!agkXCfUrgbadYlQXRj:kack.it

NixOS + TPMs

118 Members
39 Servers

Load older messages


SenderMessageTime
17 Jul 2021
@andi:kack.itandi-Why not? Right now I encrypt my pass database to plenty of GPG keys. One per device and the one on my yubi key 08:02:19
@andi:kack.itandi-IMHO it would just be one more key I encrypt things for08:02:42
@mic92:nixos.devMic92An attack on the password manager would not look much different if an TPM would be involved I would say08:04:45
@mic92:nixos.devMic92Passwords need to be at some point in memory08:05:43
@mic92:nixos.devMic92It's different when you use the yubi key to authenticate remotly against a different system.08:06:15
@mic92:nixos.devMic92Than you never need to have the key in host memory08:06:32
@andi:kack.itandi-My threat is more about local code execution stealing keys08:09:46
@mic92:nixos.devMic92The key for what?08:11:03
@mic92:nixos.devMic92A second use case for TPM would be second factor auth08:15:48
@mic92:nixos.devMic92Also interesting: https://github.com/mtth-bfft/tpm-otp08:18:28
@andi:kack.itandi-
In reply to @mic92:nixos.dev
The key for what?
The key for the passwords.
08:47:47
@mic92:nixos.devMic92
In reply to @andi:kack.it
The key for the passwords.
It seems like a small win in security for an increased complexity, since the passwords itself are still in plain
08:48:57
@andi:kack.itandi-Yeah but it defeats all kinds of offline attacks on my password database08:49:24
@andi:kack.itandi-you can use my entire disk and still have no way to decrypt my passwords. Not even if you also have a memory dump.08:49:38
@andi:kack.itandi-You only obtain what you can observe me requesting.08:50:02
@mic92:nixos.devMic92I can imangine for most people the risk of loosing access to all their passwords is higher when their hardware breaks than the added security.08:51:56
@mic92:nixos.devMic92 * I can imagine for most people the risk of loosing access to all their passwords is higher when their hardware breaks than the added security.08:52:18
@andi:kack.itandi- I would only loose access to keys on that machine and not all my passwords. 08:52:50
@andi:kack.itandi-which is a perfectly acceptable risk for me as I can still use my YubiKey to access passwords (or another device with the same scheme).08:53:32
@andi:kack.itandi-
In reply to @mic92:nixos.dev
Also interesting: https://github.com/mtth-bfft/tpm-otp
This looks like it wouldn't go well with other TPM applications as they try to manage the TPM directly and write to random nvram positions.
09:17:56
@grahamc:nixos.org@grahamc:nixos.org
Corrected a problem which generated improper hash values on 16 bit machines
23:34:21
@grahamc:nixos.org@grahamc:nixos.orgdamn this file has a LOT of history23:34:58
18 Jul 2021
@grahamc:nixos.org@grahamc:nixos.org okay andi- I was maybe predictable wrong about the rvram 00:40:08
@grahamc:nixos.org@grahamc:nixos.orgto r/w space you have to preallocate a chunk with nvdefine, and it gives you an "NV Index" in response:00:40:49
@grahamc:nixos.org@grahamc:nixos.org[nix-shell:~]# tpm2 nvdefine -s 1 nv-index: 0x1000000 00:40:50
@grahamc:nixos.org@grahamc:nixos.org (-s 1 means 1 byte) 00:41:04
@grahamc:nixos.org@grahamc:nixos.org
[nix-shell:~]# tpm2 nvdefine -p str:lolol  -s 1
nv-index: 0x1000000

for index 0x1000000 you'll need to present the lolol password to read or write it:

[nix-shell:~]# tpm2 nvwrite -i ./lol 0x1000000
WARNING:esys:src/tss2-esys/api/Esys_NV_Write.c:310:Esys_NV_Write_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_NV_Write.c:110:Esys_NV_Write() Esys Finish ErrorCode (0x0000098e) 
ERROR: Failed to write NV area at index 0x1000000
ERROR: Tss2_Sys_NV_Write(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented
ERROR: Unable to run nvwrite

[nix-shell:~]# tpm2 nvwrite -i ./lol --auth str:lolol 0x1000000 



[nix-shell:~]# tpm2 nvread 0x1000000
WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x0000098e) 
ERROR: Esys_NV_Read(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented
ERROR: Failed to read NVRAM area at index 0x1000000
ERROR: Unable to run nvread


[nix-shell:~]# tpm2 nvread 0x1000000 --auth str:lolol
h

00:42:14
@grahamc:nixos.org@grahamc:nixos.orgI don't know how you're supposed to remember the index00:43:45
@mic92:nixos.devMic92
In reply to @grahamc:nixos.org
damn this file has a LOT of history
Well there might be still a need in microcontrollers.
03:15:37
@andi:kack.itandi-
In reply to @grahamc:nixos.org
I don't know how you're supposed to remember the index
But that is much better than expecting the applications to synchronize. If you look at that bash script from yesterday: They probably stuff it in their JSON blob?
07:56:01

There are no newer messages yet.


Back to Room ListRoom Version: 6