NixOS + TPMs

Sender	Message	Time
16 Jul 2021
	@grahamc:nixos.org removed the room topic "Exploring TPMs on NixOS".	19:31:12
@grahamc:nixos.org	andi-: should I change the main address to be #tpm:nixos.org?	19:37:09
andi-	Sure	19:37:56
@grahamc:nixos.org	I'm a little confused, failedTries hasn't decremented despite recoveryTime elapsing several times	19:42:47
@grahamc:nixos.org	so, seeing this happen I decided to look at the spec	19:45:54
@grahamc:nixos.org	failedTries(NV) –This counter is incremented when the TPM returns TPM_RC_AUTH_FAIL. TPM2_Clear() will reset this counter to zero. This counter is also set to zero on a successful invocation of TPM2_DictionaryAttackLockReset(). This counter is decremented by one after recoveryTimeseconds if:the TPM does not record an authorization failure of a DA-protected entity,there is no power interruption, andfailedTriesis not zero	19:46:14
@grahamc:nixos.org	I think I have errata lol	19:47:56
@grahamc:nixos.org	andi-: do you have a handy tpm simulator's source link?	19:51:04
andi-	One sec I read that earlier somewhere. If you use libvirt that is supposed to just work but with QEMU you have to launch a daemon..	19:51:37
andi-	https://documentation.suse.com/sles/15-SP3/html/SLES-all/tpm.html	19:52:04
@grahamc:nixos.org	hm	19:58:23
@grahamc:nixos.org	annoying	20:01:01
@grahamc:nixos.org	and I'm sort of out of energy to dig in to this to see why it isn't decrementing	20:01:12
@grahamc:nixos.org	but I suppose it has to do wit this:	20:01:15
andi-	perhaps the TPM needs the current time?	20:01:31
@grahamc:nixos.org	`TPM2_PT_PERSISTENT: ownerAuthSet: 0 endorsementAuthSet: 0 lockoutAuthSet: 0 reserved1: 0 disableClear: 0 inLockout: 0 tpmGeneratedEPS: 0 reserved2: 0`	20:01:36
@grahamc:nixos.org	* `[nix-shell:~]# TPM2_PT_PERSISTENT: ownerAuthSet: 0 endorsementAuthSet: 0 lockoutAuthSet: 0 reserved1: 0 disableClear: 0 inLockout: 0 tpmGeneratedEPS: 0 reserved2: 0`	20:01:50
@grahamc:nixos.org	* `[nix-shell:~]# tpm2 getcap properties-variable TPM2_PT_PERSISTENT: ownerAuthSet: 0 endorsementAuthSet: 0 lockoutAuthSet: 0 reserved1: 0 disableClear: 0 inLockout: 0 tpmGeneratedEPS: 0 reserved2: 0`	20:02:03
andi-	$ tpm2 getcap properties-variable TPM2_PT_PERSISTENT: ownerAuthSet: 0 endorsementAuthSet: 0 lockoutAuthSet: 0 reserved1: 0 disableClear: 0 inLockout: 0 tpmGeneratedEPS: 1 reserved2: 0 TPM2_PT_STARTUP_CLEAR: phEnable: 1 shEnable: 1 ehEnable: 1 phEnableNV: 1 reserved1: 0 orderly: 1 TPM2_PT_HR_NV_INDEX: 0x0 TPM2_PT_HR_LOADED: 0x0 TPM2_PT_HR_LOADED_AVAIL: 0x3 TPM2_PT_HR_ACTIVE: 0x0 TPM2_PT_HR_ACTIVE_AVAIL: 0x40 TPM2_PT_HR_TRANSIENT_AVAIL: 0x6 TPM2_PT_HR_PERSISTENT: 0x0 TPM2_PT_HR_PERSISTENT_AVAIL: 0x7 TPM2_PT_NV_COUNTERS: 0x0 TPM2_PT_NV_COUNTERS_AVAIL: 0x19 TPM2_PT_ALGORITHM_SET: 0x0 TPM2_PT_LOADED_CURVES: 0x3 TPM2_PT_LOCKOUT_COUNTER: 0x0 TPM2_PT_MAX_AUTH_FAIL: 0x3 TPM2_PT_LOCKOUT_INTERVAL: 0x3E8 TPM2_PT_LOCKOUT_RECOVERY: 0x3E8 TPM2_PT_NV_WRITE_RECOVERY: 0x0 TPM2_PT_AUDIT_COUNTER_0: 0x0 TPM2_PT_AUDIT_COUNTER_1: 0x0	20:24:59
andi-	did yours report less or did you just stop copying?	20:26:05
@grahamc:nixos.org	stopped copying	20:33:52
@grahamc:nixos.org	my guess is that because I haven't set a lockoutauth it isn't decrementing for some reason	20:34:01
	colemickens joined the room.	22:07:58
17 Jul 2021
Mic92 (Old)	In reply to @andi:kack.it Mic92: are you aware of a password manager that uses pkcs11 and isn't using GPG? Age is still not able to do that IIRC. No. What praticial security would it provide for users though to use TPM in this case?	04:50:08
Mic92 (Old)	Right now you type in a password to decrypt a symmetric key. With TPM i guess you would type in a key to unlock the TPM, which unlocks your symmetric key fro the password?	04:50:56
andi-	In reply to @mic92:nixos.dev Right now you type in a password to decrypt a symmetric key. With TPM i guess you would type in a key to unlock the TPM, which unlocks your symmetric key fro the password? The key never exists in memory and the TPM could ensure that the device-specific secret for the password manager only ever works on this machine when you boot a trusted system (your bootloader, kernel, ...).	07:58:27
andi-	So the boot (+password) would unlock the TPM and then each and every password you'd decrypt using the TPM instead of a derived key in memory.	07:59:04
Mic92 (Old)	Ok, for device specific credentials this might be helpful but not the classic password manager that is synched across devices.	08:01:07
andi-	Why not? Right now I encrypt my pass database to plenty of GPG keys. One per device and the one on my yubi key	08:02:19
andi-	IMHO it would just be one more key I encrypt things for	08:02:42

@grahamc:nixos.org removed the room topic "Exploring TPMs on NixOS".

19:31:12

@grahamc:nixos.org

andi-: should I change the main address to be #tpm:nixos.org?

Sure

I'm a little confused, failedTries hasn't decremented despite recoveryTime elapsing several times

19:42:47

@grahamc:nixos.org

so, seeing this happen I decided to look at the spec

19:45:54

@grahamc:nixos.org

failedTries(NV) –This counter is incremented when the TPM returns TPM_RC_AUTH_FAIL. TPM2_Clear() will reset this counter to zero. This counter is also set to zero on a successful invocation of TPM2_DictionaryAttackLockReset(). This counter is decremented by one after recoveryTimeseconds if:the TPM does not record an authorization failure of a DA-protected entity,there is no power interruption, andfailedTriesis not zero

19:46:14

@grahamc:nixos.org

I think I have errata lol

19:47:56

@grahamc:nixos.org

andi-: do you have a handy tpm simulator's source link?

19:51:04

andi-

One sec I read that earlier somewhere. If you use libvirt that is supposed to just work but with QEMU you have to launch a daemon..

19:51:37

andi-

https://documentation.suse.com/sles/15-SP3/html/SLES-all/tpm.html

hm

annoying

and I'm sort of out of energy to dig in to this to see why it isn't decrementing

20:01:12

@grahamc:nixos.org

but I suppose it has to do wit this:

20:01:15

andi-

perhaps the TPM needs the current time?

20:01:31

@grahamc:nixos.org

TPM2_PT_PERSISTENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  reserved1:                 0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           0
  reserved2:                 0

20:01:36

@grahamc:nixos.org

*

[nix-shell:~]#
TPM2_PT_PERSISTENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  reserved1:                 0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           0
  reserved2:                 0

20:01:50

@grahamc:nixos.org

*

[nix-shell:~]# tpm2 getcap properties-variable
TPM2_PT_PERSISTENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  reserved1:                 0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           0
  reserved2:                 0

20:02:03

andi-

$ tpm2 getcap properties-variable
TPM2_PT_PERSISTENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  reserved1:                 0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           1
  reserved2:                 0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
  reserved1:                 0
  orderly:                   1
TPM2_PT_HR_NV_INDEX: 0x0
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x6
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x7
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0x19
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x3
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x3
TPM2_PT_LOCKOUT_INTERVAL: 0x3E8
TPM2_PT_LOCKOUT_RECOVERY: 0x3E8
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0

20:24:59

andi-

did yours report less or did you just stop copying?

stopped copying

my guess is that because I haven't set a lockoutauth it isn't decrementing for some reason

20:34:01

colemickens joined the room.

22:07:58

Mic92 (Old)

In reply to @andi:kack.it
Mic92: are you aware of a password manager that uses pkcs11 and isn't using GPG? Age is still not able to do that IIRC.

No. What praticial security would it provide for users though to use TPM in this case?

04:50:08

Mic92 (Old)

Right now you type in a password to decrypt a symmetric key. With TPM i guess you would type in a key to unlock the TPM, which unlocks your symmetric key fro the password?

04:50:56

andi-

In reply to @mic92:nixos.dev
Right now you type in a password to decrypt a symmetric key. With TPM i guess you would type in a key to unlock the TPM, which unlocks your symmetric key fro the password?

The key never exists in memory and the TPM could ensure that the device-specific secret for the password manager only ever works on this machine when you boot a trusted system (your bootloader, kernel, ...).

07:58:27

andi-

So the boot (+password) would unlock the TPM and then each and every password you'd decrypt using the TPM instead of a derived key in memory.

07:59:04

Mic92 (Old)

Ok, for device specific credentials this might be helpful but not the classic password manager that is synched across devices.

08:01:07

andi-

Why not? Right now I encrypt my pass database to plenty of GPG keys. One per device and the one on my yubi key

08:02:19

andi-

IMHO it would just be one more key I encrypt things for

08:02:42

Load older messages

Show newer messages

	NixOS + TPMs	172 Members
		42 Servers