| 27 Feb 2023 |
 ElvishJerricco | Minor clarification, when creating a key, you choose if it needs authorization to create child keys. It would seem the SRK is expected to be created without any authorization requirement for creating children. I think. | 21:20:40 |
| ElvishJerricco | but of course root keys always need the authorization of the hierarchy | 21:21:06 |
| ElvishJerricco | * but of course creating root keys always needs the authorization of the hierarchy | 21:21:22 |
 baloo | upside of SRK, the key gets stored in the TPM, and you need to wait a couple seconds to do a key derivation from the root secret. | 21:21:33 |
| ElvishJerricco | You mean you don't need to wait? The key is stored so it needn't be derived | 21:23:16 |
| baloo | yeah, sorry | 21:23:29 |
| ElvishJerricco | yea that's one upside. The other is that people who don't have owner auth can still use the TPM for some stuff | 21:24:12 |
| baloo | when creating a subkey, you feed in a template and tpm uses that as input parameter to do key derivation. Which takes 800ms for an RSA 2048bits or so. | 21:24:20 |
| ElvishJerricco | right | 21:24:33 |
| ElvishJerricco | like disk encryption; with the SRK, you don't need owner auth to do disk encryption | 21:25:15 |
| baloo | which isn't necessarily a good thing | 21:25:30 |
| ElvishJerricco | I guess if you don't want that then you can just not create the SRK :P | 21:25:57 |
| ElvishJerricco | or create it so it requires auth to use | 21:26:04 |
| baloo | yeah, you can attach a policy or an auth to an SRK | 21:27:37 |
|  aktaboot joined the room. | 23:40:30 |
| 1 Mar 2023 |
|  Fabián Heredia changed their display name from fabianhjr to Fabián Heredia. | 06:05:13 |
 Julian Stecklina (Old) | https://kb.cert.org/vuls/id/782720 | 09:17:06 |
| Julian Stecklina (Old) | That's pretty bad | 09:17:17 |
| Julian Stecklina (Old) | "... arbitrary code execution within the TPM ..." | 09:18:16 |
 raitobezarius | In the spec! Beautiful | 10:10:59 |
 @grahamc:nixos.org | stunning | 13:14:34 |
| @grahamc:nixos.org | is it actually in the spec, or in a reference implementation? | 13:15:39 |
| raitobezarius | I read it as "in the spec" | 13:16:13 |
| raitobezarius |
Apply an update The Trusted Computing Group (TCG) has released an update to their Errata for TPM2.0 Library Specification with instructions to address these vulnerabilities.
| 13:16:14 |
| raitobezarius | Also, they did find the vuln I think in some implems | 13:17:19 |
| @grahamc:nixos.org | Im trying to find a diff of the spec ... | 13:17:22 |
| raitobezarius | https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-Library-Spec-v1.59-Errata-v1.4_pub.pdf | 13:17:44 |
| raitobezarius | Version 1.4 | 13:17:46 |
| @grahamc:nixos.org | ah nice, I was only finding the full reference | 13:18:01 |
| raitobezarius | 
Download image.png | 13:18:05 |
