maid
 
@@ -64,25 +64,22 @@ cp -r systemd $RPM_BUILD_ROOT/usr/lib
 /usr/lib/systemd/system/initrd.target.wants/anti-evil-maid-unseal.service
 /usr/lib/systemd/system/initrd.target.requires/anti-evil-maid-check-mount-devs.service
 
-%define tboot_grub /etc/grub.d/20_linux_tboot /etc/grub.d/20_linux_xen_tboot
+%define trenchboot_grub /etc/grub.d/19_linux_xen_trenchboot
 
 %define refresh \
 dracut --regenerate-all --force \
 grub2-mkconfig -o /boot/grub2/grub.cfg \
 systemctl daemon-reload
 
 %post
-chmod -x %tboot_grub
+chmod -x %trenchboot_grub
 %refresh
 
 %postun
 if [ "$1" = 0 ]; then
     %refresh
-    chmod -f +x %tboot_grub || true
+    chmod -f +x %trenchboot_grub || true
 fi
 
-%triggerin -- tboot
-chmod -x %tboot_grub
-
 %changelog
 @CHANGELOG@

etc/anti-evil-maid.conf

@@ -7,10 +7,10 @@
 #    12: (SRTM) Xen/kernel params passed by TrustedGRUB1
 #    13:        LUKS header(s)
 #    14: (SRTM) Xen/kernel/initrd loaded by TrustedGRUB1
-# 17-19: (DRTM) TBoot
+# 17-18: (DRTM) TrenchBoot
 #
 # SRTM =  Static Root of Trust Measurement
 # DRTM = Dynamic Root of Trust Measurement (Intel TXT)
 
 # shellcheck disable=SC2034
-SEAL="--pcr 13 --pcr 17 --pcr 18 --pcr 19"
+SEAL="--pcr 13 --pcr 17 --pcr 18"

etc/grub.d/19_linux_xen_tboot → etc/grub.d/19_linux_xen_trenchboot

@@ -3,6 +3,7 @@ set -e
 
 # grub-mkconfig helper script.
 # Copyright (C) 2006,2007,2008,2009,2010  Free Software Foundation, Inc.
+# Copyright (C) 2023 3mdeb Sp. z o.o.
 #
 # GRUB is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -117,28 +118,28 @@ linux_entry ()
     prepare_boot_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | grub_add_tab)"
   fi
   printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/"
-  tmessage="$(gettext_printf "Loading tboot ...")"
+  tmessage="$(gettext_printf "Enabling slaunch ...")"
   xmessage="$(gettext_printf "Loading Xen %s ..." ${xen_version})"
   lmessage="$(gettext_printf "Loading Linux %s ..." ${version})"
   sed "s/^/$submenu_indentation/" << EOF
 	echo	'$(echo "$tmessage" | grub_quote)'
-	multiboot	/tboot.gz placeholder logging=memory,serial ${GRUB_CMDLINE_TBOOT}
+	slaunch
 	echo	'$(echo "$xmessage" | grub_quote)'
         if [ "\$grub_platform" = "pc" -o "\$grub_platform" = "" ]; then
             xen_rm_opts=
         else
             xen_rm_opts="no-real-mode edd=off"
         fi
-	module	${rel_xen_dirname}/${xen_basename} placeholder ${xen_args} \${xen_rm_opts}
+	multiboot2	${rel_xen_dirname}/${xen_basename} placeholder ${xen_args} \${xen_rm_opts}
 	echo	'$(echo "$lmessage" | grub_quote)'
-	module	${rel_dirname}/${basename} placeholder root=${linux_root_device_thisversion} ro ${args} aem.uuid=${GRUB_DEVICE_BOOT_UUID} rd.luks.key=/tmp/aem-keyfile rd.luks.crypttab=no
+	module2	${rel_dirname}/${basename} placeholder root=${linux_root_device_thisversion} ro ${args} aem.uuid=${GRUB_DEVICE_BOOT_UUID} rd.luks.key=/tmp/aem-keyfile rd.luks.crypttab=no
 EOF
   if test -n "${initrd}" ; then
     # TRANSLATORS: ramdisk isn't identifier. Should be translated.
     message="$(gettext_printf "Loading initial ramdisk ...")"
     sed "s/^/$submenu_indentation/" << EOF
 	echo	'$(echo "$message" | grub_quote)'
-	module	${rel_dirname}/${initrd}
+	module2	${rel_dirname}/${initrd}
 EOF
   fi
   if test -n "${sinit_module_list}" ; then
@@ -147,7 +148,7 @@ EOF
       message="$(gettext_printf "Loading SINIT module %s ..." ${sinit_module})"
       sed "s/^/$submenu_indentation/" << EOF
 	echo	'$message'
-	module	/${sinit_module}
+	slaunch_module	/${sinit_module}
 EOF
     done
   fi