16 Jul 2021 |
andi- | https://aboutcher.co.uk/2020/06/fedora-linux-luks-encryption-with-tpm-unlock/ this sounds so easy :D | 14:02:06 |
hexa | oh right, clevis. | 14:02:51 |
andi- | Getting clevis to work on NixOS would already be amazing. SSS for unlocking a community computer is a common enough use case. | 14:03:33 |
hexa | right, that's when we looked into that | 14:03:59 |
andi- | and tango is the remote attestation part to it | 14:05:09 |
@grahamc:nixos.org | I clicked the link thinking "oh great, exactly what we need, yet another blog post with some obscure commands with dozens of flags that probably makes it work just barely well enough but not actually be thorough" | 14:08:15 |
@grahamc:nixos.org | but it is short enough that I reasonably trust it! | 14:08:23 |
andi- | So clevis probably puts the two public parts into the initrd? | 14:09:15 |
@grahamc:nixos.org | maybe uses nvram | 14:09:27 |
andi- | https://github.com/latchset/clevis/blob/f8132dfbfdce6db8b2195bc6cd34c46db369ba5d/src/pins/tpm2/clevis-encrypt-tpm2#L70 | 14:11:52 |
andi- | apparently does. After that line all your other keys are gone? | 14:12:16 |
andi- | More like here https://github.com/latchset/clevis/blob/f8132dfbfdce6db8b2195bc6cd34c46db369ba5d/src/pins/tpm2/clevis-encrypt-tpm2#L156-L157 | 14:12:23 |
@grahamc:nixos.org | bash ;_; | 14:13:00 |
andi- | Isn't that your favourite language? :) | 14:13:44 |
@grahamc:nixos.org | :) | 14:13:53 |
@grahamc:nixos.org | set -e # all good! | 14:13:58 |
andi- | oh, I am confusing you with that other guy... | 14:14:17 |
@grahamc:nixos.org | https://github.com/latchset/clevis/blob/f8132dfbfdce6db8b2195bc6cd34c46db369ba5d/src/pins/tpm2/clevis-encrypt-tpm2#L21-L25 | 14:16:11 |
andi- | Any idea where that code is? | 14:18:49 |
andi- | I've only found a dracut module with that name | 14:19:16 |
@grahamc:nixos.org | I can't find it | 14:19:29 |
andi- | I feel like I'd want to throw most of clevis away and implement it in Rust/Python/... instead | 14:41:06 |
@grahamc:nixos.org | when people look at Nixpkgs and say "puke, bash" I say yes but it runs in a sandbox and is gone at the end | 14:50:52 |
@grahamc:nixos.org | like yeah, puke, bash, but you're not forever cursed by its taint | 14:51:06 |
andi- | "gone" I have an entire directory on my disk full of it that :D | 14:51:16 |
@grahamc:nixos.org | it is inert! :) | 14:51:43 |
andi- | so yeah, let's understand how all this stuff works before rewriting things from scratch | 14:51:49 |
@grahamc:nixos.org | run clevis inside a nix-build with the sandbox disabled | 14:52:19 |
@grahamc:nixos.org | 🙈 | 14:52:22 |