AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I'm attempting to install Anti Evil Maid on a Lenovo T450s (Broadwell,
Wildcat Point-LP).

A previous report from Alex Guzman indicated that AEM works on this
model. [1] However, I've followed the instructions [2] to the letter
and across dozens of variations over the course of days with no luck.
It's possible I'm missing something obvious, but here's what I've tried:

* Use legacy boot option.
* Use UEFI boot option.
* Try all USB ports.
* Try different USB drives.
* Install to /boot partition on internal SSD.
* Enable/disable different BIOS USB options.
* Try different AEM text secrets (e.g., no symbols).
* Check that the correct SINIT module is in /boot.
Unless I'm mistaken, for the T450s, it should be:

5th_gen_i5_i7_SINIT_79.BIN

In all cases, everything goes smoothly with the installation up to
step 5 (reboot and select the "AEM Qubes" GRUB option). I select that
option (or allow it to be auto-selected, or select the one in the
"advanced" submenu). It gets about 4 lines in (up to "loading initial
ramdisk," I think; a bit too fast to read), then the laptop appears to
do a hard reboot/partial shutdown. Instead of a normal reboot with the
BIOS and normal boot process, the screen is blank, but the system
retains power. (Power button is lit and keyboard backlight brightness
can be changed.)

Does anyone have any ideas or tips about this one? Any help would be
greatly appreciated.


[1] https://groups.google.com/d/topic/qubes-users/jelz1pA8Ilk/discussion
[2] https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-
evil-maid/README

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXOr21AAoJENtN07w5UDAwzC4QAIu1+eIxw7hG0Oy+EPEZXjHr
qsb/jdDqv+Yf/gNWkyjEfps1w2ZZu2StpJQoZyMVTKsl4lFJdkEcNRRxC+ahZ/iv
X7/P8+FftG0BEnC/g7o6Ei1ywogRPIOlcBPAkHMnovUilQZliAXAkEcAbDc6OYnh
Aw0lg4L1uXsXN2XHP+Pej7RGNp9Wx0Pln/4jOxAO0+nsklysiHnJg7abdSKrqAZQ
xlLxCOAieSfHCEbYNqx9HjASPx2Q2QF0U6jSYe51ZHBPHFF+VOjL7lZ4Uuc5S0Ns
QjdPvmuzgO7S7Yv+1wm8y6KLpUqrmfP2EG6riVbvaFIp67kAcdlO8L/yszU8syS+
6IQ021Yvw3d/gCeNGoZEKE7f9yX04at9f8qBpKDBOwEJXJoY30FvhQK61c0K3gIX
OJYx/+m0bPMvxC2LGGtuDm3ry+By4nXMAnWMduMfYypnzxyq9gVP4nTIUmJv+zo1
saHf2u5vbmIdXpu2Dyh/G6SLmiLWnkJKuNxjyMvev+hgj3lqyXxv7vjls4725QkS
imD54usbWfFLxM/L+kXLMLlwmHhtj1bR/S3cDfEAe8YWUCSqcw9wTVznrMXn8Hp6
opeIqORp2hkpd88tpi7SH7v1382F741lFT5umG1Q3nsE1VwgZ70a9N5I2kl+gQSw
BL55lptib3L2DT5yIYeA
=FQvw
-----END PGP SIGNATURE-----

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-05-16 23:44, Andrew David Wong wrote:
> I'm attempting to install Anti Evil Maid on a Lenovo T450s
> (Broadwell, Wildcat Point-LP).
>
> A previous report from Alex Guzman indicated that AEM works on
> this model. [1] However, I've followed the instructions [2] to the
> letter and across dozens of variations over the course of days with
> no luck. It's possible I'm missing something obvious, but here's
> what I've tried:
>
> * Use legacy boot option. * Use UEFI boot option. * Try all USB
> ports. * Try different USB drives. * Install to /boot partition on
> internal SSD. * Enable/disable different BIOS USB options. * Try
> different AEM text secrets (e.g., no symbols). * Check that the
> correct SINIT module is in /boot. Unless I'm mistaken, for the
> T450s, it should be:
>
> 5th_gen_i5_i7_SINIT_79.BIN
>
> In all cases, everything goes smoothly with the installation up to
> step 5 (reboot and select the "AEM Qubes" GRUB option). I select
> that option (or allow it to be auto-selected, or select the one in
> the "advanced" submenu). It gets about 4 lines in (up to "loading
> initial ramdisk," I think; a bit too fast to read), then the laptop
> appears to do a hard reboot/partial shutdown. Instead of a normal
> reboot with the BIOS and normal boot process, the screen is blank,
> but the system retains power. (Power button is lit and keyboard
> backlight brightness can be changed.)
>

Just to clarify what I mean by "hard reboot/partial shutdown," here
are the physical symptoms:

1. Screen goes blank.
2. Screen and keyboard backlight both flash briefly, then go blank
again.
3. Faint "pop" sound (sounds power-related).
4. Fan dies down.
5. Screen and keyboard backlight are dark, but Fn (function) key and
power button LED are lit.
6. Pressing keyboard backlight combination (Fn + space) toggles
backlight brightness. All other keys/combinations are unresponsive.
7. Briefly holding down power button completely shuts down the laptop
(~1 second; much faster than usual).

> Does anyone have any ideas or tips about this one? Any help would
> be greatly appreciated.
>
>
> [1]
> https://groups.google.com/d/topic/qubes-users/jelz1pA8Ilk/discussion
>
>
[2] https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-
> evil-maid/README
>

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXOsBGAAoJENtN07w5UDAwpwIP/1KSeqdWydDY5uucR9qRnKxl
e2/dAZD9Erw9H8JqVwx5NgxzEOZyaGQRBlFASUc3ME+XU6yhD3c4DEm9088j5v6f
cCUyFxe6TfRVCu8kWRiaUuALG/5d7cfS0cAtYMY3wTgzViQbFyLXKRWMwNNl5cOx
ac1RvcF9aG/zRK1ljCulG+FxG3lpLTaTb8Cp2BKuaJEOA42KkPHDJJ5M3Mpx5x4C
SE/dRRQAUWlH226yGsZEzKF469CfoNRXvwZgmv6O7JkI4Jft6RXMKTo1izblsuOD
4xNrWCO/hB6eH4K+0yTEayf/XjuesUm2XdZhiIW4NVhVI3mV3px+sgp7ACD6PxmQ
9XRoo+duw4iD1+cFp9yCQBczsAAza3UgEDyqUL+0P2vznV7io5eEMcXqIh+ZGOUI
J1eCDMdiz0CACm095b0Irexo9r2eHmxPedvpGOdj8Z3XpRtBwTx919qPHeLHd2t6
xRZZL4ITEJZLluoMM1Fq4RzZ9IgymJ0HQIIvlBYvJo/EIXAmPvITXu+FmSCW0NAN
SinAaRYtZ11NT8Vw+Nxx+ZieKFcdxKHaMk6lmVcFrSrkS/DkVTZAooxMYvOIkaHC
t5lsrTcnaA9+NzULb1mlDLz81xrJ0X7sjGTY2yhw85U83Uox6gRyIN+3OBKYhsj7
8+sHv34gTnfhvkaA695y
=AXMt
-----END PGP SIGNATURE-----

[Alex Guzman]

I’ve removed Qubes from the laptop at this point, but I never had this behavior.

For reference, my setup had an internal /boot, TPM SRK key set, using legacy boot. I never encountered the stuff you’re seeing.

> On May 16, 2016, at 11:55 PM, Andrew David Wong <a...@qubes-os.org> wrote:
>
> Signed PGP part

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-05-17 00:01, Alex Guzman wrote:
> I’ve removed Qubes from the laptop at this point, but I never had
> this behavior.
>
> For reference, my setup had an internal /boot, TPM SRK key set,
> using legacy boot. I never encountered the stuff you’re seeing.
>

Thanks for the feedback, Alex! I'm beginning to suspect that it's due
to an AEM installer change since then.

- --

Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXOtUtAAoJENtN07w5UDAwDaMP/iFiXkdeymKP454x+86cmkm7
DyH1DhkvjRR3WgTCyfR+2MCFRgXnlgS9gCv0bMM8jL256h4nDuZXlEvhaAx4O7Xq
gsDLBMIsETQIgbPYUGqLI9PD0HWbhL079jU075r6/Dm2GybkByXybkwf96J9Voik
QucoWk99ZP9CO68+svpUAadKtVDs5mqKS4tTUE4Ci2YntD+5ymwBpCx0NSydADEY
4ABCLyWUhdi7CpPcbe7sDmvMuHJAWo+ZH9s0JATrcv+9fjzd1tKyPkGpcSzeIdgf
jCqrSJcgRgmyOro3iLC7npmAuq0ddfsTQZapXkMuljk8FWZtmzu6GClAXCFKIn2T
bk9xPatdTf4GCF/OfOBEb/soQmVTy1h0F6Rl7rMFw1vw1esSQbIlmeMzE0JXFiAO
Q3z55s4R7g4ItngmjFsnDeDJCmxC/pMoWIgROgl6eUZKdiuE8iJanXVkjhr599v/
6lIfU2Y0Yxzp8HW9FqwVESBkkK0qNfb4wykq9VxhOu8Cbtr8VOeZJW+Zbt+EtIrA
7KNHGBA5q5iKX1IXFyISIkhkHDmbBND65SxHmNMqfCARsJSWGmIEVbELllVx3OyR
XCxA3ww2k5E8Zkwff+L18uJZr7Yi+m+/TfAQ2hQbZQ6nfClTaUp6TYW0Ja4FqpsS
eb7zawx0DWeslpvXSTYB
=2pbo
-----END PGP SIGNATURE-----

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, May 16, 2016 at 11:44:14PM -0700, Andrew David Wong wrote:
> I'm attempting to install Anti Evil Maid on a Lenovo T450s (Broadwell,
> Wildcat Point-LP).
>
> A previous report from Alex Guzman indicated that AEM works on this
> model. [1] However, I've followed the instructions [2] to the letter
> and across dozens of variations over the course of days with no luck.
> It's possible I'm missing something obvious, but here's what I've tried:
>
> * Use legacy boot option.
> * Use UEFI boot option.

AEM is not compatible with UEFI, so you can rule this option out.

> * Try all USB ports.
> * Try different USB drives.
> * Install to /boot partition on internal SSD.
> * Enable/disable different BIOS USB options.

Do you have Intel TXT enabled in BIOS?

> * Try different AEM text secrets (e.g., no symbols).
> * Check that the correct SINIT module is in /boot.
> Unless I'm mistaken, for the T450s, it should be:
>
> 5th_gen_i5_i7_SINIT_79.BIN
>
> In all cases, everything goes smoothly with the installation up to
> step 5 (reboot and select the "AEM Qubes" GRUB option). I select that
> option (or allow it to be auto-selected, or select the one in the
> "advanced" submenu). It gets about 4 lines in (up to "loading initial
> ramdisk," I think; a bit too fast to read), then the laptop appears to
> do a hard reboot/partial shutdown.

Try adding "logging=serial,vga,memory" option to "multiboot
.../tboot.gz" line in grub - can be directly from grub menu. And remove
"quiet" from kernel parameters and "console=none" from xen parameters.

> Instead of a normal reboot with the
> BIOS and normal boot process, the screen is blank, but the system
> retains power. (Power button is lit and keyboard backlight brightness
> can be changed.)
>
> Does anyone have any ideas or tips about this one? Any help would be
> greatly appreciated.
>
>
> [1] https://groups.google.com/d/topic/qubes-users/jelz1pA8Ilk/discussion
> [2] https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-
> evil-maid/README
>

- --

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXOv3GAAoJENuP0xzK19csKdUH/jncawTxFTa9uwvcLExhxQXP
dygUdbb8JnWEBfFUHvHfOm4pu0xU8Ps72rQ8IWtgoTO9lLqckXiIVdVwvxfo8+JV
dQZ7lf0v11CEmYJp1ecnmakG+B+mXCwq4AFIo4Ue9Zk4uToyibycSCDVWFuLWX1L
t/LvzqXMk0yq4hts5yBUWfK1mUMf6BniFs7soE/U/1yvLo2kA8+m7QZ+1mp9xUq0
XwYemSjrlt8iekszT3GSofRIo1Vd/quXqYqkkv1UMhp/JuiwAUa/4mLDSR26zo7w
U1mkNrb6gEBFMSvvgyFzphsUM9AGkFCN3d4bNfIg1hUp9EzUfgFbgKF4dyAWOOw=
=2BzE
-----END PGP SIGNATURE-----

[Chris Laprise]

On 05/17/2016 04:24 AM, Andrew David Wong wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 2016-05-17 00:01, Alex Guzman wrote:
>> I’ve removed Qubes from the laptop at this point, but I never had
>> this behavior.
>>
>> For reference, my setup had an internal /boot, TPM SRK key set,
>> using legacy boot. I never encountered the stuff you’re seeing.
>>
> Thanks for the feedback, Alex! I'm beginning to suspect that it's due
> to an AEM installer change since then.

After using AEM for years, I tried to install a second copy a few weeks
ago and failed. So I am thinking the installer became broken as well.
When I get a chance I intend to retrace my steps and file an issue for it.

Chris

[jpalc...@gmail.com]

I managed to install AEM on thinkpad x220 yesterday(TXT enabled, UEFI disabled, secret is txt file, VT-d is enabled), so the installer is rather working now, but I had few problems with TPM - I wasn't able to take ownership - after disabling TPM -> restart -> enabling security chip even the option to clear keys disappeared from BIOS.
The solution was simple: In Lenovo's laptops, the "Physical Presence" thing mentioned i.e. in tpm_clear tool is related with pressing fn before power button - in that case the option appeared again in bios and I hadn't met any other problems.

Regards,
Jacek

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-05-17 04:17, Marek Marczykowski-Górecki wrote:
> On Mon, May 16, 2016 at 11:44:14PM -0700, Andrew David Wong wrote:
>> I'm attempting to install Anti Evil Maid on a Lenovo T450s
>> (Broadwell, Wildcat Point-LP).
>
>> A previous report from Alex Guzman indicated that AEM works on
>> this model. [1] However, I've followed the instructions [2] to
>> the letter and across dozens of variations over the course of
>> days with no luck. It's possible I'm missing something obvious,
>> but here's what I've tried:
>
>> * Use legacy boot option. * Use UEFI boot option.
>
> AEM is not compatible with UEFI, so you can rule this option out.
>

Understood.

>> * Try all USB ports. * Try different USB drives. * Install to
>> /boot partition on internal SSD. * Enable/disable different BIOS
>> USB options.
>
> Do you have Intel TXT enabled in BIOS?
>

Yes, TXT is enabled.

>> * Try different AEM text secrets (e.g., no symbols). * Check
>> that the correct SINIT module is in /boot. Unless I'm mistaken,
>> for the T450s, it should be:
>
>> 5th_gen_i5_i7_SINIT_79.BIN
>
>> In all cases, everything goes smoothly with the installation up
>> to step 5 (reboot and select the "AEM Qubes" GRUB option). I
>> select that option (or allow it to be auto-selected, or select
>> the one in the "advanced" submenu). It gets about 4 lines in (up
>> to "loading initial ramdisk," I think; a bit too fast to read),
>> then the laptop appears to do a hard reboot/partial shutdown.
>
> Try adding "logging=serial,vga,memory" option to "multiboot
> .../tboot.gz" line in grub - can be directly from grub menu. And
> remove "quiet" from kernel parameters and "console=none" from xen
> parameters.
>

Ok, I've tried again with these options. The result is the same,
except that some more output flashes across the screen before it
fails, but it's far too fast to read.

Is there any way to dump the output to disk so that I can read it?

>> Instead of a normal reboot with the BIOS and normal boot
>> process, the screen is blank, but the system retains power.
>> (Power button is lit and keyboard backlight brightness can be
>> changed.)
>
>> Does anyone have any ideas or tips about this one? Any help
>> would be greatly appreciated.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXO9eUAAoJENtN07w5UDAw+4oP/1OCRkVqSVUW+XfnUWzMihfS
W8EgVJmmlELGkLD/tD7G4J2JoAPedQdTgcB1w2k1B4XmRks/2Mo1SK6X5z/U9Kaf
SYs0yWRdgLLc5MRQdoaCoe4A08GoHlz0SElrYwYcjiTbAqRrgy9iAHTZDEZ/9GYT
zFEXBdO8fmfKyXXSeJ/ps6wGMSwCgToAoWMtW/Xpq0iD/Yojq9CONsQB36/ukfr0
tbSAZd4aEZsup8aF3VNjO3+KnjuYIsW4TngAi3X4aMGLyvgOMbjWKMnjOdHBcZcF
fLimBLAxrXcGGMiBsb96ZcGNk5YRVKZVq3sn0L7OYb1ARURvxk/hwBJigMzHr3bM
3Z7DOOZuMJs8jNal6zi9/uhdOBXCfIslccYnyYX0E4qU1avVdYwzeiA9l/QUUv/L
9G3tPsHiFW/OSCmk+jEn+bsFYkda3CeUgftqzlnEa/PeuCgRQ88CGRPkme3BwTp4
ZMInTrjFE1hBXoxhx4S4HomJIGRh+I68zBcmQfxaay3MmJ14bSaQMdm7xu2xRald
N3+drWGPvPQwd++gGEPb3/rFohmGMf5Q2C/Doy0GfRVXM26wG3VwXFZ3cy2dQ/Id
G5B8YyBpAndzovYVnp7u6+VJuXqefZpRjucbGeJnYSF5UHC5ofAXLvAuG+Qltcbi
gr4g3sHYtr7B26uy9nRJ
=xlVU
-----END PGP SIGNATURE-----

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Sounds good. Please keep us posted!

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXO9e3AAoJENtN07w5UDAwQ84P/35OP3aBgwdgy2p3xWE8vBn1
EOM3c3aCvg+F+zCrG6DG+U0i5LNmv9Uw3YTZqXY6yMiQHHXEvZp4DJzmLMi17Rqf
b7PLbNpSCmpzri7b4GrW7lYhf388+TOwPSOuV5DKSjk8TdXgeVCzWVL66/0ugmA0
ZEY3ZNFzSW0dTY/KqHrk+EVHzyE+wjKNUdG/HTrK6nYIxx1qe4BSnMmTkjwrz2CH
7x6Sf3FArePPDfeROjUhTdVswv7sepXnR5naVHe3O49Eh/6U8ozFfPN+wKknzmiD
xN5atGFSg7c+Gz5JgtabA2vj3RpCWH98JmsHrLWCUeqHgF7vY1Up81lNVf5I9lkx
5DPil70zy4FqJ09LIhT43TEVCPnQZugMvPEn2UOTdh53gdHONANtUDTK+fAavv4E
Sb6p/heYEsvQpCJNlxJ42yI5qha7vofnhIiv6tLUoEWZXtZRkBxTAH7t4i8p9KPD
/y6V6D9krNdH+9FNZjoHVCrS9T+0uLrxlG/MBPWmy22jG55+p1v6aKxa9+es3onq
Fb48RasTgqEc2B8CYVfuQhBLj2YL4hU1DeO36EPKueNuT0dgJAP4q6q+JkjKeTBE
ZZpfbSZ7najiteo833hT2dKSUJ7PFSvTHE1qMqh42Y6oi5fBzgDaJ/Y40OiFry1c
KZgIZw/EtJ55WiSTyy7o
=C4BQ
-----END PGP SIGNATURE-----

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-05-17 10:01, jpalc...@gmail.com wrote:
> On Tuesday, May 17, 2016 at 6:17:13 PM UTC+2, Chris Laprise wrote:
>> On 05/17/2016 04:24 AM, Andrew David Wong wrote:
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
>>>
>>> On 2016-05-17 00:01, Alex Guzman wrote:
>>>> I’ve removed Qubes from the laptop at this point, but I never
>>>> had this behavior.
>>>>
>>>> For reference, my setup had an internal /boot, TPM SRK key
>>>> set, using legacy boot. I never encountered the stuff you’re
>>>> seeing.
>>>>
>>> Thanks for the feedback, Alex! I'm beginning to suspect that
>>> it's due to an AEM installer change since then.
>>
>> After using AEM for years, I tried to install a second copy a few
>> weeks ago and failed. So I am thinking the installer became
>> broken as well. When I get a chance I intend to retrace my steps
>> and file an issue for it.
>>
> I managed to install AEM on thinkpad x220 yesterday(TXT enabled,
> UEFI disabled, secret is txt file, VT-d is enabled), so the
> installer is rather working now, but I had few problems with TPM -
> I wasn't able to take ownership - after disabling TPM -> restart
> -> enabling security chip even the option to clear keys
> disappeared from BIOS.

I didn't encounter any problems with taking ownership of the TPM. I
did, however, discover that Lenovos (or at least this model) requires
a cold boot (rather than a warm boot) in order for the option to clear
the TPM to be available in the BIOS.

> The solution was simple: In Lenovo's laptops, the "Physical
> Presence" thing mentioned i.e. in tpm_clear tool is related with
> pressing fn before power button - in that case the option appeared
> again in bios and I hadn't met any other problems.

Interesting. As mentioned above, I didn't have to press Fn before the
power button in order to clear or take ownership of the TPM even
though I have the "require physical presence" option enabled in the
BIOS. Perhaps this issue is model-specific or BIOS-specific.

Just to clarify, when you say "pressing fn before power button," do
you mean the following?

1. System is completely powered off.
2. Press and hold the Fn key.
3. Press and release the power button.
4. Release the Fn key.

In your case, this caused the "clear TPM" option to be available in
the BIOS, whereas before it was not? Did it have any other effects?

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXO94WAAoJENtN07w5UDAwl1AQAKmJSFC7c6agPnPHdUd2sEB8
5S/LwmNJlHu88xaQiswfapz5rZ1AV+mPhdzxTsiM+GHIliHALMLZS+8elD3xwK3c
QHGKLukOUpydgKpcwDLvw0xvdRrhutUQO6bl0CO9vtNedYkJFnk431JERVlIy37V
kiPlzOwBEx5iy28WD+LZ2y5fXXWoUom+ndSPXxY3pbFcF54Pd3W4CqbFhg2wacpR
dsHwcHvNsCzvoel/557IsqG0RNeuFagAzqxgbmLG3cu38kHkR2IBfLi2kTmydui5
Pr39+dsFCv+5xyrY8Z8gU/ukjejhgNnfocYH4rzzHQRG2LKVHjjT17N1d9bWvJtA
DkK8ELzZqljQdo0akBoQtShC81WYMGE2xMbwqx22BMKeV9RbIZJdcs/cjK2ggHIF
ADhMNRyVW3vnXje2DyjM1KRmbgmNtXT77lYMweM1EZz4Vzi8mK4XgRnljL+e8GaN
rYbmdhpR5uNUVbMnsObLvJ4fKWlaOvIW5gk+X1lgLe2cvttcnOUi3OB/APmqYYeb
VwK8TlS8niDo28skOxDzLme0vl53y1qwflyOD2qsRJPpdk6jR0y+ds9fw5qB9ezt
aXz/+0i5D/OAej34vXc8ro4JZ/+VD9rexLR5wxdJR1/UCznVBpwKGDgPWAQnAEPm
6x9yTVpWEDorLuSuijp7
=Ou+z
-----END PGP SIGNATURE-----

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, May 17, 2016 at 07:46:46PM -0700, Andrew David Wong wrote:
> On 2016-05-17 04:17, Marek Marczykowski-Górecki wrote:
> > On Mon, May 16, 2016 at 11:44:14PM -0700, Andrew David Wong wrote:
> >> I'm attempting to install Anti Evil Maid on a Lenovo T450s
> >> (Broadwell, Wildcat Point-LP).
> >
> >> A previous report from Alex Guzman indicated that AEM works on
> >> this model. [1] However, I've followed the instructions [2] to
> >> the letter and across dozens of variations over the course of
> >> days with no luck. It's possible I'm missing something obvious,
> >> but here's what I've tried:
> >
> >> * Use legacy boot option. * Use UEFI boot option.
> >
> > AEM is not compatible with UEFI, so you can rule this option out.
> >
>
> Understood.

Interesting, according to tboot documentation it supports EFI. But
multiboot2 support in Xen is still missing, so not going to work yet.

> >> * Try different AEM text secrets (e.g., no symbols). * Check
> >> that the correct SINIT module is in /boot. Unless I'm mistaken,
> >> for the T450s, it should be:
> >
> >> 5th_gen_i5_i7_SINIT_79.BIN
> >
> >> In all cases, everything goes smoothly with the installation up
> >> to step 5 (reboot and select the "AEM Qubes" GRUB option). I
> >> select that option (or allow it to be auto-selected, or select
> >> the one in the "advanced" submenu). It gets about 4 lines in (up
> >> to "loading initial ramdisk," I think; a bit too fast to read),
> >> then the laptop appears to do a hard reboot/partial shutdown.
> >
> > Try adding "logging=serial,vga,memory" option to "multiboot
> > .../tboot.gz" line in grub - can be directly from grub menu. And
> > remove "quiet" from kernel parameters and "console=none" from xen
> > parameters.
> >
>
> Ok, I've tried again with these options. The result is the same,
> except that some more output flashes across the screen before it
> fails, but it's far too fast to read.
>
> Is there any way to dump the output to disk so that I can read it?

You can try with serial console if you have one...

Check tboot documentation in /usr/share/doc/tboot/README - there are
some more hints.

For example vga_delay=<secs> parameter to slow down the output.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXO+E8AAoJENuP0xzK19csgyUIAJnlaTOWWhnNRiZg8vQq0VnD
XFWZlAGLuiQUia+7EPv2Hp8hGjkEOGB/NEySLsxtID/3Jt31MPHAmkAYG1x6jjMR
1SdbfvD5W7KlszRMBnoQe30ZXcGR0a6sIhIxYJDSmvHkKT4VSZfRZu5sUI9jc4/p
bTk6kYtPo8yxKZ17izpdTyZKssNp9aOS3sRNNdbMXPwuA505FVUBkyhZd1T+psRv
+LFkRXORNXT88CLew6BkmdNXNi5Nh8zT816Y4D1KIk9rG2EhaTrzIJQ6LhrdQMth
QO4iMTJWL8bP2gn2cLB+hT/7JeJF5kDkuOZARnfNXPKGUofWU2ZP1ZjuviHxnjc=
=2hVj
-----END PGP SIGNATURE-----

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Ok, thanks. Using vga_delay, I was able to see that TBOOT gets to this
point before it fails:

setting MTRRs for acmod: [...]
executing GETSEC[SENTER]...
<system reboots>

Everything before that looks good (confirmed that SINIT module matches
platform, etc.). The only thing I'm not sure about is that there are
warnings that there's no TPM NV policy (or that it can't be read).

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXO+esAAoJENtN07w5UDAwlH8QAIZ6z9KvBDeD3KoAaZ8q4e4J
A+m60tJoMu7Q24VYOVh7fKH8Rf1YrTatOlH1fWZujiboZE8aUvOtus4tfWgnlZBl
YhYJqiWOPc6O5dnfwOSaTesu0BMiywJiRRVurA5FQh5LuIVuKows44MWtujXAf+C
9Y28YcCIc1wr4fe30foOYiZFzPaVkqDbsy+YdqvcCes17ChHKGwpSG4gqYNouiJK
OeJjEJj/QNjkEeOyQKI/P8VIIjur00zax5BmipxDrLbTz4pLiO8SzdW53ThZLg6f
8e3uilIH+CYhjzkTqrxXpVbumCMrvtzf45eH9UZS3/eOkDf/V6jpbAae83wHpfZP
RP0k+kVM2zP5fihWCIiPBTsDgdRvZ6oh2j1txbg1oCsZ0+/2YRNOYn0lvCg9qaDu
Sy20R1Nchh7h4fhiytK0oNnBgSlEYEbWha+VV5QYGIoVviqLAHG/hNJwoEbJ8Gwn
mTOohey3BBduN4wTtZfSAbdGO0ctrwCB6YREmsJsMV4ymwJzI+tIYOxgDEZSKQUB
PkMdx7zu4X7KPtx7OyuCrQJHkamrVUhGCqjABiUs/7tuJdwKnF002gRbLm6MU+so
oRJBk44Kektd/O3RZGKballuPhtxmpPgyeBz3rY+CC/4YVIXXvErbz4wTPH1ANkt
iSUGThnVof90E2rYwtu2
=9dwH
-----END PGP SIGNATURE-----

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-05-17 10:01, jpalc...@gmail.com wrote:
> On Tuesday, May 17, 2016 at 6:17:13 PM UTC+2, Chris Laprise wrote:
>> On 05/17/2016 04:24 AM, Andrew David Wong wrote:
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
>>>
>>> On 2016-05-17 00:01, Alex Guzman wrote:
>>>> I’ve removed Qubes from the laptop at this point, but I
>>>> never had this behavior.
>>>>
>>>> For reference, my setup had an internal /boot, TPM SRK key
>>>> set, using legacy boot. I never encountered the stuff you’re
>>>> seeing.
>>>>
>>> Thanks for the feedback, Alex! I'm beginning to suspect that
>>> it's due to an AEM installer change since then.
>>
>> After using AEM for years, I tried to install a second copy a
>> few weeks ago and failed. So I am thinking the installer became
>> broken as well. When I get a chance I intend to retrace my steps
>> and file an issue for it.
>>
> I managed to install AEM on thinkpad x220 yesterday(TXT enabled,
> UEFI disabled, secret is txt file, VT-d is enabled), so the
> installer is rather working now

Did you use the latest version of AEM (version 3.0.2), or was it by
chance an older version? You can check with this command in dom0:

$ sudo yum info anti-evil-maid | grep Version

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXO/dhAAoJENtN07w5UDAwjCQP/1vqs5C24KP8k9DZ8WcJc/Ff
RBpcQzGdpocDoCWFGAlRToJHiZpIFvziAB05uJKnoG94Db0AkR6DL9iAtFYxawoh
mbGX4fEiafilYWIzPeL51kRjPigNnXMTRtrJkYiX7kFXelHAauMQq3JgdRGGhl/E
DYshyp0YQxFNSPNQXavKViKL3UncDG12+pY6N97cM/Hz6Ycdul1R3ueqN+w7uIm2
UQ/ypMgLLYdUgUkfI18VQ4wmKrg/nzbTAQ81tDsgOq2aS4yZ0W/CkmV7iYxIDxEK
xbGfL72KgRpsxGJVbf/k9wl0ddA6RY69dwzJzZFzFZmZU0GttPyqRPSoABs7jPtR
dy6Lm68vylu2TLwc70OFYToeOVevh0xzHyUMTSwOBAEqUoyN0irCPWYzXBj9J9gd
FO9Cm66EczRiImRboBHb3SpgC+oEnt4VR6UTTQpa+Qhc+6+wb+XjmdzirtDzeaxe
XfFjQ9NwAc3CvBWJe1TuIVZ7IHafP2G5Ue0qFP3LSOr7UEx1wRozOtp8IALQLB7p
hmJvUSHfq+9qnPKy9supxWwdae6Bw9bJgENl92Idtiamwgu3eZtYdLp6Hs5k21gS
Lm+J4xMO9R5aH/Vqg/JBUBJQqIs9W3J56Vgaa387WhFMYLI2h6CpMDB7up1Cjpv7
AdxOtHZbUh9wSW0koKo3
=c+4v
-----END PGP SIGNATURE-----

[Jacek Palczewski]

Yes, I used the latest version.

> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJXO/dhAAoJENtN07w5UDAwjCQP/1vqs5C24KP8k9DZ8WcJc/Ff
> RBpcQzGdpocDoCWFGAlRToJHiZpIFvziAB05uJKnoG94Db0AkR6DL9iAtFYxawoh
> mbGX4fEiafilYWIzPeL51kRjPigNnXMTRtrJkYiX7kFXelHAauMQq3JgdRGGhl/E
> DYshyp0YQxFNSPNQXavKViKL3UncDG12+pY6N97cM/Hz6Ycdul1R3ueqN+w7uIm2
> UQ/ypMgLLYdUgUkfI18VQ4wmKrg/nzbTAQ81tDsgOq2aS4yZ0W/CkmV7iYxIDxEK
> xbGfL72KgRpsxGJVbf/k9wl0ddA6RY69dwzJzZFzFZmZU0GttPyqRPSoABs7jPtR
> dy6Lm68vylu2TLwc70OFYToeOVevh0xzHyUMTSwOBAEqUoyN0irCPWYzXBj9J9gd
> FO9Cm66EczRiImRboBHb3SpgC+oEnt4VR6UTTQpa+Qhc+6+wb+XjmdzirtDzeaxe
> XfFjQ9NwAc3CvBWJe1TuIVZ7IHafP2G5Ue0qFP3LSOr7UEx1wRozOtp8IALQLB7p
> hmJvUSHfq+9qnPKy9supxWwdae6Bw9bJgENl92Idtiamwgu3eZtYdLp6Hs5k21gS
> Lm+J4xMO9R5aH/Vqg/JBUBJQqIs9W3J56Vgaa387WhFMYLI2h6CpMDB7up1Cjpv7
> AdxOtHZbUh9wSW0koKo3
> =c+4v
> -----END PGP SIGNATURE-----

> Just to clarify, when you say "pressing fn before power button," do
> you mean the following?

> 1. System is completely powered off.
> 2. Press and hold the Fn key.
> 3. Press and release the power button.
> 4. Release the Fn key.

That's true.

> In your case, this caused the "clear TPM" option to be available in
> the BIOS, whereas before it was not? Did it have any other effects?

Yes, I haven't tested if booting with fn key has any further impact in system.

Regards,
Jacek

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-05-17 00:01, Alex Guzman wrote:

> I’ve removed Qubes from the laptop at this point, but I never had
> this behavior.
>
> For reference, my setup had an internal /boot, TPM SRK key set,
> using legacy boot. I never encountered the stuff you’re seeing.
>

Alex, do you know which version of the BIOS you had when AEM worked on
your T450s?

- --

Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXO/5AAAoJENtN07w5UDAwao8P/1fNl8fB8PKu/Ji0B71PrKOe
8HYR5x3e3eXQvz48kmPadkoe4+NCwrNDKe5RXmUBwYsF2ECvq//mPeIu/yY9dygY
ADIOqG8PmRVSvV5sH/noN8RILsN3FhdMf+z2KISt6KEFHvUH/wH8GdE+Y0GsTgsc
VDZkUB5swM9Xr4UG25d4/Fvy+8xbnjnDqhOlAKg1YE9yHIROIaYr1Cv5MpIHhIEi
clWcHpG1HSCXXTEQu7weMs1Dh8rcNRrFhsWu5VUqcsD3CbCTmbtw7WZ0F7zPYfDY
AB2zdOyYGw8fnhj5Ejkl/uFldWIel1B/f5SnImogTozwGGXKdLaBVE1zzgZCfp+D
2G+Xj2L/3G2RhVaFjsRJ9b0G+S1ycQiqTrFueNvBJuFf+delBTNJuLn5jATI6SJE
tB7x9/Uw4RqlqxIG0ETrX8SvCnNoC3uN+iJcsbcXzMVlS4rSIPoA7Ygv9otsVIto
DCBZECf44MkJr/SLlHciAkIfumKLo56Nm1KOA+MiBsun/w5IU20GDred866XTzjF
A1xUNHayvZYQWAbTFWS4wTJhvJujKc6UbrDRE/SH4Dav8l8sDlLmJakulvUH9HKR
xsXY0ghtzgnMu/0qx28cxsXlEw1/b3C4CQxtlqBp8ukak3Ht/HEbDKnc44LO8UUp
iZqwuWNJu666IrpIznjF
=iObv
-----END PGP SIGNATURE-----

[Alex Guzman]

Same one, haven’t updated it. It’s in the HCL file I sent in.

> On May 17, 2016, at 10:31 PM, Andrew David Wong <a...@qubes-os.org> wrote:
>
> Signed PGP part

> On 2016-05-17 00:01, Alex Guzman wrote:
> > I’ve removed Qubes from the laptop at this point, but I never had
> > this behavior.
> >
> > For reference, my setup had an internal /boot, TPM SRK key set,
> > using legacy boot. I never encountered the stuff you’re seeing.
> >
>
> Alex, do you know which version of the BIOS you had when AEM worked on
> your T450s?
>

[Jacek Palczewski]

> Perhaps this issue is model-specific or BIOS-specific.

It isn't, because this trick is based on
http://trousers.sourceforge.net/faq.html#5.1 and appears a few times in trousers mailing list.

Regards,
Jacek

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I guess, it's where SINIT module is actually executed.
Quick search returns some quite old (2009-2010) threads on tboot-devel
when "GETSEC[SENTER]" fails (but not reboots). After some BIOS update.
But can't find anything with reboot there. Maybe worth asking on
tboot-devel?

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXPEixAAoJENuP0xzK19csun8H/31WtNbu/BEngzucmLx6GPoy
UI18JWVtbKUgGNnJg1g2KTZKb24kmOdJ5iNSAMWEf5N0Ek5mz8MbmaPpcP7iitJ9
GRT/RNaGX8DWb8CwU21o9Gbzl41XHc9YeqiYAW3PkOcPKTzeB8eiaefwVmSclp0C
WXsUiGbagF/YOvqPz6skyxv6Z+K++A16KZgIomQnWurYdwfPy1gnuhN9fFaDkCGN
j3bDAvsWHsvyZnjl2SKkqMK03tZ7a61ZTqK90wFc0o5W8YViiwavHL5Ej8gDo70e
ZjSomVALDjr1n2bHZtqd5x/YwFGsKbPx3UVYiUW9DukAKoIFT1/mmywTLGpkcZI=
=r662
-----END PGP SIGNATURE-----

[Chris Laprise]

What happens when BIOS checks the SINIT signature and it fails? Reboot?

Try downloading the SINIT file from an alternate network route, and
verify if possible (I don't recall if Intel provides checksums).

Also check your BIOS version and maybe do an update.

And test your hardware and RAM (there is a BIOS menu with a built-in test).

Chris

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Yes. From what I've read, that's the normal failure mode for tboot.

> Try downloading the SINIT file from an alternate network route,
> and verify if possible (I don't recall if Intel provides
> checksums).
>

Yep, downloaded over clearnet and Tor on different computers; hashes
match. Platform match confirmed in tboot output.

> Also check your BIOS version and maybe do an update.
>

Looks like there's an update available, but the process requires
either using Windows or a really long, complicated, and dangerous (in
the sense that it risks bricking the laptop) process for Linux. And it
may not even work after updating the BIOS. If I have time, I'll
consider trying it.

> And test your hardware and RAM (there is a BIOS menu with a
> built-in test).
>

Yep, hardware tests check out.

> Chris
>

I appreciate the suggestions!

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXPI2UAAoJENtN07w5UDAwzN4P/2xSEYIys1kQWroL5G+4n5mB
j24R22ad75QVWoZdLIHrGMCZKtyvmPrUzwYlVuVNSorFB2vBamie3sCAQE1z6+DD
ithp0cJdfG39OXbOuu/pV4GzSqHp0IpDX1s6pjJ8rNQ6xTgLBDgdaR/Vz7448Q98
pjxJftFTQ7C4PSWgnbFP+wQ1vquVYVa+NjVN5swYqzPL8CXrISpJEB0ifFlYw3KO
Q8zaGIOX5frcS7vgS3NA9lxfZuxoe1m+r6QS2G7T04wSH/RGdySLWPqhA9sMSN2T
CoyzKxFlmvtyl4qPmpYh1WiWHoEWoxbl3A5XwDptiSB3h+KUAqDDnPqxnqnNlpw6
llMeo8/1b7czwZDvsuaO1u0IwqD8XnZxj7tH6JhEMjMxC7YOCJ9bmP59+LGo8/Er
wKAzGcSCfVHhjwy+G9L3iXust6qerhiUaEl2eSKTwb0jZfzBQt1qJhQHojzvfoSk
88qLW+Cg24mY1t45ckAS/LkV/7GWRBOt+LAKJgwtjyoKcU6j3Dz5SjKXbF+I5FBh
XkshU1vsl9ZEkmdogAXqJbemtHr8MG1tEQXboc8WhipqhK7X7L6/pD+y2wgQeTY/
h33WRZK8aDx+CAmDfWVCxTxGZW8xmMw919fh9FYKdFjfTpAsfTyzwHD4AJF2ReKg
Z5a6TGu5UcN2HaL56sry
=6KuC
-----END PGP SIGNATURE-----

[Frank Schäckermann]

There should be a bootable BIOS-Updater-Image that can be burned to a CD and booted on the TP to get the BIOS updated. At least there was one for my Lenovo W530 a couple of weeks ago. Practically hassle free - not counting getting the CD burned on Qubes OS. ;-) But than again... the T450 mileage may vary...

>
>> And test your hardware and RAM (there is a BIOS menu with a
>> built-in test).
>
> Yep, hardware tests check out.
>
>> Chris
>
> I appreciate the suggestions!
>
> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJXPI2UAAoJENtN07w5UDAwzN4P/2xSEYIys1kQWroL5G+4n5mB
> j24R22ad75QVWoZdLIHrGMCZKtyvmPrUzwYlVuVNSorFB2vBamie3sCAQE1z6+DD
> ithp0cJdfG39OXbOuu/pV4GzSqHp0IpDX1s6pjJ8rNQ6xTgLBDgdaR/Vz7448Q98
> pjxJftFTQ7C4PSWgnbFP+wQ1vquVYVa+NjVN5swYqzPL8CXrISpJEB0ifFlYw3KO
> Q8zaGIOX5frcS7vgS3NA9lxfZuxoe1m+r6QS2G7T04wSH/RGdySLWPqhA9sMSN2T
> CoyzKxFlmvtyl4qPmpYh1WiWHoEWoxbl3A5XwDptiSB3h+KUAqDDnPqxnqnNlpw6
> llMeo8/1b7czwZDvsuaO1u0IwqD8XnZxj7tH6JhEMjMxC7YOCJ9bmP59+LGo8/Er
> wKAzGcSCfVHhjwy+G9L3iXust6qerhiUaEl2eSKTwb0jZfzBQt1qJhQHojzvfoSk
> 88qLW+Cg24mY1t45ckAS/LkV/7GWRBOt+LAKJgwtjyoKcU6j3Dz5SjKXbF+I5FBh
> XkshU1vsl9ZEkmdogAXqJbemtHr8MG1tEQXboc8WhipqhK7X7L6/pD+y2wgQeTY/
> h33WRZK8aDx+CAmDfWVCxTxGZW8xmMw919fh9FYKdFjfTpAsfTyzwHD4AJF2ReKg
> Z5a6TGu5UcN2HaL56sry
> =6KuC
> -----END PGP SIGNATURE-----
>

> --
> You received this message because you are subscribed to the Google Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
> To post to this group, send email to qubes...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bdcedc6b-c6f0-8151-d8da-af664439642b%40qubes-os.org.
> For more options, visit https://groups.google.com/d/optout.

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-05-19 02:34, Frank Schäckermann wrote:
> There should be a bootable BIOS-Updater-Image that can be burned to
> a CD and booted on the TP to get the BIOS updated. At least there
> was one for my Lenovo W530 a couple of weeks ago. Practically
> hassle free - not counting getting the CD burned on Qubes OS. ;-)
> But than again... the T450 mileage may vary...

Thanks, Frank. Unfortunately, even after successfully updating the BIOS
to the latest version, AEM is still not working (fails the same way as
before). I really thought updating the BIOS would fix it, since
there's a TPM-related fix in the BIOS patch notes.

Marek, I noticed that the version of tboot being used is somewhat old
(July 2014). Would upgrading tboot itself break compatibility with
AEM? If so, are there any plans to upgrade AEM to be compatible with a
newer version of tboot?

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXSCEHAAoJENtN07w5UDAwc+UP/3Ei78EYFI+hzOslohEhC58u
vQWaI7ThNOpXm29AezzvdMFFNrpzZZhRTBC2G4xzi8or9ZU9o84OtDChJ5u+u+7t
MHjyCHDvc6z6PocJm4OdKRVaIXjZC8wZYHLWQduo1+SbATWwPtIBgf60iBjG/mQR
dQ3+gIgUR/q51IZ4V7JBSf81SZ5zlTJrXFBOnG6fUaT79N1TWxGg7A4Fu4GD93TR
OmTK7Qh0LHVC+eHIaAwruCZ4K7YniQ+AyVphDVO1Q7I///b9eXg7pSCi2SyJkkxY
mlBTGjT1Z2tN2dwanxByjXpXXS7eHI2Q3PKY7N1bjGH8cBMgH4TvqoB5m2AJ754/
0B5HS8f4O2UUjUm5f4cST5SGuz0qyh858SuGmGHqEFrDv3AZn/md2Fs73usD9Deo
v1yH+hTizIuAdW44+myGx+GW1XA3QD+B8APDGj/iQ4qDq6UVzbdNVW8sODMgWiWy
NzMModDuT0i1oeAWOf3I1JnAcBwjHFHTUaW9B6ghFPWsbMiFHxLhWAS5+Ou+RhS7
MDg0MBK5oP4kmSIzXR/iCmKU9fkFavG33u9S42Gu7mNuxuNd6N/Jw0Mi/AT9u2qm
/2jeV7UQQM0r3M5srbxInDKgqGEqomTz/rLyo6NlwfvF9mffpd/5QnbixqLrs4Dv
EM35Vea4yO5th44b+ANv
=TAgf
-----END PGP SIGNATURE-----

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, May 27, 2016 at 03:27:50AM -0700, Andrew David Wong wrote:
> On 2016-05-19 02:34, Frank Schäckermann wrote:
> > There should be a bootable BIOS-Updater-Image that can be burned to
> > a CD and booted on the TP to get the BIOS updated. At least there
> > was one for my Lenovo W530 a couple of weeks ago. Practically
> > hassle free - not counting getting the CD burned on Qubes OS. ;-)
> > But than again... the T450 mileage may vary...
>
> Thanks, Frank. Unfortunately, even after successfully updating the BIOS
> to the latest version, AEM is still not working (fails the same way as
> before). I really thought updating the BIOS would fix it, since
> there's a TPM-related fix in the BIOS patch notes.
>
> Marek, I noticed that the version of tboot being used is somewhat old
> (July 2014). Would upgrading tboot itself break compatibility with
> AEM? If so, are there any plans to upgrade AEM to be compatible with a
> newer version of tboot?

I think newer tboot shouldn't break anything. The only reason for this
particular version (1.8.2) is a package in Fedora. And I see even in
Fedora 23 (planned as dom0 for Qubes 3.2), it's still at 1.8.2.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXS3yWAAoJENuP0xzK19cs15cH/itnEnSnnnXnVZxRITtWqSE3
mFxwG34GcwV01+ZuIQ/7tbKaU9owAo8b1vKq9zJS63pEkmSSIcwXu1h3jC52AiIG
Oeq+FEcu3P79a4c8D8q1lXi50Urcw/ibRAnXpQQDfPzzdlwAoBbcyYMwspC08HTl
xfRljhxWxp95GUlc3C+JXvI5yXZExT6SD86SBfmpJdQP1UaAw4BNbyHJVpA2SRh6
HR2MFERzEK3CmzF9X/3uAZTv3bgcbgFwyuLe/NaY3eWDdrkzAglX3kbiPcHmyR6/
3xBJgwZ80Y2pH0ONEp7dtTwvaoRN1fcizmGvDQXF+Maf1wuFtpbao5YbuIs45DI=
=VCk5
-----END PGP SIGNATURE-----

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-05-29 16:34, Marek Marczykowski-Górecki wrote:
> On Fri, May 27, 2016 at 03:27:50AM -0700, Andrew David Wong wrote:
>> On 2016-05-19 02:34, Frank Schäckermann wrote:
>>> There should be a bootable BIOS-Updater-Image that can be
>>> burned to a CD and booted on the TP to get the BIOS updated. At
>>> least there was one for my Lenovo W530 a couple of weeks ago.
>>> Practically hassle free - not counting getting the CD burned on
>>> Qubes OS. ;-) But than again... the T450 mileage may vary...
>
>> Thanks, Frank. Unfortunately, even after successfully updating
>> the BIOS to the latest version, AEM is still not working (fails
>> the same way as before). I really thought updating the BIOS would
>> fix it, since there's a TPM-related fix in the BIOS patch notes.
>
>> Marek, I noticed that the version of tboot being used is somewhat
>> old (July 2014). Would upgrading tboot itself break compatibility
>> with AEM? If so, are there any plans to upgrade AEM to be
>> compatible with a newer version of tboot?
>
> I think newer tboot shouldn't break anything. The only reason for
> this particular version (1.8.2) is a package in Fedora. And I see
> even in Fedora 23 (planned as dom0 for Qubes 3.2), it's still at
> 1.8.2.
>

Would it be as simple as "qubes-dom0-update tboot" or more complicated?

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXS9liAAoJENtN07w5UDAwRMAP/jGyagzAhW0D788SYlw0CwZA
Y71nqq1thrbYCDmKgDzUcmuo01H1C8TVaOH5DqKR8hwGWPlXFy+nZgklKKk6Tj4r
2WOxj+utqPxRx10KaHGbSM1o/56uiX9WVHXbnSwEGWK9nwAfcYIiTJWnhSh+3c66
qtzhthuNYnMsV1td8i8w3qDuYv1G09tkNc9rXbzsp+QITwACZsjqfh0Z3L8MNza8
BOaRpkkjtZZJGfXudztROZG7z/5MYAMSu9aL/ZaVu2Yp27vgP/CTC/9/+P/PX2IO
yxZp0FEhR9f3kCeClLRUm3bCdYKFgvNxzcSu7ANAMTr+knj7GnpVwffaP2/Z6cjm
QG3m+6+dySLs/zQVJxcOu2w9crt1XSUeZAJPaHwX9KYeGJtFwABblJhQj+PrT86S
a88YU+LhcUbLTrJaIN4wRLziUB4x9ZG+kj6xghAj+uh3U9JHfGsLG53wPeMQZKys
HF5U4yzh7KoGvCQjEG2jCR/I2dzuBjAADgPpJczjtwmTNTMzFDbONE0upGWRkAWy
kpOahCWAJ4DEDdE7d5kIE5GqPjfrdjKVePYIsQXzC3EM4jOJ9SuA6aQzUnXjdSej
uiv2F+WSgIbTlrp8x+ivdaepacOp11QHhqnn9sm5WCEY8Eil0JLn1p5MzlF8CD55
Clg6T9vCnq1MJc0FmtTI
=l84H
-----END PGP SIGNATURE-----

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sun, May 29, 2016 at 11:10:45PM -0700, Andrew David Wong wrote:
> On 2016-05-29 16:34, Marek Marczykowski-Górecki wrote:
> > On Fri, May 27, 2016 at 03:27:50AM -0700, Andrew David Wong wrote:
> >> On 2016-05-19 02:34, Frank Schäckermann wrote:
> >>> There should be a bootable BIOS-Updater-Image that can be
> >>> burned to a CD and booted on the TP to get the BIOS updated. At
> >>> least there was one for my Lenovo W530 a couple of weeks ago.
> >>> Practically hassle free - not counting getting the CD burned on
> >>> Qubes OS. ;-) But than again... the T450 mileage may vary...
> >
> >> Thanks, Frank. Unfortunately, even after successfully updating
> >> the BIOS to the latest version, AEM is still not working (fails
> >> the same way as before). I really thought updating the BIOS would
> >> fix it, since there's a TPM-related fix in the BIOS patch notes.
> >
> >> Marek, I noticed that the version of tboot being used is somewhat
> >> old (July 2014). Would upgrading tboot itself break compatibility
> >> with AEM? If so, are there any plans to upgrade AEM to be
> >> compatible with a newer version of tboot?
> >
> > I think newer tboot shouldn't break anything. The only reason for
> > this particular version (1.8.2) is a package in Fedora. And I see
> > even in Fedora 23 (planned as dom0 for Qubes 3.2), it's still at
> > 1.8.2.
> >
>
> Would it be as simple as "qubes-dom0-update tboot" or more complicated?

It will not help, as there is no newer package for Fedora (even for
upcoming Fedora 24).

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXS+4hAAoJENuP0xzK19csKq8H/jIR89UyQJROJCC2reHpkz4x
Tv3AToMpocU+6H7ryDKksHG00YjZvWBLh3WE3QF5veX4QOr+7ZUy4GsUqHHrMWX7
knjMmUXwqIy4aWDDfkqOnd0Stiy71xPfFK00/R3Of9eLkQVFQc83DonvWZgRpDSC
ah8SvQaigqA4KSGa5716xWZkorXgqI1iOndlulPgWcrEWiEK0EtWfdBzS/EwFmwt
Ef4K2cbLTsm9cH4QbR6FbX1ahvTNEIRcn6aJiMc18YlDCG7Zfroaa7rNVlqDG1hp
wmSAgAkzyaOs0KiQjd0/X2gS7NoNJBibKKsPOSSKWOv/wAtg/3HSUUfR9VBHqnM=
=0+vK
-----END PGP SIGNATURE-----

[Todd Lasman]

Andrew, did you ever get this resolved? I seem to have this exact same
problem, but only after installing Qubes 3.2 (worked fine with 3.1) on
my Thinkpad T430.

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-06-22 21:58, Todd Lasman wrote:
> On 05/16/2016 11:44 PM, Andrew David Wong wrote:
>> I'm attempting to install Anti Evil Maid on a Lenovo T450s
>> (Broadwell, Wildcat Point-LP).
>>

>> [...]

>
>
> Andrew, did you ever get this resolved?

I'm afraid not. I gave up on it after my last message in this thread.

> I seem to have this exact same problem, but only after installing
> Qubes 3.2 (worked fine with 3.1) on my Thinkpad T430.

Very interesting. Perhaps my suspicion about the AEM installer having
recently changed was right after all?

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXa4fYAAoJENtN07w5UDAwv8YP/3yfU0aO/fzLhsCJnMmh+9eh
nTdgrnGvAOv57jZkzaHmqiDHpxm77j03chqzV+BMdwPUfY4SkP5StGTbp/yTTYeq
OSr3n3qNBvhAziUygYVVusDFgQ252CZGzAPECeKQXCS1JHhkZJ9j/o5oHdqRo9h1
jHTytZDVuO+UlQzsQXYGySTwlmrkyNl5aZ+gXxjMa0kHdaJuO+ENeMSlJxeopEI3
M7BPxjlGTKKzFO4sTjLbjhuWu5KWGUKX7gKfA+R+AhBF7Oorvo0e3F6Q+CclMo2v
VPfdprIXGhDf0dq5Mg4b19UDVDs1sGaGKyFDTc9CljyN9TjxA0FgMOjrgnGhZ4j7
TJfptym0YXC1QYJWZj2tAsWbFktiofdyPYG/QGb/htW4RF2LD9R6SYffXhbhG+yn
7b4OtqAOis41g38KjRh+ffdGoG69jOX/oxgSqhzLc/zouPhk6xJARkqDu9IChrVe
ciaN4BEf4uR4L3ckCwKrX8QqyokqSUFWTzepJaLVvzNWt9jnvqp0Tco0opm7mp8+
jk+j/Ak48wxLl4W5HP4regrovGUtuowv9ZREGxbetfImRQn0eW6FHaKFXIvSeHOQ
NuIC0/lzSMcthsOq3yNfw1K+4qV+g5VJ6VvBb86z5ZBSPTN0BgB7X1bzOVmqBG02
N+hNBfmrt1aqH3hsTed0
=j733
-----END PGP SIGNATURE-----

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-06-23 03:49, Rusty Bird wrote:
> Hi Andrew,

>
>> On 2016-06-22 21:58, Todd Lasman wrote:

>>> On 05/16/2016 11:44 PM, Andrew David Wong wrote: I seem to

>>> have this exact same problem, but only after installing Qubes
>>> 3.2 (worked fine with 3.1) on my Thinkpad T430.
>
>> Very interesting. Perhaps my suspicion about the AEM installer
>> having recently changed was right after all?
>

> IIRC and going by the dates on the pages below, the installer and
> all other code changes were before R3.1 (only the README has
> changed since):
>
> [...]
>
> Rusty
>

Ah, perhaps not then. It remains a mystery!

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXa7+SAAoJENtN07w5UDAwuXkP/R1aLX1n7xm50huX93/YxSnE
vrR1RiLytNMUSEBF8jz/8F0TSivVK/40qm6LBEF42UpLQUnjx7NDX+zCmeToLxBE
WacBzx5osT7vCS3QCdd3Z8RO2pVKQ2Fn4w56ucSXJtV8v6nn29mPdTVwtXpH+HxI
rC/QvmN/ZvH3+5rwXcH5qE+mSn3+OKKVLXW0LdmOfqw2aa208Rk/VJ2FnpYGlIyq
RNeE9JpQOiEsvxt2g9S+pACzeC5deN/xn7myhLKjGtMKEhsIwr5IrAIzOwv7Ir/o
nrB3jOiP8k3Hai/Zn3tPYZrg7/MycIY06KPK0Qr2KnSYLF/Tq4bhMupopprluIDK
L2NQ5L7bEFtUQUEFnO0xrOev8JTQrVsxllBBtxyedcyQGFxPDz8+YnKezW4MUKlQ
pmcJgsPw+3Zf7Dqrw7SJKdOjbg602tz53g1GnknDIkPkHEKCVz5Udn+6kVDV0ZRk
El7RXjaa70I1CFO8F3QwGBcTn9PWbUrgPl2nwbOmPUGsoI/crsea2KR5GQHdHmw/
5xV9yIcRp81l/T9GG2eswuFOEZcPdFo11HVkXZhHLgO5vavAEhlTuqXArA4iV0wx
S33T9RDYnaf5+aLIIs3Itf3QY3lYthIABZnPFb+acx+Gm9n0Vnpbt3Ptfxq4usIb
CepoRxYGUqaQE4tMfE9r
=4PlM
-----END PGP SIGNATURE-----

[Chris Laprise]

On 06/23/2016 06:53 AM, Andrew David Wong wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 2016-06-23 03:49, Rusty Bird wrote:
>> Hi Andrew,
>>
>>> On 2016-06-22 21:58, Todd Lasman wrote:
>>>> On 05/16/2016 11:44 PM, Andrew David Wong wrote: I seem to
>>>> have this exact same problem, but only after installing Qubes
>>>> 3.2 (worked fine with 3.1) on my Thinkpad T430.
>>> Very interesting. Perhaps my suspicion about the AEM installer
>>> having recently changed was right after all?
>> IIRC and going by the dates on the pages below, the installer and
>> all other code changes were before R3.1 (only the README has
>> changed since):
>>
>> [...]
>>
>> Rusty
>>
> Ah, perhaps not then. It remains a mystery!
>

If it changed after initial 3.0 release (esp. later on, near the 3.1
release date) then that would actually make sense.

Chris

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-06-23 06:20, Rusty Bird wrote:
> Hi Chris & everyone,

>
>> On 06/23/2016 06:53 AM, Andrew David Wong wrote:
>
>>> On 2016-06-23 03:49, Rusty Bird wrote:
>>>> Hi Andrew,
>>>>
>>>>> On 2016-06-22 21:58, Todd Lasman wrote:
>>>>>> On 05/16/2016 11:44 PM, Andrew David Wong wrote: I seem
>>>>>> to have this exact same problem, but only after
>>>>>> installing Qubes 3.2 (worked fine with 3.1) on my
>>>>>> Thinkpad T430.
>>>>> Very interesting. Perhaps my suspicion about the AEM
>>>>> installer having recently changed was right after all?
>>>> IIRC and going by the dates on the pages below, the
>>>> installer and all other code changes were before R3.1 (only
>>>> the README has changed since):
>

>>> Ah, perhaps not then. It remains a mystery!
>>>
>> If it changed after initial 3.0 release (esp. later on, near the
>> 3.1 release date) then that would actually make sense.
>

> There is something the people for whom AEM fails on UEFI could
> try:
>
> [...]

Not sure if this is directed at me, but I was/am not on UEFI. (If you
were already aware of this and were talking to other people, my
apologies.)

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXa+NFAAoJENtN07w5UDAw5q8P/16kAWjSnG/OYaGRRgX6V91m
6EKiypRoxHPGZrRf4QGDiSGzaZDOQzwCfWXQer24SB6AKwDpumW5vm3q7OgcAqCd
3qi0scV0KgUnFrqs8pxgJ7Ojs6kl6vAv1ugYo5pR6/Q3L8gEcra2j/9Dj7FV6kqo
f8X9gmgd7wVB2J6KMJ5HxLterBcx/uN4aG8WR2Oit2sDvJOoqvQQlv+h5zbm7EGo
6P1A5mOidIrOBhBuTQ+8ZqaU8INJa8VuYMwGuGpCJVAQgPKNF3ZqpKCgDce7N5hI
c3AkJMnsxb/VHyAV4c43gjAOcr9WqhbRpa4zH8oiPAhBp8LxmFBAibMuBREVa5cp
li4WGDrplS5mzIDrTPCiaCLzdyRPvfX6J+ZG2wEco82YVpAJWxWh6ennZiV2DDEy
V3YZJHO4ukZCQsPGpWPgucr+M39R0rYS1qr83WUA5oYii9VRU2y+HzMtmpMSs0dG
rvL8Vnu6pSqHrtvkZcLCZLEVSyh3xUYArYzfLXlgZeXoCKkGy3Xf15p4oqb1HheT
QqpnRj7b9P9WGJo91p6d/xhi2erNm/vyDdWmgqnA3qRcALz+67OaRH7/5QvePTVY
RD/1JIKj/3eQ4vRLP5seRsDWLoGMh0kQij9UCbmUzyC4kwUq4JpC0qpdOujqd0fy
m//6FjSVH/XIugK1V1cA
=cwuz
-----END PGP SIGNATURE-----

[Rusty Bird]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Chris & everyone,

> On 06/23/2016 06:53 AM, Andrew David Wong wrote:

>> On 2016-06-23 03:49, Rusty Bird wrote:
>>> Hi Andrew,
>>>
>>>> On 2016-06-22 21:58, Todd Lasman wrote:
>>>>> On 05/16/2016 11:44 PM, Andrew David Wong wrote: I seem to
>>>>> have this exact same problem, but only after installing
>>>>> Qubes 3.2 (worked fine with 3.1) on my Thinkpad T430.
>>>> Very interesting. Perhaps my suspicion about the AEM
>>>> installer having recently changed was right after all?
>>> IIRC and going by the dates on the pages below, the installer
>>> and all other code changes were before R3.1 (only the README
>>> has changed since):

>> Ah, perhaps not then. It remains a mystery!
>>
> If it changed after initial 3.0 release (esp. later on, near the
> 3.1 release date) then that would actually make sense.

There is something the people for whom AEM fails on UEFI could try:

AEM uses a forked version of grub2's 20_linux_xen as
/etc/grub.d/19_linux_xen_tboot. In commit c43309[1], I rebased this
against the then current (on Fedora) version, which added the
following options for non-BIOS platforms: no-real-mode edd=off

But tboot's 20_linux_xen_tboot [2], a different fork of 20_linux_xen,
never followed grub2 upstream in adding these options. Maybe they
should not be used if Xen is loaded by tboot?

So, try removing "no-real-mode edd=off" (but not the whole line, I
don't know if empty else blocks are allowed here) in
19_linux_xen_tboot and running anti-evil-maid-install again. I'd be
very interested to hear if it helps.

Rusty


1.
https://github.com/QubesOS/qubes-antievilmaid/commit/c43309d0a0b90368b5b2600c886b9deee55e0522

2.
https://sourceforge.net/p/tboot/code/ci/default/tree/tboot/20_linux_xen_tboot
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJXa+IGXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfWR4P/3siCVvTWN3JJHZfeCyjhWpc
lI8P8nNuSP6a4u1bPzu18s8jRaX25AXHID27RnwuOXKXHlSJkH4pB6FphmorqSFS
EhtaIKz+QaEB8ecRxlZeS6KREKGyQbIbaJW5KAOzb2HEeZ6AP4qTBrIHuXOIhYaB
H6qLOvrIMtngJNtKsdBD6xIsx/AuCbn/5jqA807Fw4IikWLts+53CxJ31WK8Er2D
cHD3OD+AyurM2We9Cbc7FNG4H8kIM1+qAGGSqFNAXJP8O9vOIyeGCAN3fo3Ctbj8
ueAqNrRjO00y1Cd/oist8VSf0uNnYKc8Q3sfnnHI6Fm1cn+h+2DBL6UctEPq6JJ7
NpiBP8mBWmkgTWoMOjWkVCjQXJU9GnTFQGLQRUl35nM+pdu9+it9gxbhWeqBh+ME
r1bbNHBK2k9FUPPxE7qiQA1xTuiTeFfOxLTeD2uVoABROYHAlxkh656AXL2qvKOG
lmy0kqFsAsQ81PXfRN6VETjGVaHQBcQLh3nunSS2CeNE88YcwNt4WH6X6mh3453B
NNjnX3p0aHv0uHI9IWp10Tqap/ed8/2F+WStH7on9gFtBgNvPoou7iqP9jjsd0cU
BLvFvffDpqgka50iEH4KUIUHNHWBBkabhpTrUL0t+OlVXGOBPrMuU5sQHIN1+HVw
RNzvu+DKYq/dJMs5w98a
=+Liu
-----END PGP SIGNATURE-----

[Rusty Bird]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Andrew,

> On 2016-06-22 21:58, Todd Lasman wrote:

>> On 05/16/2016 11:44 PM, Andrew David Wong wrote: I seem to have

>> this exact same problem, but only after installing Qubes 3.2
>> (worked fine with 3.1) on my Thinkpad T430.
>
> Very interesting. Perhaps my suspicion about the AEM installer
> having recently changed was right after all?

IIRC and going by the dates on the pages below, the installer and all
other code changes were before R3.1 (only the README has changed since):

https://www.qubes-os.org/doc/releases/3.1/schedule/
https://www.qubes-os.org/news/2016/03/09/qubes-os-3-1-has-been-released/
https://github.com/QubesOS/qubes-antievilmaid/commits/master
https://github.com/QubesOS/qubes-antievilmaid/commits/master/anti-evil-maid/sbin/anti-evil-maid-install

Rusty
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJXa77KXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfoHMQAINdc3jjtOepRQeist3RVXzd
xyMLsbQ6kQtG/mnKAt/ddSI/TDEwQNXG/LQKtVVYDZesU9tDRzX4kKo2ou7DieuK
0/jW9HxrWQuWLH9RzGbIgff5HHQAr2LJx837mwuxqoTmCxmkI+70dXGdJ74ns33t
Cz3ElYqE63xkxnCtf+V5l8pN+fQUXkhxXEVWlh0W+nwCjE7igP1+Eljl4FFWcbdF
fnWlv9fbWcoSHTxexkuzQ1HLzVh3YLD4tecUe5JrmuAP0pwUjEephGacadm4yhh1
cXDdIy2XvLijsmrOhFgLmHsnKY7w4DEWFXLQADZm6vHNpG3dkhhdL4bVF/TxCxNg
lThp5AUJiDTSoXtV3pe1tYw52TrUabbL4rzOseQzfI0fp9qOu90enLnFG6d6usyj
zbuwQer56dZiOoSn8BNY4fBquFjaQnQ4utqY4GIGqm/hssLLPgNGFPD/4zQbqJJW
j1MJyQYwd9vPQLQOnpOSxxRv9Vm+7YpA8/JOuefrpEIIVPGJcZDpU7zqDeeOOkFn
qGPEnKDmKBqRaKYaAdYFpDu6G6WPMRE1+A3VDhBIWnBkXs3ZwIG9Mgnz5wriuPxM
dkObLIi5Rb6CbDTNdLazmppF6xwNMDg12iWb2a5puUzE4ccMEARcbmW9S0BMHCeA
L88bxut/i51024RDjRTE
=210N
-----END PGP SIGNATURE-----

[Rusty Bird]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

> On 2016-06-23 06:20, Rusty Bird wrote:
>> There is something the people for whom AEM fails on UEFI could
>> try:
>
>> [...]
>
> Not sure if this is directed at me, but I was/am not on UEFI. (If
> you were already aware of this and were talking to other people,
> my apologies.)

No problem, I just understood your original post to mean that you
tried both BIOS and UEFI booting because your ThinkPad can do either?
If so, there might be a tiny chance that it's worth retrying UEFI with
the options removed.

Rusty
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJXbAewXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfPw0P/2CSFQ85OrlpnlJHvnkesTI/
oDPUYa12EEVNm0bQiL4VLciH5ob3uQc+5ykKX8lYd0foOzQatnxwtXUGQQgMF6eO
2lJqpgyaa8x8ewEyOb7Kr/iDqwoU5jbNvFA5v9Uhlei1W2hOISStrl4ZjON+C95H
2ZYoSnAyjdseZK0O6iXKWDLdsMTTm/oNU1CIbpZsxvKX1tmvVnSTPmcpDI+MwPht
pIrAgw4wZqOl6V+g3OKsnIV5wevedmK9/EWxPzIgElf/6dr2e9FN9ysiohhmSxdx
HgmBbbMCd1OfQGCIJh+1FPw4XjZ1fJjis3zq6rfr74j+ilRMjKcxP4gBtu8lDwyT
dWv4UKL9utPmlIimEpemYqR+BPl5dchRplO/JUNtoQyHVfaq9H/KgHqYQ7HgPlSf
c+PaDft2fgRIkaNsaQ+FkVvIca4STfM1O9Kjl3t5lVMqk8jnFwIIypF1Y4J/i3x6
jvUaDV3fpVl1XGf1AxLqIBEXFN6J0/o9zHtp0+E6wZQE/ETlrbPyxgoGdPFKgUZR
CF7S4JCdkM+P0miQzfvd03piK0XV7NoxmT7A32Ds+MuHUBIm76IV2nlELA77zbVH
fzPIiT/5ysG1U9C+ExdUzaz9Ey12Y6ESldTYSq2jbFGVi5v86VCW2HVmdhV0o52p
/LCthjRRPbi7i51pFNDb
=2J9L
-----END PGP SIGNATURE-----

[Chris Laprise]

AEM is now causing reboots for me as well, after installing it under
R3.2rc1.

Has there been any progress on this? I don't see any signed sources of
the newer tboot versions, so I'm reluctant to try them.

Chris

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Try setting `pci_e820_host` property to false on sys-net and sys-usb.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXekfwAAoJENuP0xzK19csDzEH/j64FaOHAd4jmCJ2/kE44fdL
GQzEKEr5pfqQwI3TOgcTUN2XK1/qjcyDa1uH8SGfRWAGcwa3WigvaAeuLZYIbQEb
uuWOMKOBO/f/soHDd/7rVNkOs4tOuoNm7NX0pCi6dZu1m+3HiR++la2iePBNRgKk
K5QjcmH9b0SskEtIcOW+cUPQeaQxtIWkgp2gy3ueZsfniHq58M6Oa8l3zRB32G17
sXgjKQ3sMzlrTtQajj+hJxvdc+WZqmyQrZz9sWzg5Nnmz8Qb2C4fj1vkeoTEvU6l
I6Wjiqk/Jdfb0xWoLeAausL7OF1AdRUQ7l44btswFhc87kzgJkOlRS9CUFnKh3Y=
=Ctd4
-----END PGP SIGNATURE-----

[Chris Laprise]

On 07/04/2016 07:26 AM, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>

> On Sun, Jul 03, 2016 at 09:20:47PM -0400, Chris Laprise wrote:
>>
>> AEM is now causing reboots for me as well, after installing it under
>> R3.2rc1.
>>
>> Has there been any progress on this? I don't see any signed sources of the
>> newer tboot versions, so I'm reluctant to try them.
> Try setting `pci_e820_host` property to false on sys-net and sys-usb.
>
> - --

I tried it anyway (without success), but the reset is occurring well
before the decryption prompt. It happens just after the 'Loading...'
grub screen vanishes and there is a cursor at the top of a black screen
(before plymouth GUI screen would appear).

I still have a boot image with a working AEM. If I could use it to help
eliminate some possible causes, like the new kernel version for instance...

Chris

[Chris Laprise]

If I replace the kernel with 4.1 from R3.1, it can make it to the AEM
target and the decrypt prompt. It chokes just after decrypting the
volumes, but that's to be expected. The 4.4 kernel appears to introduce
some factor that causes the crash.

Swapping xen 4.6.1 with 4.6.0 has no visible effect either way.

Chris

[Chris Laprise]

Is there an issue open for this yet?

Chris

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, Jul 05, 2016 at 11:03:10AM -0400, Chris Laprise wrote:
> Is there an issue open for this yet?

I don't see any.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXe/lNAAoJENuP0xzK19csty0H/jnIRi0v3TsLQ6v9YLSOhb2G
7fYDnIFtdc/4aTzJ8dufGkfAtT4AX0NOx4rSngUdp2adxJA9W6hrT2twrcRfkPBk
RFNrhJRiZxwScvdz0S75BW7Mr4V1JdSN8yrZ+GZ2zIhPqzoAWZY/ORxEeglQ11nv
kT3WYlKmfeGh9MiLW75+GDdwXva31FV6UWV558hOX2vMDV5XKB8i0YIDBffcTc62
7EWf0wkK5bXcaZFtpp3eNZRCwVsocqmGkCvu2PyLaPBCpEU2uYrxydlF8ORUnfXZ
X4tOC9YWLKrGtT2OG3TNueGiutOnJ+eV20p26zy4dqIOND0HW9Brn67LcpHfHeg=
=8HHF
-----END PGP SIGNATURE-----

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, Jul 04, 2016 at 10:26:51AM -0400, Chris Laprise wrote:
> If I replace the kernel with 4.1 from R3.1, it can make it to the AEM target
> and the decrypt prompt. It chokes just after decrypting the volumes, but
> that's to be expected. The 4.4 kernel appears to introduce some factor that
> causes the crash.

Interesting, have you tried 4.2 kernel from R3.1 unstable repository?
Do you have any means of collecting kernel/xen messages? I guess you've
already disabled "quiet" kernel option and also removed "console=none"
from xen cmdline.
If this doesn't help, try adding "noreboot" and "sync_console" to xen cmdline.

If you have serial console (on docking station?) if would be easier to
reliably get log messages.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXe/qTAAoJENuP0xzK19csNjEIAJlshr1jl/6yHL4hmLbJDxkq
fyA92UjOnMGpt2SHHKQABcEqvqpb0mbXJRCXwNEhVGFjljkYSul4Sr2CDenWdNZC
XRCr0AcxLCy8IYnv6WJAWtTbMKaE1FJozfNW7GdlnhlqdipO/SbFLYIMP6nsTDsk
ADFviMQ7qin6+nHsQYfbfFnmE0gcpX9fTOZrQMo702K77wYyT9VLIIXNiJxveCUz
G31e1IBEnCFx5GFOVdmsAacZDqTip+/UikRTFMEP+qiNrq/9ryJdZBWSHRztJySY
jgBUjlV8MyfvT1rrY01XhA6zRrHH/dJj7uk5gHW783HmlMzlOfW+s/dWdBv+Qw4=
=3sc0
-----END PGP SIGNATURE-----

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-07-05 08:03, Chris Laprise wrote:
> Is there an issue open for this yet?
>
> Chris
>

I didn't want to open one if I was the only one experiencing the
problem, but since it appears to be affecting others now, I've opened
an issue for it here:

https://github.com/QubesOS/qubes-issues/issues/2155

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXfDYHAAoJENtN07w5UDAwIUkP/2H+yYOQGxGw9X6hJvG5MjsZ
FIZfmRHNC5nWR9sVxvDLOdvr8yyYDAJOW2vHBHGhegY1Td1qtbc+mdqb49wVUCII
aMVHfbFRhUakNNQyVTXGNn5SsK48razcrktoPdPIsc4my4ZWtVOeKUNqq7VpzDzq
LdSIwQMG4GwVD+NxZd+7webkGPoNnX3lydZWmPWEQ70QbE8LljYd1Gs6XUrscLIh
d/Upc5d/EbMXRAbBu4RX89Nseujz/qFVpuXmddEbTeI3y9lrmQ2tXu/KuOpVOJTZ
68Pg9cogwtbggptQkzBoc/rjl8sKlB5e7MSFm3qQoUdS/3PJQEoV8owxb4ghdSDa
Nu18Yt4XI67zZaaW5cwtOD2I58f2kipUCEny7bWrlQHEzqdqIospI28fswYuwGM5
3TDEZgkLhuVlXQ2IQxONWY8tbB2B2slTVZ1gIZK7iuOFQ8o2UfGIOxSME2QS4CBz
xVrPHSkwlHwKVOtdv958pBXnuzSACpq+0w4bhizswf6kpYmzjnJW8ueJMAHpFpaC
wACj4ieyzdfpKjXI9o/a+Dxi/xxCc0duFgKaf3mod24DYnlV0OSYNHvUVFo3/xtp
ENBwkZ5MxPwLMCQPgYoc9o8Rc+xMvLRQQleJBkYRt0uol9sDcTq1ifFCPO8DjdSh
hKzqOjcBlYuumeb6TSyh
=EBfq
-----END PGP SIGNATURE-----

[Chris Laprise]

On 07/05/2016 02:21 PM, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Mon, Jul 04, 2016 at 10:26:51AM -0400, Chris Laprise wrote:
>> If I replace the kernel with 4.1 from R3.1, it can make it to the AEM target
>> and the decrypt prompt. It chokes just after decrypting the volumes, but
>> that's to be expected. The 4.4 kernel appears to introduce some factor that
>> causes the crash.
> Interesting, have you tried 4.2 kernel from R3.1 unstable repository?
> Do you have any means of collecting kernel/xen messages? I guess you've
> already disabled "quiet" kernel option and also removed "console=none"
> from xen cmdline.
> If this doesn't help, try adding "noreboot" and "sync_console" to xen cmdline.
>
> If you have serial console (on docking station?) if would be easier to
> reliably get log messages.
>
> - --

I just tried the 4.2 kernel on the stick created by AEM under R3.2rc1;
It seems to work as well as 4.1.

I'll try 4.4 again removing those boot options.

Unfortunately, the only docking station here is the kind lacking serial
ports.

Chris

[Chris Laprise]

A bit more info:

Removing rd.antievilmaid from 4.4.12 options doesn't help; it still
restarts. I also tried 4.4.14 in the unstable repo but that did not help.

It appears to be an incompatibility between kernel version 4.4 and tboot.

Chris

[Chris Laprise]

I am able to get 4.4.* to boot now! The trick was to add
'min_ram=0x2000000' to the tboot options like I used to do--the AEM
README describes how.

But now I cannot get AEM to seal the secret. Nothing at all about AEM is
displayed during startup, even though rd.antievilmaid is on the kernel
options line.

Chris

[Chris Laprise]

For the record, AEM is now working on my system. The other thing that
was required was to update the anti-evil-maid package to version 3.0.3.

Chris

[fredlet...@gmail.com]

Hi Chris,

can you confirm that AEM is working now on this preceise laptop :
LENOVO T450s (20BWS01D00)

If yes, please describe what is required to be modified/setup to make it work.

And if confirmed, can someone update the line on the HCL page ?
https://www.qubes-os.org/hcl/

Regards
--
Fred

[alexey....@gmail.com]

Hi All,

I am experiencing the same problem with AEM v3.0.4 and TBOOT v1.8.2 on Thinkpad X1 Carbon 4th Gen (20FCS5CY00) where it reboots precisely after executing GETSEC[SENTER]. "min_ram" option does not help.

My setup:
* UEFI BIOS in LegacyBoot mode with SecureBoot disabled
* Discrete TPM 1.2 and Intel TXT enabled with "Physical presence" feature disabled
* Fresh Qubes3.2 installed on 1TB SSD (NVME device) with /boot on MBR partition of a 128G USB flash drive.
* Xen 4.6.1 with kernel 4.4.14
* SINIT matches the platform as per the TBOOT log output

Anybody had any success or ideas how to make it work?

--
Alex

[Chris Laprise]

Going by the comments in issue #2155, at least one person did get it to
boot by upgrading tboot to version 1.9.4. I also upgraded tboot, but had
already got it booting with the min_ram parameter... at this stage I
don't know if the newer tboot is the factor that allows my system to
boot with AEM.

An additional issue which I'm still experiencing with AEM is sleep/wake
not working.

My other versions are Xen 4.6.5 and Linux 4.9.28-16 (from qubes*testing).

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

[alexey....@gmail.com]

Just want to confirm that the solution suggested in [issue #2155][1] solved my problem with TBOOT. Basically, when you substitute default TBOOT 1.8.2 from QubesOS repo with TBOOT 1.9.4 from [Ubuntu][2] my laptop boots and able to seal/unseal secrets.

It would be great if TBOOT 1.9.4 is included in QubesOS repo (testing?) as I was unable to verify .deb sig of ubuntu package (not sure if there is any included in .deb).

Also confirming suspend/sleep issues describe by Chris...

[1]: https://github.com/QubesOS/qubes-issues/issues/2155
[2]: https://launchpad.net/ubuntu/yakkety/amd64/tboot/1.9.4-0ubuntu1

On Wednesday, June 7, 2017 at 10:48:38 PM UTC-4, Chris Laprise wrote:

[cyrinux]

Nice news,

Alexey could you please explain how you install 1.9.4 version please?
Maybe you have extract deb content with dpkg -x and copy/replace with the content?

Regards

[Chris Laprise]

On 06/12/2017 05:06 PM, cyrinux wrote:
> Nice news,
>
> Alexey could you please explain how you install 1.9.4 version please?
> Maybe you have extract deb content with dpkg -x and copy/replace with the content?
>
> Regards

You could do that and replace the tboot.gz and tboot-syms files on the
/boot partition.

To get a verified copy, its probably easier to download the current
version (1.9.5) from here:
https://sourceforge.net/projects/tboot/files/?source=navbar

...then do normal GPG verification, and use 'make' to compile it and
replace the two files mentioned above.

[LEVIS Cyril]

So :(
I updated tboot in 1.9.5, and same problem.
Try to update to last 1.28 bios, same thing.
So Sad

[Chris Laprise]

On 06/13/2017 04:39 PM, LEVIS Cyril wrote:
> So :(
> I updated tboot in 1.9.5, and same problem.
> Try to update to last 1.28 bios, same thing.
> So Sad
>

Did you also specify the parameter min_ram=0x2000000 ?

[LEVIS Cyril]

Yes, I did. And same problem :(