| 17 Jul 2021 |
 Mic92 (Old) | The key for what? | 08:11:03 |
| Mic92 (Old) | A second use case for TPM would be second factor auth | 08:15:48 |
| Mic92 (Old) | Also interesting: https://github.com/mtth-bfft/tpm-otp | 08:18:28 |
 andi- | In reply to @mic92:nixos.dev
The key for what? The key for the passwords. | 08:47:47 |
| Mic92 (Old) | In reply to @andi:kack.it
The key for the passwords. It seems like a small win in security for an increased complexity, since the passwords itself are still in plain | 08:48:57 |
| andi- | Yeah but it defeats all kinds of offline attacks on my password database | 08:49:24 |
| andi- | you can use my entire disk and still have no way to decrypt my passwords. Not even if you also have a memory dump. | 08:49:38 |
| andi- | You only obtain what you can observe me requesting. | 08:50:02 |
| Mic92 (Old) | I can imangine for most people the risk of loosing access to all their passwords is higher when their hardware breaks than the added security. | 08:51:56 |
| Mic92 (Old) | * I can imagine for most people the risk of loosing access to all their passwords is higher when their hardware breaks than the added security. | 08:52:18 |
| andi- | I would only loose access to keys on that machine and not all my passwords. | 08:52:50 |
| andi- | which is a perfectly acceptable risk for me as I can still use my YubiKey to access passwords (or another device with the same scheme). | 08:53:32 |
| andi- | In reply to @mic92:nixos.dev
Also interesting: https://github.com/mtth-bfft/tpm-otp This looks like it wouldn't go well with other TPM applications as they try to manage the TPM directly and write to random nvram positions. | 09:17:56 |
 @grahamc:nixos.org |
Corrected a problem which generated improper hash values on 16 bit machines
| 23:34:21 |
| @grahamc:nixos.org | damn this file has a LOT of history | 23:34:58 |
| 18 Jul 2021 |
| @grahamc:nixos.org | okay andi- I was maybe predictable wrong about the rvram | 00:40:08 |
| @grahamc:nixos.org | to r/w space you have to preallocate a chunk with nvdefine, and it gives you an "NV Index" in response: | 00:40:49 |
| @grahamc:nixos.org | [nix-shell:~]# tpm2 nvdefine -s 1
nv-index: 0x1000000
| 00:40:50 |
| @grahamc:nixos.org | (-s 1 means 1 byte) | 00:41:04 |
| @grahamc:nixos.org | [nix-shell:~]# tpm2 nvdefine -p str:lolol -s 1
nv-index: 0x1000000
for index 0x1000000 you'll need to present the lolol password to read or write it:
[nix-shell:~]# tpm2 nvwrite -i ./lol 0x1000000
WARNING:esys:src/tss2-esys/api/Esys_NV_Write.c:310:Esys_NV_Write_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Write.c:110:Esys_NV_Write() Esys Finish ErrorCode (0x0000098e)
ERROR: Failed to write NV area at index 0x1000000
ERROR: Tss2_Sys_NV_Write(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented
ERROR: Unable to run nvwrite
[nix-shell:~]# tpm2 nvwrite -i ./lol --auth str:lolol 0x1000000
[nix-shell:~]# tpm2 nvread 0x1000000
WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x0000098e)
ERROR: Esys_NV_Read(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented
ERROR: Failed to read NVRAM area at index 0x1000000
ERROR: Unable to run nvread
[nix-shell:~]# tpm2 nvread 0x1000000 --auth str:lolol
h
| 00:42:14 |
| @grahamc:nixos.org | I don't know how you're supposed to remember the index | 00:43:45 |
| Mic92 (Old) | In reply to @grahamc:nixos.org
damn this file has a LOT of history Well there might be still a need in microcontrollers. | 03:15:37 |
| andi- | In reply to @grahamc:nixos.org
I don't know how you're supposed to remember the index But that is much better than expecting the applications to synchronize. If you look at that bash script from yesterday: They probably stuff it in their JSON blob? | 07:56:01 |
 manveru | https://github.com/NixOS/nixpkgs/pull/130568 if anyone wants to review | 17:00:57 |
| andi- | manveru: have you been using this on unstable with pkcs11 with e.g. OpenSSH? I've had to patch your tpm2-tss derivation to use pkcs11 | 17:02:29 |
| manveru | Not yet, I'm just getting started trying to use tpm :) | 17:03:36 |
| manveru | Pretty sure there's no tpm drv from me... | 17:04:02 |
| @grahamc:nixos.org | andi-: okay so you CAN specify an index when defining the region, but there are defined allocations https://trustedcomputinggroup.org/wp-content/uploads/RegistryOfReservedTPM2HandlesAndLocalities_v1p1_pub.pdf | 20:02:33 |
| @grahamc:nixos.org | [nix-shell:~]# tss2 getplatformcertificates
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /nix/store/cmkbhbf74dzy2kaxsamvkr2pbiqvhx89-tpm2-tss-3.0.3/var/run/tpm2-tss/eventlog/ does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /root//.local/share/tpm2-tss/user/keystore does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /nix/store/cmkbhbf74dzy2kaxsamvkr2pbiqvhx89-tpm2-tss-3.0.3/var/lib/tpm2-tss/system/keystore/policy does not exist, creating
sigh
| 20:19:05 |
| andi- | That is normal :d | 20:19:18 |
