| 18 Jul 2021 |
 @grahamc:nixos.org | andi-: okay so you CAN specify an index when defining the region, but there are defined allocations https://trustedcomputinggroup.org/wp-content/uploads/RegistryOfReservedTPM2HandlesAndLocalities_v1p1_pub.pdf | 20:02:33 |
| @grahamc:nixos.org | [nix-shell:~]# tss2 getplatformcertificates
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /nix/store/cmkbhbf74dzy2kaxsamvkr2pbiqvhx89-tpm2-tss-3.0.3/var/run/tpm2-tss/eventlog/ does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /root//.local/share/tpm2-tss/user/keystore does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /nix/store/cmkbhbf74dzy2kaxsamvkr2pbiqvhx89-tpm2-tss-3.0.3/var/lib/tpm2-tss/system/keystore/policy does not exist, creating
sigh
| 20:19:05 |
 andi- | That is normal :d | 20:19:18 |
| andi- | I also get those and can still authenticate my SSH session | 20:19:30 |
| andi- | But yeah it is not optimal.. | 20:19:44 |
| andi- | I hope I'll have some time to read the TPM2.0 spec next week. Been not doing much since Thursday and the weekend was occupied otherwise | 20:20:31 |
| @grahamc:nixos.org | understandable | 20:21:00 |
| @grahamc:nixos.org | I wonder why getplatformcertificates is suddenly part of tss and not the tpm2 command | 20:21:23 |
| andi- | the developers of tss needed it before they started the tpm2 tool? | 20:22:09 |
| @grahamc:nixos.org | hm | 20:22:21 |
| 19 Jul 2021 |
 manveru | does anyonne know if there's some way to turn tpm emulation on for a nixos test? | 06:23:46 |
| andi- | The current VM infrastructure doesnt allow that. You have to run an additional daemon | 07:13:39 |
 Mic92 | Could you run two VMs for that? | 11:48:55 |
| andi- | No, you have to pass a socket to one of the daemons to QEMUs CLI. Forking off the software TPM before starting QEMU is probably good enough in a sandboxed test. For interactive testing you want more process control. | 11:49:44 |
| Mic92 | There is some bridging possible with vsockets, but I guess it would get hacky | 11:50:04 |
| Mic92 | Maybe socat? | 11:50:10 |
| andi- | Yeah, probably but not very elegant. Would be nicer to teach our test driver to take care of "sidecars" | 11:50:31 |
| Mic92 | vsocket also need root with qemu I just remeber | 11:51:07 |
| Mic92 | *remember | 11:51:12 |
| Mic92 | It would be also nice for virtiofsd to have qemu side cars | 11:51:38 |
| andi- | yeah but that also requires root access IIRC | 11:51:58 |
| Mic92 | Why because virtiofsd needs to change uids? | 11:53:58 |
| Mic92 | Maybe there could be a uid mapping mode in virtiofsd to map some uid to uid 0 | 11:54:14 |
| Mic92 | That would be enough for the nix store. | 11:54:24 |
| andi- | Yeah. Like the old 9pfs already worked. | 11:58:39 |
| andi- | I haven't dived into the code since it was merged upstream. Back then the docs were all a bit outdated | 11:59:01 |
| Mic92 | I put this on my long-term TODO list. For the next months I have enought other VM stuff to solve | 12:02:07 |
| Mic92 | I don't think it would be very complicated | 12:02:25 |
| @grahamc:nixos.org | cool | 13:14:11 |
| @grahamc:nixos.org | I was watching a talk from mjg59 where he mentioned the code quality of tpm2 and tss2 and that it was ... interesting ... inspiring them to make their own pure Go implementation for https://github.com/google/go-attestation | 13:20:40 |
