13 Dec 2024 |
netpleb | * I want to know whether I can control which encryption/decryption key is used by the TPM for when .tpm files are created. Rather than the TPM using some encryption/decryption key which was provided/burned-in or whatever by firmware, can I require it to use one of my own? (so long as I can safely add that key to the TPM) | 21:11:53 |
14 Dec 2024 |
K900 | In reply to @netpleb:matrix.org I am back with another dumb question. This time it is about using tpm2 though. Is this a good channel to ask it? Feels like if anybody knows the answer it is all of you in here. You want #users:nixos.org | 07:25:59 |
16 Dec 2024 |
Mic92 | TPMs most of the time will try to generate their own generated key. I haven't heard of an import function yet. | 16:57:37 |
Arian | TPMs for sure can import keys | 18:53:48 |
Arian | TPM2_Import :) | 18:54:00 |
K900 | Please stop posting in the decommissioned room | 18:56:31 |
17 Dec 2024 |
| @philiptaron:matrix.org left the room. | 23:07:08 |
18 Dec 2024 |
netpleb | I am confused as to how we are to know whether this room is decommissioned or not. | 19:22:46 |
K900 | You aren't, because the room is extremely split brained | 19:23:38 |
K900 | So it can't be modified in a way that's visible to most users | 19:23:51 |
K900 | For Matrix state resolution reasons | 19:24:00 |
netpleb | Yes, that works for importing keys into a hierarchy on the TPM. You can specify which "parent" key in the tpm should be used to encrypt the stuff you are importing too. The thing that is frustrating (at least to me) is that you cannot specify the "seed" which is used to derive, for example, the platform and endorsement keys. The TPM uses the TPM's random number generator for those seeds and then deterministically derives the keys. However, if nothing else but for audit purposes, it would be quite nice if we could force the TPM to use seeds of our choosing. Hope that makes sense. At least that is my current/limited/probably-wrong understanding. Sorry for posting again to decommissioned room :( | 19:26:28 |
Mic92 | I don't think this room is decommissioned. | 19:27:08 |
joepie91 🏳️🌈 | see, split brain :) | 19:27:26 |
Mic92 | Those matrix links never work for me. | 19:28:30 |
Arian | Just don't use the endorsement hierarchy? | 19:28:52 |
Arian | Or can you also not set the seed for the owner hierarchy? | 19:29:04 |
K900 | Oh wait | 19:31:12 |
K900 | This is not the old #nix:nixos.org room | 19:31:20 |
K900 | What the fuck is this room then | 19:31:46 |
Mic92 | No. This is #systems-programming:nixos.org | 19:31:59 |
K900 | Oh great | 19:32:10 |
K900 | Then it's split brained | 19:32:12 |
K900 | @hexa do the thing | 19:32:15 |
netpleb | Right, as far as I can tell we cannot set the seed even for the owner hierarchy. But I also am very new to these APIs and may not be fully understanding. | 19:42:21 |
K900 | Audit of what exactly | 19:44:53 |
K900 | It makes no sense for the TPM security model to load outside keys | 19:45:01 |
K900 | Because then you have other ways to leak keys | 19:45:08 |