| 16 Jul 2021 |
 @grahamc:nixos.org | ah | 12:13:35 |
 andi- | and the root is also the part that takes the two passwords? | 12:13:37 |
| @grahamc:nixos.org | ah, no | 12:13:43 |
| @grahamc:nixos.org | heh | 12:13:45 |
| @grahamc:nixos.org | takeownership does 2 thinsg afaik:
- resets the seed which is used for all the root key calculations
- sets a password used to reset counters
| 12:14:06 |
| @grahamc:nixos.org | so you can set a policy saying increment a counter on decrypt attempt, and refuse if it goes about 10, then you need the ownership password to reset it | 12:14:51 |
| andi- | Ok, so that part is then stored in the NV RAM of the TPM? | 12:15:35 |
| @grahamc:nixos.org | yeah | 12:15:43 |
| @grahamc:nixos.org | you don't need any special credential to use the roots | 12:15:55 |
| @grahamc:nixos.org |
I am still a bit confused by the requirement of different secrets to decrypt one secret.
| 12:16:49 |
| andi- | Does the internal seed change the PCR values? I guess it shouldn't... | 12:16:54 |
| @grahamc:nixos.org | I think this is because you're maybe not ever going to decrypt it | 12:16:56 |
