| 19 Jul 2021 |
 Mic92 (Old) | Why because virtiofsd needs to change uids? | 11:53:58 |
| Mic92 (Old) | Maybe there could be a uid mapping mode in virtiofsd to map some uid to uid 0 | 11:54:14 |
| Mic92 (Old) | That would be enough for the nix store. | 11:54:24 |
 andi- | Yeah. Like the old 9pfs already worked. | 11:58:39 |
| andi- | I haven't dived into the code since it was merged upstream. Back then the docs were all a bit outdated | 11:59:01 |
| Mic92 (Old) | I put this on my long-term TODO list. For the next months I have enought other VM stuff to solve | 12:02:07 |
| Mic92 (Old) | I don't think it would be very complicated | 12:02:25 |
 @grahamc:nixos.org | cool | 13:14:11 |
| @grahamc:nixos.org | I was watching a talk from mjg59 where he mentioned the code quality of tpm2 and tss2 and that it was ... interesting ... inspiring them to make their own pure Go implementation for https://github.com/google/go-attestation | 13:20:40 |
| andi- | But their tool only focues on attestation basically leaving us with an even more clustered situation if you want to use the TPM for more than just verified boots? | 13:29:44 |
| andi- | Not to sound too negative: I think it is great that that option exists and looks much nicer than the alternatives. | 13:31:54 |
| @grahamc:nixos.org | oh of course | 13:34:37 |
| @grahamc:nixos.org | that tool is just a tiny piece of the puzzle | 13:34:44 |
| @grahamc:nixos.org | just mentioning it to note some confirmation of our sniff test's results | 13:36:25 |
| andi- | Weren't we looking for https://github.com/fedora-iot/clevis-pin-tpm2 the other day? | 14:04:21 |
| 29 Jul 2021 |
|  ryantm joined the room. | 13:39:51 |
| 30 Jul 2021 |
| andi- | https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network | 22:14:52 |
| andi- | So fTPM over hardware? | 22:15:11 |
| 3 Aug 2021 |
|  Florian | W3F joined the room. | 12:25:21 |
| 6 Aug 2021 |
| @grahamc:nixos.org | is the event log plausibly at another location than /sys/class/tpm/tpm0/device ? | 13:16:52 |
| @grahamc:nixos.org | * is the event log plausibly at another location than /sys/kernel/security/tpm0/binary_bios_measurements ? | 13:17:04 |
| 8 Aug 2021 |
| andi- | https://gitlab.gnome.org/GNOME/libsecret/-/merge_requests/90 <3 | 15:13:42 |
| andi- | ^ GSoC project using TPM2 as backend for libsecret passwords. Exactly what I wanted to build... | 15:14:05 |
| 11 Aug 2021 |
| Mic92 (Old) | It's weird that dkms does not handle kmod signatures by default: https://gist.github.com/lijikun/22be09ec9b178e745758a29c7a147cc9 | 14:16:46 |
| Mic92 (Old) | That look painful to set up | 14:17:23 |
| Mic92 (Old) | I wonder if NixOS also should sign kernel modules | 14:22:52 |
| andi- | I think we used to sign with a random key during compilation but that has been thrown away for reproducibility | 14:23:25 |
| andi- | That is for in-tree modules. Not sure about out of tree modules. | 14:24:29 |
| Mic92 (Old) | I think for out-of-tree modules one could have a build hook | 14:25:07 |
| andi- | and the signing key is a (separate) output of the actual kernel build? | 14:25:30 |
