Anti Evil Maid relies on GRUB for functioning, which is not verified in any way by default.
If I understand correctly, by replacing GRUB with malicious code, it would be trivial to provide the TPM with valid measurements while not actually loading measured code, opening the possibility for revealing TPM secrets or tricking the user into thinking that the code that is running is trusted.
Is this specific case not part of the threat model that Anti Evil Maid is supposed to defend against? Or am I just missing something?
You are missing how Intel TXT works. GRUB loads tboot, which starts the Intel TXT measured environment - at this point, it’s a fresh isolated environment, and its measurement is sent to the TPM by the CPU itself (or more specifically, by an Intel-signed Authenticated Code Module, ACM for short).
While GRUB (or anything else before that stage) can load something else, it cannot fake measurements sent to the TPM.
A few more details can be found in Intel® Trusted Execution Technology (TXT).
My understanding was that the measurements do not necessarily have to be made by the ACM, meaning that malicious code itself could make measurements of trusted code, while actually loading untrusted code, without ever running tboot or the ACM. Am I just plain wrong?
Yes. I think you confuse SRTM with DRTM. With the latter, the initial measurement after dynamic launch is performed by the ACM, regardless of what happened before, into specific PCRs reserved for this purpose (they cannot be used without DRTM). In this scenario, the chain of trust starts from there, and we have the usual chain of measurements (the ACM measures tboot, then tboot measures Xen etc. before starting it).
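
The DRTM property described in the answers above, as an added Python sketch that is not part of the original posts: a toy TPM in which one PCR stands in for the DRTM-reserved PCRs, showing that software running before the dynamic launch cannot reach the value that secrets are sealed to. The locality numbers, the SHA-1 bank, the image byte strings and all class and function names are assumptions of this simplified model, not tboot or TPM library code.

```python
import hashlib

LAUNCH_LOCALITY = 4   # assumption: asserted only by the CPU/ACM during dynamic launch
MLE_LOCALITY = 2      # assumption: used by the launched environment (tboot)

class ToyTPM:
    """Simplified model: a single PCR stands in for the DRTM-reserved PCRs."""

    def __init__(self):
        self.pcr = b"\xff" * 20          # model: DRTM PCRs power up as all 0xFF, not zero

    def launch_reset(self, locality):
        if locality != LAUNCH_LOCALITY:
            raise PermissionError("reset refused outside dynamic launch")
        self.pcr = b"\x00" * 20

    def extend(self, locality, data):
        if locality < MLE_LOCALITY:
            raise PermissionError("extend refused for pre-launch software")
        digest = hashlib.sha1(data).digest()
        self.pcr = hashlib.sha1(self.pcr + digest).digest()

def measured_launch(tpm, tboot, xen):
    """Chain from the thread: the ACM measures tboot, tboot measures Xen."""
    tpm.launch_reset(LAUNCH_LOCALITY)     # performed by CPU/ACM, never by GRUB
    tpm.extend(LAUNCH_LOCALITY, tboot)    # ACM hashes the image actually loaded
    tpm.extend(MLE_LOCALITY, xen)         # tboot hashes Xen before starting it
    return tpm.pcr

def replay_before_launch(tpm, tboot, xen):
    """Pre-launch code (locality 0) replaying known-good images; counts refusals."""
    refused = 0
    for action in (lambda: tpm.launch_reset(0),
                   lambda: tpm.extend(0, tboot),
                   lambda: tpm.extend(0, xen)):
        try:
            action()
        except PermissionError:
            refused += 1
    return refused, tpm.pcr

# Constructed sample images; EXPECTED is the value a secret would be sealed to.
GOOD_TBOOT, GOOD_XEN = b"constructed tboot image", b"constructed xen image"
EXPECTED = measured_launch(ToyTPM(), GOOD_TBOOT, GOOD_XEN)

if __name__ == "__main__":
    print("sealed-to value:", EXPECTED.hex())
    print("replay before launch:", replay_before_launch(ToyTPM(), GOOD_TBOOT, GOOD_XEN))
    print("tampered tboot matches:",
          measured_launch(ToyTPM(), b"tampered tboot", GOOD_XEN) == EXPECTED)
```

In the model, the replay leaves the PCR at its power-up value, and a launch of a modified tboot image produces a different PCR value, so unsealing against the expected value fails in both cases.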