| 16 Jul 2021 |
 Mic92 (Old) | * I rather prefer theirs over gnupg codebase | 16:37:48 |
 andi- | Yeah, you basically enable the tpm2 settings in the nixos options. Including the pkcs11 shim and then:
ssh-keygen -D /run/current-system/sw/lib/libtpm2_pkcs11.so
| 16:37:59 |
| Mic92 (Old) | Nice. | 16:38:10 |
| andi- | Yeah except that on current unstable you have to patch the tpm2-tss lib or rather remove our dlopen patch. | 16:38:37 |
| andi- | I've not had a moment to upstream that yet. | 16:38:46 |
| andi- | You can also follows this guide: https://incenp.org/notes/2020/tpm-based-ssh-key.html minus all the compiling | 16:40:11 |
| andi- | Mic92: are you aware of a password manager that uses pkcs11 and isn't using GPG? Age is still not able to do that IIRC. | 16:43:58 |
| andi- | (It has a bunch of repos around that topic but I've not managed to understand why they need so many) | 16:44:04 |
|  samueldr joined the room. | 18:19:34 |
 @grahamc:nixos.org | I think it would go a long way if someone made some flow charts of how pieces fit together and some state diagrams, | 18:46:44 |
| @grahamc:nixos.org | like a state diagram of the lockout interval, recovery, counter for example. it is not very complicated, but I think a diagram would clear up how it is used | 18:48:07 |
| andi- | Is there a nice collaborative tool to draw those? | 18:57:14 |
| andi- | I don't want to pass graphviz files around | 18:57:28 |
| @grahamc:nixos.org | I was just going to say graphviz | 18:57:35 |
| andi- | how about https://md.darmstadt.ccc.de/tpm2# ? | 18:59:52 |
| andi- | It is graphviz and collaborative | 18:59:58 |
| @grahamc:nixos.org | oh wowo | 19:00:37 |
| @grahamc:nixos.org | nice | 19:00:54 |
| andi- | There you go :P | 19:01:07 |
| @grahamc:nixos.org | page 67 TPM_PT_LOCKOUT_RECOVERY https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf | 19:23:51 |
| @grahamc:nixos.org | not pointing anything out there just a primary source for the meaning of these values | 19:26:30 |
| @grahamc:nixos.org removed the room topic "Exploring TPMs on NixOS". | 19:31:12 |
| @grahamc:nixos.org | andi-: should I change the main address to be #tpm:nixos.org? | 19:37:09 |
| andi- | Sure | 19:37:56 |
| @grahamc:nixos.org | I'm a little confused, failedTries hasn't decremented despite recoveryTime elapsing several times | 19:42:47 |
| @grahamc:nixos.org | so, seeing this happen I decided to look at the spec | 19:45:54 |
| @grahamc:nixos.org |
failedTries(NV) –This counter is incremented when the TPM returns TPM_RC_AUTH_FAIL. TPM2_Clear() will reset this counter to zero. This counter is also set to zero on a successful invocation of TPM2_DictionaryAttackLockReset(). This counter is decremented by one after recoveryTimeseconds if:the TPM does not record an authorization failure of a DA-protected entity,there is no power interruption, andfailedTriesis not zero
| 19:46:14 |
| @grahamc:nixos.org | I think I have errata lol | 19:47:56 |
| @grahamc:nixos.org | andi-: do you have a handy tpm simulator's source link? | 19:51:04 |
| andi- | One sec I read that earlier somewhere. If you use libvirt that is supposed to just work but with QEMU you have to launch a daemon.. | 19:51:37 |
