| 16 Jul 2021 |
@grahamc:nixos.org | set -e # all good! | 14:13:58 |
andi- | oh, I am confusing you with that other guy... | 14:14:17 |
@grahamc:nixos.org | https://github.com/latchset/clevis/blob/f8132dfbfdce6db8b2195bc6cd34c46db369ba5d/src/pins/tpm2/clevis-encrypt-tpm2#L21-L25 | 14:16:11 |
andi- | Any idea where that code is? | 14:18:49 |
andi- | I've only found a dracut module with that name | 14:19:16 |
@grahamc:nixos.org | I can't find it | 14:19:29 |
andi- | I feel like I'd want to throw most of clevis away and implement it in Rust/Python/... instead | 14:41:06 |
@grahamc:nixos.org | when people look at Nixpkgs and say "puke, bash" I say yes but it runs in a sandbox and is gone at the end | 14:50:52 |
@grahamc:nixos.org | like yeah, puke, bash, but you're not forever cursed by its taint | 14:51:06 |
andi- | "gone" I have an entire directory on my disk full of it that :D | 14:51:16 |
@grahamc:nixos.org | it is inert! :) | 14:51:43 |
andi- | so yeah, let's understand how all this stuff works before rewriting things from scratch | 14:51:49 |
@grahamc:nixos.org | run clevis inside a nix-build with the sandbox disabled :see | 14:52:18 |
@grahamc:nixos.org | * run clevis inside a nix-build with the sandbox disabled | 14:52:19 |
@grahamc:nixos.org | 🙈 | 14:52:22 |
andi- | The best of none of the worlds? | 14:52:47 |
@grahamc:nixos.org | bingo | 14:53:07 |
@grahamc:nixos.org | okay new learning | 15:01:07 |
@grahamc:nixos.org | In reply to @grahamc:nixos.org: like, I think the nvram is for "I don't have a filesystem yet!" stuff, plus perhaps password attempt counters
this isn't stored in an arbitrary location in nvram, and it isn't on a per-secret basis, but an overall property of the TPM: a counter of failures:
[nix-shell:~]# tpm2 getcap properties-variable > prop-vals.2
[nix-shell:~]# diff prop-vals.1 prop-vals.2
29c29
< TPM2_PT_LOCKOUT_COUNTER: 0x7
---
> TPM2_PT_LOCKOUT_COUNTER: 0x8
| 15:02:21 |