| 16 Jul 2021 |
 andi- | Isn't that your favourite language? :) | 14:13:44 |
 @grahamc:nixos.org | :) | 14:13:53 |
| @grahamc:nixos.org | set -e # all good! | 14:13:58 |
| andi- | oh, I am confusing you with that other guy... | 14:14:17 |
| @grahamc:nixos.org | https://github.com/latchset/clevis/blob/f8132dfbfdce6db8b2195bc6cd34c46db369ba5d/src/pins/tpm2/clevis-encrypt-tpm2#L21-L25 | 14:16:11 |
| andi- | Any idea where that code is? | 14:18:49 |
| andi- | I've only found a dracut module with that name | 14:19:16 |
| @grahamc:nixos.org | I can't find it | 14:19:29 |
| andi- | I feel like I'd want to throw most of clevis away and implement it in Rust/Python/... instead | 14:41:06 |
| @grahamc:nixos.org | when people look at Nixpkgs and say "puke, bash" I say yes but it runs in a sandbox and is gone at the end | 14:50:52 |
| @grahamc:nixos.org | like yeah, puke, bash, but you're not forever cursed by its taint | 14:51:06 |
| andi- | "gone" I have an entire directory on my disk full of it that :D | 14:51:16 |
| @grahamc:nixos.org | it is inert! :) | 14:51:43 |
| andi- | so yeah, lets understand how all this stuff works before rewriting things from scratch | 14:51:49 |
| @grahamc:nixos.org | run clevis inside a nix-build with the sandbox disabled :see | 14:52:18 |
| @grahamc:nixos.org | * run clevis inside a nix-build with the sandbox disabled | 14:52:19 |
| @grahamc:nixos.org | 🙈 | 14:52:22 |
| andi- | The best of none of the worlds? | 14:52:47 |
| @grahamc:nixos.org | bingo | 14:53:07 |
| @grahamc:nixos.org | okay new learning | 15:01:07 |
| @grahamc:nixos.org | In reply to @grahamc:nixos.org
like, I think the nvram is for "I don't have a filesystem yet!" stuff, plus perhaps password attempt counters this isn't stored in an arbitrary location in nvram, and it isn't on a per-secret basis, but an overal property of the TPM: a counter of failures:
[nix-shell:~]# tpm2 getcap properties-variable > prop-vals.2
[nix-shell:~]# diff prop-vals.1 prop-vals.2
29c29
< TPM2_PT_LOCKOUT_COUNTER: 0x7
---
> TPM2_PT_LOCKOUT_COUNTER: 0x8
| 15:02:21 |
| @grahamc:nixos.org |
Note that the DA lockout counter decrements automatically every TPM_PT_LOCKOUT_INTERVAL seconds, in your case 100s.
| 15:04:29 |
| @grahamc:nixos.org | mine is:
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
so 2 hours | 15:04:42 |
| @grahamc:nixos.org | I sure wish there was some crash course already put together on all this | 15:05:57 |
| andi- | I'll book one with DS once you are at that point. There is a friends&family discount, right? | 15:06:25 |
| @grahamc:nixos.org | haha | 15:07:36 |
| @grahamc:nixos.org | I should get a TPM simulator instead of putting my actual TPM in lockout | 15:09:01 |
| @grahamc:nixos.org | did you figure out how to run the simulator? | 15:10:51 |
| @grahamc:nixos.org | a very annoying thing about TPMs is the management thing | 15:22:05 |
| andi- | I haven't continued that journey yet. I'm trying to get things organzied for the weekend. Not going to have much more time besides during the Nights. | 16:20:04 |
