| 27 Feb 2023 |
ElvishJerricco | * (but only for systemd-cryptenroll/cryptsetup; no support for systemd-creds yet) | 21:00:30 |
ElvishJerricco | The short version: The TPM just creates keys in memory by default, without storing them, and requiring authorization. Whenever someone sets the authorization, they should tell the TPM to create a special key called the SRK and store it so that others can use the TPM via the SRK without authorization. Systemd now supports this method. | 21:03:45 |
ElvishJerricco | * The short version: The TPM just creates keys in internal memory by default, without storing them, and requiring authorization. Whenever someone sets the authorization, they should tell the TPM to create a special key called the SRK and store it so that others can use the TPM via the SRK without authorization. Systemd now supports this method. | 21:04:25 |
ElvishJerricco | * The short version: The TPM just creates internally reproducible keys in internal memory by default, without storing them, and requiring authorization. Whenever someone sets the authorization, they should tell the TPM to create a special key called the SRK and store it so that others can use the TPM via the SRK without authorization. Systemd now supports this method. | 21:04:51 |
baloo | but if no one took ownership there wouldn't be a need to require authorization in the first place? | 21:12:58 |
baloo | or am I missing something | 21:13:08 |
ElvishJerricco | baloo: That's correct. And that's why it works currently; systemd expects no one to have taken ownership | 21:15:12 |
baloo | alright, makes sense | 21:15:34 |
ElvishJerricco | Minor clarification, when creating a key, you choose if it needs authorization to create child keys. It would seem the SRK is expected to be created without any authorization requirement for creating children. I think. | 21:20:40 |
ElvishJerricco | but of course root keys always need the authorization of the hierarchy | 21:21:06 |
ElvishJerricco | * but of course creating root keys always needs the authorization of the hierarchy | 21:21:22 |
baloo | upside of SRK, the key gets stored in the TPM, and you need to wait a couple seconds to do a key derivation from the root secret. | 21:21:33 |
ElvishJerricco | You mean you don't need to wait? The key is stored so it needn't be derived | 21:23:16 |
baloo | yeah, sorry | 21:23:29 |
ElvishJerricco | yea that's one upside. The other is that people who don't have owner auth can still use the TPM for some stuff | 21:24:12 |
baloo | when creating a subkey, you feed in a template and the TPM uses that as input parameter to do key derivation. Which takes 800ms for an RSA 2048-bit key or so. | 21:24:20 |
ElvishJerricco | right | 21:24:33 |
ElvishJerricco | like disk encryption; with the SRK, you don't need owner auth to do disk encryption | 21:25:15 |
baloo | which isn't necessarily a good thing | 21:25:30 |
ElvishJerricco | I guess if you don't want that then you can just not create the SRK :P | 21:25:57 |
ElvishJerricco | or create it so it requires auth to use | 21:26:04 |
baloo | yeah, you can attach a policy or an auth to an SRK | 21:27:37 |
| 1 Mar 2023 |
Julian Stecklina (Old) | https://kb.cert.org/vuls/id/782720 | 09:17:06 |
Julian Stecklina (Old) | That's pretty bad | 09:17:17 |
Julian Stecklina (Old) | "... arbitrary code execution within the TPM ..." | 09:18:16 |
raitobezarius | In the spec! Beautiful | 10:10:59 |
@grahamc:nixos.org | stunning | 13:14:34 |
@grahamc:nixos.org | is it actually in the spec, or in a reference implementation? | 13:15:39 |