| 16 Jul 2021 |
 andi- | and tango is the remote attestation part to it | 14:05:09 |
 @grahamc:nixos.org | I clicked the link thinking "oh great, exactly what we need, yet another blog post with some obscure commands with dozens of flags that probably makes it work just barely well enough but not actually be thorough" | 14:08:15 |
| @grahamc:nixos.org | but it is short enough that I reasonably trust it! | 14:08:23 |
| andi- | So clevis probably puts the two public parts into the initrd? | 14:09:15 |
| @grahamc:nixos.org | maybe uses nvram | 14:09:27 |
| andi- | https://github.com/latchset/clevis/blob/f8132dfbfdce6db8b2195bc6cd34c46db369ba5d/src/pins/tpm2/clevis-encrypt-tpm2#L70 | 14:11:52 |
| andi- | apparently does. After that line all your other keys are gone? | 14:12:16 |
| andi- | More like here https://github.com/latchset/clevis/blob/f8132dfbfdce6db8b2195bc6cd34c46db369ba5d/src/pins/tpm2/clevis-encrypt-tpm2#L156-L157 | 14:12:23 |
| @grahamc:nixos.org | bash ;_; | 14:13:00 |
| andi- | Isn't that your favourite language? :) | 14:13:44 |
| @grahamc:nixos.org | :) | 14:13:53 |
| @grahamc:nixos.org | set -e # all good! | 14:13:58 |
| andi- | oh, I am confusing you with that other guy... | 14:14:17 |
| @grahamc:nixos.org | https://github.com/latchset/clevis/blob/f8132dfbfdce6db8b2195bc6cd34c46db369ba5d/src/pins/tpm2/clevis-encrypt-tpm2#L21-L25 | 14:16:11 |
| andi- | Any idea where that code is? | 14:18:49 |
| andi- | I've only found a dracut module with that name | 14:19:16 |
| @grahamc:nixos.org | I can't find it | 14:19:29 |
| andi- | I feel like I'd want to throw most of clevis away and implement it in Rust/Python/... instead | 14:41:06 |
| @grahamc:nixos.org | when people look at Nixpkgs and say "puke, bash" I say yes but it runs in a sandbox and is gone at the end | 14:50:52 |
| @grahamc:nixos.org | like yeah, puke, bash, but you're not forever cursed by its taint | 14:51:06 |
| andi- | "gone" I have an entire directory on my disk full of it that :D | 14:51:16 |
| @grahamc:nixos.org | it is inert! :) | 14:51:43 |
| andi- | so yeah, lets understand how all this stuff works before rewriting things from scratch | 14:51:49 |
| @grahamc:nixos.org | run clevis inside a nix-build with the sandbox disabled :see | 14:52:18 |
| @grahamc:nixos.org | * run clevis inside a nix-build with the sandbox disabled | 14:52:19 |
| @grahamc:nixos.org | 🙈 | 14:52:22 |
| andi- | The best of none of the worlds? | 14:52:47 |
| @grahamc:nixos.org | bingo | 14:53:07 |
| @grahamc:nixos.org | okay new learning | 15:01:07 |
| @grahamc:nixos.org | In reply to @grahamc:nixos.org
like, I think the nvram is for "I don't have a filesystem yet!" stuff, plus perhaps password attempt counters this isn't stored in an arbitrary location in nvram, and it isn't on a per-secret basis, but an overal property of the TPM: a counter of failures:
[nix-shell:~]# tpm2 getcap properties-variable > prop-vals.2
[nix-shell:~]# diff prop-vals.1 prop-vals.2
29c29
< TPM2_PT_LOCKOUT_COUNTER: 0x7
---
> TPM2_PT_LOCKOUT_COUNTER: 0x8
| 15:02:21 |
