| 16 Jul 2021 |
 andi- | * Wait until we adjust the NixOS install guide to "now do your usual TPM init dance" | 13:54:00 |
 @grahamc:nixos.org | lol | 13:54:32 |
| andi- | I actually fear providing any kind of "easy" solution to use TPMs for disk encryption by default... It smells like a huge foot gun. | 13:54:46 |
| @grahamc:nixos.org | I think it has to be easy ... | 13:54:55 |
| andi- | Someone trying Linux for a moment and then switching back to windows might be surprised... | 13:54:56 |
| @grahamc:nixos.org | oh | 13:55:03 |
| andi- | Of course it has to be easy but nobody expects there to be state that is actually important. | 13:55:16 |
| @grahamc:nixos.org | right | 13:55:30 |
| @grahamc:nixos.org | complicated | 13:55:46 |
| andi- | I am also almost certain that if it were feasible to do this with every other user on Linux Fedora or such would have tried that. | 13:55:55 |
| @grahamc:nixos.org | it would probably need to be an opinionated thing | 13:56:29 |
| @grahamc:nixos.org | like "this won't work unless you follow our strict path =) my way or the highway " | 13:57:06 |
| andi- | Ok, I actually think Fedora has done that stuff. There is that dracut plugin that allows you to do SSS, Password, remote unlock and TPM based unlock etc.. | 13:57:58 |
| @grahamc:nixos.org | although in what I've set up here I get PCR validation and encrypted disks without using nvram statue | 13:58:02 |
| @grahamc:nixos.org | * although in what I've set up here I get PCR validation and encrypted disks without using nvram state | 13:58:12 |
| @grahamc:nixos.org | so it would only get wiped if they switched to windows and windows cleared the tpm | 13:58:31 |
| andi- | https://aboutcher.co.uk/2020/06/fedora-linux-luks-encryption-with-tpm-unlock/ this sounds so easy :D | 14:02:06 |
 hexa | oh right, clevis. | 14:02:51 |
| andi- | Getting clevis to work on NixOS would already be amazing. SSS for unlocking a community computer is a common enough use case. | 14:03:33 |
| hexa | right, that's when we looked into that | 14:03:59 |
| andi- | and tango is the remote attestation part to it | 14:05:09 |
| @grahamc:nixos.org | I clicked the link thinking "oh great, exactly what we need, yet another blog post with some obscure commands with dozens of flags that probably makes it work just barely well enough but not actually be thorough" | 14:08:15 |
| @grahamc:nixos.org | but it is short enough that I reasonably trust it! | 14:08:23 |
| andi- | So clevis probably puts the two public parts into the initrd? | 14:09:15 |
| @grahamc:nixos.org | maybe uses nvram | 14:09:27 |
| andi- | https://github.com/latchset/clevis/blob/f8132dfbfdce6db8b2195bc6cd34c46db369ba5d/src/pins/tpm2/clevis-encrypt-tpm2#L70 | 14:11:52 |
| andi- | apparently does. After that line all your other keys are gone? | 14:12:16 |
| andi- | More like here https://github.com/latchset/clevis/blob/f8132dfbfdce6db8b2195bc6cd34c46db369ba5d/src/pins/tpm2/clevis-encrypt-tpm2#L156-L157 | 14:12:23 |
| @grahamc:nixos.org | bash ;_; | 14:13:00 |
| andi- | Isn't that your favourite language? :) | 14:13:44 |
