| 27 Feb 2023 |
 baloo | which isn't necessarily a good thing | 21:25:30 |
 ElvishJerricco | I guess if you don't want that then you can just not create the SRK :P | 21:25:57 |
| ElvishJerricco | or create it so it requires auth to use | 21:26:04 |
| baloo | yeah, you can attach a policy or an auth to an SRK | 21:27:37 |
|  @aktaboot:tchncs.de joined the room. | 23:40:30 |
| 1 Mar 2023 |
|  Fabián Heredia changed their display name from fabianhjr to Fabián Heredia. | 06:05:13 |
 Julian Stecklina (Old) | https://kb.cert.org/vuls/id/782720 | 09:17:06 |
| Julian Stecklina (Old) | That's pretty bad | 09:17:17 |
| Julian Stecklina (Old) | "... arbitrary code execution within the TPM ..." | 09:18:16 |
 raitobezarius | In the spec! Beautiful | 10:10:59 |
 @grahamc:nixos.org | stunning | 13:14:34 |
| @grahamc:nixos.org | is it actually in the spec, or in a reference implementation? | 13:15:39 |
| raitobezarius | I read it as "in the spec" | 13:16:13 |
| raitobezarius |
Apply an update The Trusted Computing Group (TCG) has released an update to their Errata for TPM2.0 Library Specification with instructions to address these vulnerabilities.
| 13:16:14 |
| raitobezarius | Also, they did find the vuln I think in some implems | 13:17:19 |
| @grahamc:nixos.org | Im trying to find a diff of the spec ... | 13:17:22 |
| raitobezarius | https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-Library-Spec-v1.59-Errata-v1.4_pub.pdf | 13:17:44 |
| raitobezarius | Version 1.4 | 13:17:46 |
| @grahamc:nixos.org | ah nice, I was only finding the full reference | 13:18:01 |
| raitobezarius | 
Download image.png | 13:18:05 |
| raitobezarius | 2.6.1, 2.6.2, 2.6.3 | 13:18:10 |
| raitobezarius | It's indeed the "reference code" provided in the specification | 13:18:27 |
| @grahamc:nixos.org | ah, ok, cool, so the code is in the spec, but as a reference and not actually the rules of how a tpm must operate | 13:18:53 |
| raitobezarius | Yeah, it's not protocol-level vuln I suppose | 13:19:03 |
| @grahamc:nixos.org | whew | 13:19:28 |
| raitobezarius | cc baloo if you can bump libtpms in nixpkgs | 13:34:23 |
| baloo | Yeah the spec also provide a sample implementation. I know libtpms just imports that.
I don’t know if the spec mandates that you use this implementation | 15:24:11 |
| baloo | What I can tell you is that it is sometimes easier to go look at the code to make sense of the spec (especially around credentials) | 15:24:48 |
| baloo | Yeah I’ll bump the libtpms | 15:26:28 |
| baloo | https://github.com/NixOS/nixpkgs/pull/219016 | 16:34:32 |
