loke...@gmail.com:
> The AEM package was upgraded recently (probably because of this
> thread:
> https://groups.google.com/forum/#!topic/qubes-users/3ZkmS5v7E38),
> and after I installed the updated version, AEM stopped working
> completely.
>
> Now, it asks me for the AEM password. I type it in, and it doesn't
> display my secret message. Instead, it immediately asks me for the
> disk password, and while it boots the system, I see a message
> telling me: "PCR sanity check failed".

Below that, it should say "See /usr/share/doc/anti-evil-maid/README
for details." You can find some hints for debugging there.

> This is the content of the journalctl log:
>
> Jul 07 16:25:36 dom0 systemd[1]: Starting Anti Evil Maid sealing...
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: tpm_z_srk: detecting whether SRK is password protected
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: Tspi_Key_CreateKey failed: 0x00000001 - layer=tpm, code=0001 (1), Authentication failed
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: tpm_z_srk: yes, SRK is password protected; resetting dictionary attack lock...
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> Jul 07 16:25:39 dom0 systemd[1]: anti-evil-maid-seal.service: Main process exited, code=exited, status=1/FAILURE

Looks like tboot/SINIT is not working correctly on your system. The new
AEM version refuses to seal in this situation, so that you don't get a
false sense of security.

Rusty
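
An added example, not part of the original message and not AEM's own code: a shell function that scans journal lines like those quoted above and flags any of PCR 17, 18 and 19 whose value is only FF bytes, which on a TPM 1.2 is the power-on default for these registers and means no measured launch extended them. The function names `sample_log` and `check_drtm_pcrs` and the exit-status convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not AEM's implementation).

# Constructed sample input: the three PCR lines from the log quoted above.
sample_log() {
cat <<'EOF'
Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
EOF
}

# check_drtm_pcrs: read journal lines on stdin.
# Prints "PCR-N unextended" for each register that is all FF and
# "PCR-N missing" for each register with no line in the input.
# Exit status: 0 = all three present and extended,
#              1 = at least one is all FF,
#              2 = at least one has no line at all (cannot judge).
check_drtm_pcrs() {
    awk '
        match($0, /PCR-(17|18|19): /) {
            pcr = substr($0, RSTART + 4, 2)        # register number
            val = toupper(substr($0, RSTART + RLENGTH))
            gsub(/[ \t\r]/, "", val)               # drop byte separators
            seen[pcr] = 1
            if (val ~ /^(FF)+$/) {
                print "PCR-" pcr " unextended"
                bad = 1
            }
        }
        END {
            for (n = 17; n <= 19; n++)
                if (!(n in seen)) {
                    print "PCR-" n " missing"
                    miss = 1
                }
            exit (miss ? 2 : (bad ? 1 : 0))
        }
    '
}

# Run against the constructed sample; the "||" keeps a non-zero status
# from aborting a caller that uses "set -e".
sample_log | check_drtm_pcrs || echo "PCR sanity check failed (status $?)"
```

On a live dom0 the input could instead come from `journalctl -b -u anti-evil-maid-seal`, the unit named in the log above.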