!agkXCfUrgbadYlQXRj:kack.it

NixOS + TPMs

171 Members
44 Servers

Load older messages


SenderMessageTime
19 Jul 2021
@grahamc:nixos.org@grahamc:nixos.orgI was watching a talk from mjg59 where he mentioned the code quality of tpm2 and tss2 and that it was ... interesting ... inspiring them to make their own pure Go implementation for https://github.com/google/go-attestation13:20:40
@andi:kack.itandi-But their tool only focues on attestation basically leaving us with an even more clustered situation if you want to use the TPM for more than just verified boots?13:29:44
@andi:kack.itandi-Not to sound too negative: I think it is great that that option exists and looks much nicer than the alternatives.13:31:54
@grahamc:nixos.org@grahamc:nixos.orgoh of course13:34:37
@grahamc:nixos.org@grahamc:nixos.orgthat tool is just a tiny piece of the puzzle13:34:44
@grahamc:nixos.org@grahamc:nixos.orgjust mentioning it to note some confirmation of our sniff test's results13:36:25
@andi:kack.itandi-Weren't we looking for https://github.com/fedora-iot/clevis-pin-tpm2 the other day?14:04:21
29 Jul 2021
@ryantm:matrix.orgryantm joined the room.13:39:51
30 Jul 2021
@andi:kack.itandi-https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network22:14:52
@andi:kack.itandi-So fTPM over hardware?22:15:11
3 Aug 2021
@florian:web3.foundationFlorian | W3F joined the room.12:25:21
6 Aug 2021
@grahamc:nixos.org@grahamc:nixos.orgis the event log plausibly at another location than /sys/class/tpm/tpm0/device ?13:16:52
@grahamc:nixos.org@grahamc:nixos.org * is the event log plausibly at another location than /sys/kernel/security/tpm0/binary_bios_measurements ?13:17:04
8 Aug 2021
@andi:kack.itandi-https://gitlab.gnome.org/GNOME/libsecret/-/merge_requests/90 <315:13:42
@andi:kack.itandi-^ GSoC project using TPM2 as backend for libsecret passwords. Exactly what I wanted to build...15:14:05
11 Aug 2021
@mic92:nixos.devMic92It's weird that dkms does not handle kmod signatures by default: https://gist.github.com/lijikun/22be09ec9b178e745758a29c7a147cc914:16:46
@mic92:nixos.devMic92That look painful to set up14:17:23
@mic92:nixos.devMic92I wonder if NixOS also should sign kernel modules14:22:52
@andi:kack.itandi-I think we used to sign with a random key during compilation but that has been thrown away for reproducibility14:23:25
@andi:kack.itandi-That is for in-tree modules. Not sure about out of tree modules.14:24:29
@mic92:nixos.devMic92I think for out-of-tree modules one could have a build hook14:25:07
@andi:kack.itandi-and the signing key is a (separate) output of the actual kernel build?14:25:30
@mic92:nixos.devMic92Yes. It could be actually a build hook in the kernel. Every out-of-tree kernel module already has this as a depedency14:27:54
@mic92:nixos.devMic92*dependency14:27:57
@grahamc:nixos.org@grahamc:nixos.orgI'd love to see development in that area, it'd be a bit tricky to know you're supposed to have access to the signing key15:44:08
@mic92:nixos.devMic92I just stumbled over this features for the first time when modifying some runc hypervisor.15:48:29
@andi:kack.itandi- we could have a disallowedRequisites = [ kernel.signingKey ]; as very minimal "safety" against having the key world readable on the system (by accident). That is obviously not a silver bullet. Everyone that can build software against the systems nixpkgs checkout could generate properly signed modules and given that it would have to be deterministic you could probably just generate the key "offline" on another box.. 15:52:46
@andi:kack.itandi-What exactly are we gaining again? :D15:52:55
@mic92:nixos.devMic92So would need an activation phase that signs all keys afterwards?16:10:35
13 Aug 2021
@grahamc:nixos.org@grahamc:nixos.orgthe work I'm doing around secureboot support is based on a more involved bootloader "install" step which could support signing modules19:47:39

There are no newer messages yet.


Back to Room ListRoom Version: 6