| 2 Sep 2021 |
vika (she/her) 🏳️⚧️ | I hate it when consumer hardware is locked down compared to enterprise | 11:29:01 |
vika (she/her) 🏳️⚧️ | In reply to @manveru:matrix.org with TPM it'd be much nicer too... but those are VMs :( Wait, can't VMs expose an emulated TPM device that would be as trustworthy as the VM host? | 11:29:36 |
vika (she/her) 🏳️⚧️ | That would be useful if the host is trustworthy (and if not, you're screwed anyway) | 11:29:55 |
manveru | that'd be nice, but i have no control over that part... | 11:30:09 |
vika (she/her) 🏳️⚧️ | Cloud hosting? | 11:30:37 |
manveru | can't really talk about that part ^^; | 11:31:25 |
vika (she/her) 🏳️⚧️ | It's ok, we all have secrets :3
I wish I had a working TPM in my laptop. My UEFI implementation seems so broken that the ACPI stuff breaks the TPM support in Linux | 11:32:00 |
manveru | that sucks :( | 11:32:20 |
manveru | i have TPM, but unfortunately it doesn't have ed25519 support... | 11:32:46 |
vika (she/her) 🏳️⚧️ | I kinda want to lock SSH host keys to TPM and unseal them on Secure Boot authentication, and then unseal secrets on the host keys as the identity of the machine | 11:33:08 |
vika (she/her) 🏳️⚧️ | Sadly Raspberry Pi doesn't have secure boot (but can have a TPM via an external device) | 11:33:42 |
vika (she/her) 🏳️⚧️ | I am sure though that I can seal the TPM to different PCRs representing something different | 11:34:03 |
manveru | yep, that's definitely my ideal setup too, it's just so hardware-dependent that it's hard to generalize... | 11:34:12 |
@grahamc:nixos.org | No tpm has ed25519 support lol | 11:34:25 |
vika (she/her) 🏳️⚧️ | lol | 11:34:37 |
vika (she/her) 🏳️⚧️ | then it leaves an RSA key that would decrypt an ed25519 key | 11:35:04 |
manveru | the yubi hsm can do ed25519 | 11:35:43 |
manveru | but it's bloody expensive | 11:35:50 |
vika (she/her) 🏳️⚧️ | >.< | 11:36:04 |
vika (she/her) 🏳️⚧️ | * >.< | 11:36:15 |
vika (she/her) 🏳️⚧️ | * \ >.< | 11:36:21 |
@grahamc:nixos.org | Yeah but TPMs aren’t very interesting if they’re not connected directly to the CPU over that weird bus. The HSM would be interesting for other reasons though | 11:36:37 |
vika (she/her) 🏳️⚧️ | * \>.< | 11:36:50 |
manveru | yeah, but as you said, RSA usually suffices with some extra steps | 11:37:13 |
vika (she/her) 🏳️⚧️ | TPM is the most interesting when it can't be intercepted | 11:37:27 |
vika (she/her) 🏳️⚧️ | So yeah, direct CPU connection | 11:37:37 |
vika (she/her) 🏳️⚧️ | I guess | 11:37:38 |
@grahamc:nixos.org | More importantly to me, the CPU needs to send it hashes of everything it executes starting from the firmware it uses before it turns on the real internal cores | 11:39:04 |
@grahamc:nixos.org | Needs CPU and firmware cooperation | 11:39:50 |