anti-evil-maid-unseal fails with exit code 134 #1847

Closed
hdevalence opened this Issue Mar 17, 2016 · 3 comments

Hi,

immediately after installing AEM, the anti-evil-maid-unseal script fails somewhere with exit code 134.

Modifying the 90anti-evil-maid-unseal script to have set -x and reinstalling gives the following output:

anti-evil-maid-unseal[315]: tpm_z_srk: yes, SRK is password protected; resetting dictionary attack lock...
anti-evil-maid-unseal[315]: + Z=
anti-evil-maid-unseal[315]: + '[' -n '' ']'
anti-evil-maid-unseal[315]: + for try in 1 2 3
anti-evil-maid-unseal[315]: + log 'Prompting for SRK password...'
anti-evil-maid-unseal[315]: + echo 'anti-evil-maid-unseal: Prompting for SRK password...'
anti-evil-maid-unseal[315]: anti-evil-maid-unseal: Prompting for SRK password...
anti-evil-maid-unseal[315]: + systemd-ask-password 'TPM SRK password to unseal the secret'
anti-evil-maid-unseal[315]: + tee /run/anti-evil-maid/srk-password
anti-evil-maid-unseal[315]: + tpm_sealdata -i /dev/null -o /dev/null
anti-evil-maid-unseal[315]: Enter SRK password: + log 'Correct SRK password'
anti-evil-maid-unseal[315]: + echo 'anti-evil-maid-unseal: Correct SRK password'
anti-evil-maid-unseal[315]: anti-evil-maid-unseal: Correct SRK password
anti-evil-maid-unseal[315]: + break
anti-evil-maid-unseal[315]: + log 'Unsealing the secret...'
anti-evil-maid-unseal[315]: + echo 'anti-evil-maid-unseal: Unsealing the secret...'
anti-evil-maid-unseal[315]: anti-evil-maid-unseal: Unsealing the secret...
anti-evil-maid-unseal[315]: + tpm_unsealdata -i /var/lib/tpm/aem.usb/secret.txt.sealed -o /tmp/unsealed-secret
anti-evil-maid-unseal[315]: Enter SRK password: + rm -rf /run/anti-evil-maid
anti-evil-maid-unseal[315]: + log 'Unmounting the aem.usb device...'
anti-evil-maid-unseal[315]: + echo 'anti-evil-maid-unseal: Unmounting the aem.usb device...'
anti-evil-maid-unseal[315]: anti-evil-maid-unseal: Unmounting the aem.usb device...
anti-evil-maid-unseal[315]: + umount /anti-evil-maid
anti-evil-maid-unseal[315]: + '[' '!' -d /run/anti-evil-maid ']'
anti-evil-maid-unseal[315]: + false
anti-evil-maid-unseal[315]: + WHERE=above
systemd[1]: anti-evil-maid-unseal.service: main process exited, code=exited, status=134/n/a
systemd[1]: Failed to start Anti Evil Maid unsealing.
systemd[1]: Unit anti-evil-maid-unseal.service entered failed state.
systemd[1]: Started Anti Evil Maid sealing.

The script exits before the section asking to unmount the drive, so it just boots without showing the secret or asking to remove the drive.

marmarek Mar 17, 2016

Member

Exit code 134 means it was killed by SIGABRT. The code there is
just about to show you the unsealed secret:

        # display secret in current dialog
        WHERE="above"
        {   
            message ""
            message "$(cat "$UNSEALED_SECRET" 2>/dev/null)"
            message ""
        } 2>&1  # don't put the secret into the journal

Can you remove that 2>&1 and see what you'd get logged? Or maybe check some other logs (plymouth? other systemd services?)

hdevalence Mar 18, 2016

Thanks for the tip -- I found the problem, which is here: https://github.com/JoliOS/plymouth/blob/master/src/client/ply-boot-client.c#L489

Plymouth has a size limit on the length of the message, in this case <= 255 bytes.

@hdevalence

QubesOS/qubes-antievilmaid#13 adds a note to the README.
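
Added example, not part of the thread or of the AEM scripts: a check to run on a text secret before sealing it, so that it stays within the 255-byte message limit reported above. The function names and `PLYMOUTH_MSG_MAX` are hypothetical; the byte count mirrors the `"$(cat "$UNSEALED_SECRET")"` call quoted earlier, which drops trailing newlines.

```shell
#!/bin/sh
# Assumption: the limit is the "<= 255 bytes" figure given in this thread.
PLYMOUTH_MSG_MAX=255

# Print the number of bytes the unseal script would hand to its message call.
# "$(cat file)" strips trailing newlines, so they are not counted here either.
secret_message_bytes() {
    _secret=$(cat "$1") || return 2
    # wc -c counts bytes, not characters: a multi-byte UTF-8 character
    # occupies 2 to 4 bytes even though it is displayed as one glyph.
    printf '%s' "$_secret" | wc -c | tr -d '[:space:]'
}

# Return 0 if the secret fits, 1 if it is too long, 2 if it cannot be read.
check_secret_fits() {
    _n=$(secret_message_bytes "$1") || return 2
    if [ "$_n" -gt "$PLYMOUTH_MSG_MAX" ]; then
        echo "secret is $_n bytes; limit is $PLYMOUTH_MSG_MAX" >&2
        return 1
    fi
    return 0
}
```

Call `check_secret_fits` on the plaintext secret file before sealing; a non-zero status means the unseal step would hit the failure described in this issue or could not read the file.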
