| 16 Jul 2021 |
 @grahamc:nixos.org | https://www.mankier.com/1/tpm2_quote | 12:21:10 |
|  Linux Hackerman is moving: @linus:schreibt.jetzt joined the room. | 12:21:36 |
 andi- | I must also look at the OpenConnect VPN client. Apparently they integrate with the kernel keyring but there are also mentions of the TSS lib somewhere. Perhaps that stuff is really interoperable. At first I didn't think that could be the case. | 12:22:58 |
| @grahamc:nixos.org | I wonder if the openconnect server can require your PCRs to match specific values to allow a connection | 12:24:00 |
|  Matrix Traveler (bot) joined the room. | 12:24:04 |
| @grahamc:nixos.org | * I wonder if the openconnect client key can require your PCRs to match specific values to allow a connection | 12:24:11 |
| andi- | Off-topic: Do we now have all the bots on the matrix universe? :D | 12:24:22 |
| @grahamc:nixos.org | I would not be surprised if that were true, the TPM2 book talks about it a lot :D | 12:24:22 |
| @grahamc:nixos.org | haha | 12:24:33 |
| andi- | It is nice that we have a well documented user of all of the TPM infrastructure. | 12:41:49 |
|  hexa joined the room. | 12:41:58 |
| andi- | I now wish that I could use the TPM for wireguard key derivation. | 12:41:58 |
| @grahamc:nixos.org | is that openconnect? | 12:42:04 |
| andi- | Yeah | 12:42:10 |
| @grahamc:nixos.org | :) | 12:42:14 |
|  spacesbot - keeps a log of public NixOS channels | 13:00:04 |
| andi- | So yesterday I was able to wipe my state without th ecorrect password IIRC. All I did was call tpm2_clear. | 13:16:47 |
| andi- | How do you protect against that? | 13:17:04 |
| andi- | IIRC I did set two passwords when I first setup secrets. | 13:17:24 |
| @grahamc:nixos.org | interesting | 13:21:19 |
| @grahamc:nixos.org | not sure you can actually | 13:21:38 |
| @grahamc:nixos.org | maybe you can | 13:21:44 |
| @grahamc:nixos.org | but I'm thinking about how the bios can wipe it too | 13:24:08 |
| andi- | That would mean that I must lock the tpm device away and only let root / a special user interact with it. | 13:24:25 |
| andi- | I read some text that said that there are some hardware keys to adjust it | 13:24:38 |
| @grahamc:nixos.org | you sort of need to do that anyway | 13:25:12 |
| @grahamc:nixos.org | because the nvram isn't partitioned or anything, it has no fs, you just have offsets in to the memory you write to | 13:25:35 |
| andi- | So you need to coordinate offsets across all your tools? e.g. OpenConnect and my kerberos daemon must each know where they can write? | 13:26:50 |
| @grahamc:nixos.org | mostly tools dont' need to write to the nvram I think | 13:27:15 |
| @grahamc:nixos.org | like, I think the nvram is for "I don't have a filesystem yet!" stuff, plus perhaps password attempt counters | 13:27:35 |
