| 14 Sep 2022 |
ElvishJerricco | Zhaofeng Li: So moving over here because it seems more relevant: That patch doesn't seem to apply to NixOS. Based on the "Loaded initrd from command line option" message you see when booting with systemd-boot, that code path in that patch doesn't seem to measure the initrd | 23:28:25 |
ElvishJerricco | which is odd. I dunno why you'd only measure one of those two branches. Either it's measured elsewhere or this is a kernel bug | 23:30:45 |
ElvishJerricco | Though honestly I guess it doesn't matter. The attacker can always override the cmdline if you're not using a UKI anyway. So UKI it is | 23:53:37 |
| 15 Sep 2022 |
Zhaofeng Li | In reply to @elvishjerricco:matrix.org Zhaofeng Li: So moving over here because it seems more relevant: That patch doesn't seem to apply to NixOS. Based on the "Loaded initrd from command line option" message you see when booting with systemd-boot, that code path in that patch doesn't seem to measure the initrd Wow, that's certainly very weird. What are those two code paths? | 01:16:07 |
ElvishJerricco | Zhaofeng Li: This branch does measure it, but this branch doesn't, which seems to be the one we hit with nixos | 01:18:00 |
Zhaofeng Li | Ah, so supplying initrd= via the cmdline doesn't trigger the measurement, awkward | 01:25:19 |
ElvishJerricco | and I can't imagine why they wouldn't want to measure it. It seems perfectly possible there | 01:25:40 |
ElvishJerricco | Like, just move the measurement call to after the if else if block or something | 01:26:25 |
Zhaofeng Li | Nice opportunity to cook up a patch, it seems 👀 | 01:28:36 |
Zhaofeng Li | Also an opportunity to move to using the initrd directive in systemd-boot instead of adding the initrd= in the cmdline | 01:29:09 |
ElvishJerricco | Zhaofeng Li: We do use the initrd directive. But (and I can't remember where I read this), I believe systemd-boot just converts that directive into an initrd= cmdline option. | 01:31:41 |
Zhaofeng Li | If this is the case, the systemd-boot docs are dangerously incorrect. This is very surprising. | 01:33:00 |
ElvishJerricco | That's what this wiki says: https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/ | 01:33:48 |
ElvishJerricco | Where are the docs wrong about this? | 01:34:05 |
ElvishJerricco | And yea, my boot entries on my desktop have an initrd directive, but obviously I still get that "Loaded initrd from command line option" message | 01:34:39 |
Zhaofeng Li | I mean, the docs are wrong about initrd being measured in PCR 9 under normal usecases (the initrd directive) | 01:36:47 |
ElvishJerricco | oh yes | 01:36:57 |
ElvishJerricco | yes that's certainly true | 01:37:01 |
ElvishJerricco | I don't have a way to test that right now or else I'd try it out to make sure | 01:37:18 |
ElvishJerricco | (one of the next things I'm going to do in my bootspec-secureboot adventure is add TPM support to qemu-vm.nix so I can test that with NixOS tests as well) | 01:37:58 |
ElvishJerricco | (but for now my steam deck is my only tpm enabled device and I very much do not have nixos on it yet) | 01:38:18 |
Zhaofeng Li | (as you mentioned - haven't checked the docs myself as I'm on my phone) | 01:38:27 |
| 18 Sep 2022 |
| greaka left the room. | 11:35:26 |
| 19 Sep 2022 |
| Chinchilla Washington left the room. | 03:03:21 |
| lassulus joined the room. | 15:43:04 |
| 24 Sep 2022 |
@alexandre:iooss.fr | https://nixos.wiki/wiki/TPM I just started a new wiki page to help users use their TPM on NixOS. There are still things that I don't understand: I have set security.tpm2.tctiEnvironment.enable=true and have the corresponding environment variables pointing to device,/dev/tpmrm0, but OpenSSH is still trying to init the FAPI backend (and failing) | 13:21:04 |
| 30 Sep 2022 |
Mic92 | Alexandre: nice. How do you backup such a key? | 11:53:10 |
@alexandre:iooss.fr | In reply to @joerg:thalheim.io Alexandre: nice. How do you backup such a key? I am still learning the spec, but maybe it is possible to import a key using tpm2-pkcs11 (which would allow a backup). It is clearly one of the questions that need to be answered on the wiki page ><" | 11:55:51 |
| 2 Oct 2022 |
Leon | In reply to @alexandre:iooss.fr https://nixos.wiki/wiki/TPM I just started a new wiki page to help users use their TPM on NixOS. There are still things that I don't understand: I have set security.tpm2.tctiEnvironment.enable=true and have the corresponding environment variables pointing to device,/dev/tpmrm0, but OpenSSH is still trying to init the FAPI backend (and failing) I think this might be something I've noticed all over the TPM2 domain. It seems that almost every tool chooses its own generic-sounding environment variable to rely on. | 19:16:40 |