| 18 Jul 2021 |
manveru | Pretty sure there's no tpm drv from me... | 17:04:02 |
@grahamc:nixos.org | andi-: okay so you CAN specify an index when defining the region, but there are defined allocations https://trustedcomputinggroup.org/wp-content/uploads/RegistryOfReservedTPM2HandlesAndLocalities_v1p1_pub.pdf | 20:02:33 |
@grahamc:nixos.org | [nix-shell:~]# tss2 getplatformcertificates
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /nix/store/cmkbhbf74dzy2kaxsamvkr2pbiqvhx89-tpm2-tss-3.0.3/var/run/tpm2-tss/eventlog/ does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /root//.local/share/tpm2-tss/user/keystore does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /nix/store/cmkbhbf74dzy2kaxsamvkr2pbiqvhx89-tpm2-tss-3.0.3/var/lib/tpm2-tss/system/keystore/policy does not exist, creating
sigh
| 20:19:05 |
andi- | That is normal :d | 20:19:18 |
andi- | I also get those and can still authenticate my SSH session | 20:19:30 |
andi- | But yeah it is not optimal.. | 20:19:44 |
andi- | I hope I'll have some time to read the TPM 2.0 spec next week. I haven't been doing much since Thursday and the weekend was occupied otherwise | 20:20:31 |
@grahamc:nixos.org | understandable | 20:21:00 |
@grahamc:nixos.org | I wonder why getplatformcertificates is suddenly part of tss and not the tpm2 command | 20:21:23 |
andi- | the developers of tss needed it before they started the tpm2 tool? | 20:22:09 |
@grahamc:nixos.org | hm | 20:22:21 |
| 19 Jul 2021 |
manveru | does anyone know if there's some way to turn tpm emulation on for a nixos test? | 06:23:46 |
andi- | The current VM infrastructure doesn't allow that. You have to run an additional daemon | 07:13:39 |
Mic92 (Old) | Could you run two VMs for that? | 11:48:55 |
andi- | No, you have to pass a socket to one of the daemons to QEMU's CLI. Forking off the software TPM before starting QEMU is probably good enough in a sandboxed test. For interactive testing you want more process control. | 11:49:44 |
Mic92 (Old) | There is some bridging possible with vsockets, but I guess it would get hacky | 11:50:04 |
Mic92 (Old) | Maybe socat? | 11:50:10 |
andi- | Yeah, probably but not very elegant. Would be nicer to teach our test driver to take care of "sidecars" | 11:50:31 |
Mic92 (Old) | vsocket also need root with qemu I just remeber | 11:51:07 |
Mic92 (Old) | *remember | 11:51:12 |
Mic92 (Old) | It would also be nice for virtiofsd to have qemu sidecars | 11:51:38 |
andi- | yeah but that also requires root access IIRC | 11:51:58 |
Mic92 (Old) | Why because virtiofsd needs to change uids? | 11:53:58 |
Mic92 (Old) | Maybe there could be a uid mapping mode in virtiofsd to map some uid to uid 0 | 11:54:14 |
Mic92 (Old) | That would be enough for the nix store. | 11:54:24 |
andi- | Yeah. Like the old 9pfs already worked. | 11:58:39 |
andi- | I haven't dived into the code since it was merged upstream. Back then the docs were all a bit outdated | 11:59:01 |
Mic92 (Old) | I put this on my long-term TODO list. For the next months I have enough other VM stuff to solve | 12:02:07 |
Mic92 (Old) | I don't think it would be very complicated | 12:02:25 |
@grahamc:nixos.org | cool | 13:14:11 |