!agkXCfUrgbadYlQXRj:kack.it

NixOS + TPMs

156 Members
40 Servers



16 Jul 2021

12:13:45 @grahamc:nixos.org: heh
12:14:06 @grahamc:nixos.org:
  takeownership does 2 things afaik:
    1. resets the seed which is used for all the root key calculations
    2. sets a password used to reset counters
12:14:51 @grahamc:nixos.org: so you can set a policy saying increment a counter on decrypt attempt, and refuse if it goes above 10, then you need the ownership password to reset it
12:15:35 andi- (@andi:kack.it): Ok, so that part is then stored in the NV RAM of the TPM?
12:15:43 @grahamc:nixos.org: yeah
12:15:55 @grahamc:nixos.org: you don't need any special credential to use the roots
12:16:49 @grahamc:nixos.org: I am still a bit confused by the requirement of different secrets to decrypt one secret.
12:16:54 andi- (@andi:kack.it): Does the internal seed change the PCR values? I guess it shouldn't...
12:16:56 @grahamc:nixos.org: I think this is because you're maybe not ever going to decrypt it
12:17:07 @grahamc:nixos.org: but maybe you're just using it for attestation
12:18:16 @grahamc:nixos.org: I don't think the seed has anything to do with the PCR, yeah
12:19:07 @grahamc:nixos.org: [Redacted or Malformed Event]
12:20:30 @grahamc:nixos.org: ah here we are
12:21:03 @grahamc:nixos.org: you can get what the TPM calls a "quote" which is the PCRs signed by the TPM, in a way you can trust it is actually the PCRs and not falsified
12:21:10 @grahamc:nixos.org: https://www.mankier.com/1/tpm2_quote
12:21:36 Linux Hackerman (@linus.heckemann:matrix.mayflower.de) joined the room.
12:22:58 andi- (@andi:kack.it): I must also look at the OpenConnect VPN client. Apparently they integrate with the kernel keyring but there are also mentions of the TSS lib somewhere. Perhaps that stuff is really interoperable. At first I didn't think that could be the case.
12:24:00 @grahamc:nixos.org: I wonder if the openconnect server can require your PCRs to match specific values to allow a connection
12:24:04 Matrix Traveler (bot) (@voyager:t2bot.io) joined the room.
12:24:11 @grahamc:nixos.org: * I wonder if the openconnect client key can require your PCRs to match specific values to allow a connection
12:24:22 andi- (@andi:kack.it): Off-topic: Do we now have all the bots on the matrix universe? :D
12:24:22 @grahamc:nixos.org: I would not be surprised if that were true, the TPM2 book talks about it a lot :D
12:24:33 @grahamc:nixos.org: haha
12:41:49 andi- (@andi:kack.it): It is nice that we have a well documented user of all of the TPM infrastructure.
12:41:58 hexa (@hexa:lossy.network) joined the room.
12:41:58 andi- (@andi:kack.it): I now wish that I could use the TPM for wireguard key derivation.
12:42:04 @grahamc:nixos.org: is that openconnect?
12:42:10 andi- (@andi:kack.it): Yeah
12:42:14 @grahamc:nixos.org: :)
13:00:04 @spacesbot:nixos.dev: spacesbot - keeps a log of public NixOS channels



Room Version: 6