16 Jul 2021 |
andi- | The best of none of the worlds? | 14:52:47 |
@grahamc:nixos.org | bingo | 14:53:07 |
@grahamc:nixos.org | okay new learning | 15:01:07 |
@grahamc:nixos.org | In reply to @grahamc:nixos.org like, I think the nvram is for "I don't have a filesystem yet!" stuff, plus perhaps password attempt counters this isn't stored in an arbitrary location in nvram, and it isn't on a per-secret basis, but an overall property of the TPM: a counter of failures:
[nix-shell:~]# tpm2 getcap properties-variable > prop-vals.2
[nix-shell:~]# diff prop-vals.1 prop-vals.2
29c29
< TPM2_PT_LOCKOUT_COUNTER: 0x7
---
> TPM2_PT_LOCKOUT_COUNTER: 0x8
| 15:02:21 |
@grahamc:nixos.org |
Note that the DA lockout counter decrements automatically every TPM_PT_LOCKOUT_INTERVAL seconds, in your case 100s.
| 15:04:29 |
@grahamc:nixos.org | mine is:
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
so 2 hours | 15:04:42 |
@grahamc:nixos.org | I sure wish there was some crash course already put together on all this | 15:05:57 |
andi- | I'll book one with DS once you are at that point. There is a friends&family discount, right? | 15:06:25 |
@grahamc:nixos.org | haha | 15:07:36 |
@grahamc:nixos.org | I should get a TPM simulator instead of putting my actual TPM in lockout | 15:09:01 |
@grahamc:nixos.org | did you figure out how to run the simulator? | 15:10:51 |
@grahamc:nixos.org | a very annoying thing about TPMs is the management thing | 15:22:05 |
andi- | I haven't continued that journey yet. I'm trying to get things organized for the weekend. Not going to have much more time besides during the Nights. | 16:20:04 |
| andi- invited Mic92. | 16:35:10 |
| Mic92 joined the room. | 16:35:19 |
Mic92 | I kinda stopped using my yubikey as well | 16:35:34 |
Mic92 | Is there an ssh-agent for tpm2? | 16:36:34 |
Mic92 | Otherwise I am ready: https://www.lenovo.com/us/en/laptops/thinkpad/thinkpad-x/ThinkPad-X13-Intel-/p/20T2CTO1WWENUS0/customize | 16:36:48 |
andi- | You can use the TPM as pkcs11 device | 16:36:49 |
andi- | I've been doing that for a few days now | 16:36:59 |
Mic92 | Does openssh support pkcs11? | 16:37:29 |
Mic92 | I rather prefer over gnupg codebase | 16:37:39 |
Mic92 | * I rather prefer theirs over gnupg codebase | 16:37:48 |
andi- | Yeah, you basically enable the tpm2 settings in the nixos options. Including the pkcs11 shim and then:
ssh-keygen -D /run/current-system/sw/lib/libtpm2_pkcs11.so
| 16:37:59 |
Mic92 | Nice. | 16:38:10 |
andi- | Yeah except that on current unstable you have to patch the tpm2-tss lib or rather remove our dlopen patch. | 16:38:37 |
andi- | I've not had a moment to upstream that yet. | 16:38:46 |
andi- | You can also follow this guide: https://incenp.org/notes/2020/tpm-based-ssh-key.html minus all the compiling | 16:40:11 |
andi- | Mic92: are you aware of a password manager that uses pkcs11 and isn't using GPG? Age is still not able to do that IIRC. | 16:43:58 |
andi- | (It has a bunch of repos around that topic but I've not managed to understand why they need so many) | 16:44:04 |