| 16 Jul 2021 |
 @grahamc:nixos.org | 🙈 | 14:52:22 |
 andi- | The best of none of the worlds? | 14:52:47 |
| @grahamc:nixos.org | bingo | 14:53:07 |
| @grahamc:nixos.org | okay new learning | 15:01:07 |
| @grahamc:nixos.org | In reply to @grahamc:nixos.org
like, I think the nvram is for "I don't have a filesystem yet!" stuff, plus perhaps password attempt counters this isn't stored in an arbitrary location in nvram, and it isn't on a per-secret basis, but an overal property of the TPM: a counter of failures:
[nix-shell:~]# tpm2 getcap properties-variable > prop-vals.2
[nix-shell:~]# diff prop-vals.1 prop-vals.2
29c29
< TPM2_PT_LOCKOUT_COUNTER: 0x7
---
> TPM2_PT_LOCKOUT_COUNTER: 0x8
| 15:02:21 |
| @grahamc:nixos.org |
Note that the DA lockout counter decrements automatically every TPM_PT_LOCKOUT_INTERVAL seconds, in your case 100s.
| 15:04:29 |
| @grahamc:nixos.org | mine is:
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
so 2 hours | 15:04:42 |
| @grahamc:nixos.org | I sure wish there was some crash course already put together on all this | 15:05:57 |
| andi- | I'll book one with DS once you are at that point. There is a friends&family discount, right? | 15:06:25 |
| @grahamc:nixos.org | haha | 15:07:36 |
| @grahamc:nixos.org | I should get a TPM simulator instead of putting my actual TPM in lockout | 15:09:01 |
| @grahamc:nixos.org | did you figure out how to run the simulator? | 15:10:51 |
| @grahamc:nixos.org | a very annoying thing about TPMs is the management thing | 15:22:05 |
