| 16 Jul 2021 |
 @grahamc:nixos.org | takeownership does 2 thinsg afaik:
- resets the seed which is used for all the root key calculations
- sets a password used to reset counters
| 12:14:06 |
| @grahamc:nixos.org | so you can set a policy saying increment a counter on decrypt attempt, and refuse if it goes about 10, then you need the ownership password to reset it | 12:14:51 |
 andi- | Ok, so that part is then stored in the NV RAM of the TPM? | 12:15:35 |
| @grahamc:nixos.org | yeah | 12:15:43 |
| @grahamc:nixos.org | you don't need any special credential to use the roots | 12:15:55 |
| @grahamc:nixos.org |
I am still a bit confused by the requirement of different secrets to decrypt one secret.
| 12:16:49 |
| andi- | Does the internal seed change the PCR values? I guess it shouldn't... | 12:16:54 |
| @grahamc:nixos.org | I think this is because you're maybe not ever going to decrypt it | 12:16:56 |
| @grahamc:nixos.org | but maybe you're just using it for attestation | 12:17:07 |
| @grahamc:nixos.org | I don't think the seed has anything to do with the PCR, yeah | 12:18:16 |
| @grahamc:nixos.org | Redacted or Malformed Event | 12:19:07 |
| @grahamc:nixos.org | ah here we are | 12:20:30 |
| @grahamc:nixos.org | you can get what the TPM calls a "quote" which is the PCRs signed by the TPM, in a way you can trust itis actually the PCRs and not falsified | 12:21:03 |
