16 Jul 2021 |
andi- | So yesterday I was able to wipe my state without the correct password IIRC. All I did was call tpm2_clear . | 13:16:47 |
andi- | How do you protect against that? | 13:17:04 |
andi- | IIRC I did set two passwords when I first setup secrets. | 13:17:24 |
@grahamc:nixos.org | interesting | 13:21:19 |
@grahamc:nixos.org | not sure you can actually | 13:21:38 |
@grahamc:nixos.org | maybe you can | 13:21:44 |
@grahamc:nixos.org | but I'm thinking about how the bios can wipe it too | 13:24:08 |
andi- | That would mean that I must lock the tpm device away and only let root / a special user interact with it. | 13:24:25 |
andi- | I read some text that said that there are some hardware keys to adjust it | 13:24:38 |
@grahamc:nixos.org | you sort of need to do that anyway | 13:25:12 |
@grahamc:nixos.org | because the nvram isn't partitioned or anything, it has no fs, you just have offsets in to the memory you write to | 13:25:35 |
andi- | So you need to coordinate offsets across all your tools? e.g. OpenConnect and my kerberos daemon must each know where they can write? | 13:26:50 |
@grahamc:nixos.org | mostly tools don't need to write to the nvram I think | 13:27:15 |
@grahamc:nixos.org | like, I think the nvram is for "I don't have a filesystem yet!" stuff, plus perhaps password attempt counters | 13:27:35 |
andi- | I'll have to read a few more things on this... | 13:28:31 |
@grahamc:nixos.org | me too :P | 13:34:29 |
@grahamc:nixos.org | https://developers.tpm.dev/posts/15575774 got confirmation on my question about the private half not being sensitive | 13:40:53 |
andi- | Interesting. What do you do with primary.ctx? Store somewhere? Destroy as you don't intend to ever change it? | 13:43:06 |
@grahamc:nixos.org | destroy it and recreate every time | 13:43:19 |
@grahamc:nixos.org | I believe createprimary creates an encryption key to communicate with the TPM with, and then gets the key to sign | 13:43:56 |
@grahamc:nixos.org | * I believe createprimary creates an encryption key to communicate with the TPM with, and then gets the TPM's key | 13:44:17 |
@grahamc:nixos.org | the communication key is changing every time but that is fine, but the TPM's key is the same every time | 13:44:28 |
@grahamc:nixos.org | if you run createprimary with the same args a bunch of times the first half of the file is different every time and the second half is the same | 13:44:41 |
andi- | ok, perhaps I should start with QEMU and some soft TPM to play around with this | 13:47:05 |
andi- | less likely to screw up my SSH key that way :D | 13:47:14 |
@grahamc:nixos.org | yes, I haven't moved my dataset's encryption to use the TPM yet either :P | 13:47:58 |
andi- | When we used to say GPG is hard I think we really overstated it a bit in comparison | 13:48:33 |
@grahamc:nixos.org | you know, I disagree | 13:48:45 |
@grahamc:nixos.org | well | 13:48:54 |
andi- | I am not defending GPG... | 13:49:05 |