| 1 Mar 2023 |
Julian Stecklina (Old) | "... arbitrary code execution within the TPM ..." | 09:18:16 |
raitobezarius | In the spec! Beautiful | 10:10:59 |
@grahamc:nixos.org | stunning | 13:14:34 |
@grahamc:nixos.org | is it actually in the spec, or in a reference implementation? | 13:15:39 |
raitobezarius | I read it as "in the spec" | 13:16:13 |
raitobezarius | "Apply an update: The Trusted Computing Group (TCG) has released an update to their Errata for TPM2.0 Library Specification with instructions to address these vulnerabilities." | 13:16:14 |
raitobezarius | Also, they did find the vuln I think in some implems | 13:17:19 |
@grahamc:nixos.org | I'm trying to find a diff of the spec ... | 13:17:22 |
raitobezarius | https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-Library-Spec-v1.59-Errata-v1.4_pub.pdf | 13:17:44 |
raitobezarius | Version 1.4 | 13:17:46 |
@grahamc:nixos.org | ah nice, I was only finding the full reference | 13:18:01 |
raitobezarius | (image attachment: image.png) | 13:18:05 |
raitobezarius | 2.6.1, 2.6.2, 2.6.3 | 13:18:10 |
raitobezarius | It's indeed the "reference code" provided in the specification | 13:18:27 |
@grahamc:nixos.org | ah, ok, cool, so the code is in the spec, but as a reference and not actually the rules of how a tpm must operate | 13:18:53 |
raitobezarius | Yeah, it's not a protocol-level vuln I suppose | 13:19:03 |
@grahamc:nixos.org | whew | 13:19:28 |
raitobezarius | cc baloo if you can bump libtpms in nixpkgs | 13:34:23 |
baloo | Yeah, the spec also provides a sample implementation. I know libtpms just imports that.
I don't know if the spec mandates that you use this implementation | 15:24:11 |
baloo | What I can tell you is that it is sometimes easier to go look at the code to make sense of the spec (especially around credentials) | 15:24:48 |
baloo | Yeah, I'll bump libtpms | 15:26:28 |
baloo | https://github.com/NixOS/nixpkgs/pull/219016 | 16:34:32 |
baloo | now the fun begins: sending that to vendors of TPMs and seeing if they are affected :D | 16:54:40 |
baloo | got beaten to it, but I don't think I can share the response from the vendor.
But I can say our product is not affected? | 17:06:43 |
baloo | make of that what you will | 17:06:51 |
Julian Stecklina (Old) | baloo: where are you actually working? :) (If you want to share) | 17:15:42 |
baloo | arista networks | 17:15:56 |
baloo | the NDR division deploys nixos in production | 17:16:58 |
Julian Stecklina (Old) | Ah, nice | 17:17:07 |
| 2 Mar 2023 |
| j-k joined the room. | 11:52:10 |