3 Oct 2024 |
emily | it's sure better than all the TPM-spec stuff you can buy | 18:17:45 |
ElvishJerricco | that's fair | 18:17:57 |
raitobezarius | In reply to @elvishjerricco:matrix.org ("yes but NixOS doesn't implement that right now because systemd wants you to be booting UKIs for their TPM stuff to work"): UKIs are not needed | 22:34:06 |
raitobezarius | I have a Lanzaboote PR for systemd credentials | 22:34:15 |
raitobezarius | It's just stuck alas | 22:34:38 |
ElvishJerricco | raitobezarius: I know it's not needed, but the reason it's not as trivial as it could be is the Condition=measured-uki on all the TPM-related systemd units | 22:35:13 |
ElvishJerricco | though I think Lanzaboote fulfils that condition | 22:35:26 |
raitobezarius | There's a PR that fixes the measurements, which just needs a rebase, yes | 22:36:26 |
raitobezarius | I may have spoons at some point | 22:36:37 |
4 Oct 2024 |
5 Oct 2024 |
ElvishJerricco | Jan Tojnar: Hey, did you have anything worth sharing on the LUKS / GNOME Keyring thing? I know you didn't get very far, but I'm bored and want to take a look into it tonight :P | 01:16:22 |
emily | oh, I never reached out to Arch about that… :( | 01:16:43 |
ElvishJerricco | ok, so the pam_gdm auth module gets the key out of the keyring and sets the authtok. Then pam_gnome_keyring reads that and forks off the daemon, which switches to your user, and the authtok is piped into the child from the parent. Or, if the daemon was already running, it just sends the authtok over the control socket. | 03:16:40 |
ElvishJerricco | so there is definitely at least a moment where the password is being piped to a process owned by your user | 03:16:56 |
emily | did you find jtojnar's WIP NixOS test thing? | 03:17:00 |
emily | https://gist.github.com/jtojnar/d1c98d5d803cee3998f68e2e1761c8f8 | 03:17:25 |
ElvishJerricco | I didn't. Figured I'd rather get familiar with how it works before testing anything out | 03:17:28 |
emily | (doesn't work, but maybe it's useful to you) | 03:17:31 |
ElvishJerricco | thanks | 03:17:53 |
emily | relevant comment about timing / multiple sessions https://matrix.to/#/!NBBFPbiuttRgTqbrcY:nixos.org/$-nf3vPAiCozFLiNCXkzyvCjEZ9W57MT7dOBOLu9ee_U?via=nixos.org&via=matrix.org&via=nixos.dev | 03:18:05 |
emily | and pointer to earlier discussion from there | 03:18:10 |
ElvishJerricco | yeah, so my guess is that there is some vulnerability here that's probably quite difficult to take advantage of | 03:18:26 |
ElvishJerricco | part of it depends on when exactly pam_sm_open_session happens. | 03:21:29 |
ElvishJerricco | But I think you can make that not matter by having a non-GDM session open before gdm-autologin happens | 03:27:53 |
ElvishJerricco | which is probably plausible with systemd user lingering | 03:28:04 |
ElvishJerricco | oh that was easier than I thought | 03:55:46 |
ElvishJerricco | emily: you around? | 03:55:49 |
6 Oct 2024 |
emily | https://github.com/NixOS/nixpkgs/pull/346797 could probably use more opinions/discussion (for once I lean slightly against) | 12:47:22 |