| 6 Aug 2021 |
 @grahamc:nixos.org | is the event log plausibly at another location than /sys/class/tpm/tpm0/device ? | 13:16:52 |
| @grahamc:nixos.org | * is the event log plausibly at another location than /sys/kernel/security/tpm0/binary_bios_measurements ? | 13:17:04 |
| 8 Aug 2021 |
 andi- | https://gitlab.gnome.org/GNOME/libsecret/-/merge_requests/90 <3 | 15:13:42 |
| andi- | ^ GSoC project using TPM2 as backend for libsecret passwords. Exactly what I wanted to build... | 15:14:05 |
| 11 Aug 2021 |
 Mic92 (Old) | It's weird that dkms does not handle kmod signatures by default: https://gist.github.com/lijikun/22be09ec9b178e745758a29c7a147cc9 | 14:16:46 |
| Mic92 (Old) | That look painful to set up | 14:17:23 |
| Mic92 (Old) | I wonder if NixOS also should sign kernel modules | 14:22:52 |
| andi- | I think we used to sign with a random key during compilation but that has been thrown away for reproducibility | 14:23:25 |
| andi- | That is for in-tree modules. Not sure about out of tree modules. | 14:24:29 |
| Mic92 (Old) | I think for out-of-tree modules one could have a build hook | 14:25:07 |
| andi- | and the signing key is a (separate) output of the actual kernel build? | 14:25:30 |
| Mic92 (Old) | Yes. It could be actually a build hook in the kernel. Every out-of-tree kernel module already has this as a depedency | 14:27:54 |
| Mic92 (Old) | *dependency | 14:27:57 |
| @grahamc:nixos.org | I'd love to see development in that area, it'd be a bit tricky to know you're supposed to have access to the signing key | 15:44:08 |
| Mic92 (Old) | I just stumbled over this features for the first time when modifying some runc hypervisor. | 15:48:29 |
| andi- | we could have a disallowedRequisites = [ kernel.signingKey ]; as very minimal "safety" against having the key world readable on the system (by accident). That is obviously not a silver bullet. Everyone that can build software against the systems nixpkgs checkout could generate properly signed modules and given that it would have to be deterministic you could probably just generate the key "offline" on another box.. | 15:52:46 |
| andi- | What exactly are we gaining again? :D | 15:52:55 |
| Mic92 (Old) | So would need an activation phase that signs all keys afterwards? | 16:10:35 |
| 13 Aug 2021 |
| @grahamc:nixos.org | the work I'm doing around secureboot support is based on a more involved bootloader "install" step which could support signing modules | 19:47:39 |
| 18 Aug 2021 |
| Mic92 (Old) | https://github.com/NixOS/nixpkgs/pull/134577 | 05:30:59 |
| @grahamc:nixos.org | tpm2_unseal -c ${dev.tpm2KeyFile.persistentObject} -p ${dev.tpm2KeyFile.authString} > /crypt-ramfs/tpm/unsealed
| 14:47:23 |
| @grahamc:nixos.org | I'm thinking this should be starting an auth session (I think that is the right term) and using the session key for subsequent calls so that the channel with the TPM is all encrypted | 14:48:23 |
| @grahamc:nixos.org | is tpm2_startauthsession the command which does that? | 14:48:52 |
|  Roos joined the room. | 18:47:17 |
| 29 Aug 2021 |
|  vika (she/her) 🏳️⚧️ joined the room. | 09:45:57 |
| 31 Aug 2021 |
|  Florian | W3F changed their display name from Florian | W3F to Florian | W3F - OoO. | 08:11:03 |
| 2 Sep 2021 |
|  tnias joined the room. | 21:50:46 |
| 4 Sep 2021 |
|  [0x4A6F] joined the room. | 09:55:44 |
| 9 Sep 2021 |
|  sugi joined the room. | 22:35:18 |
| 13 Sep 2021 |
| Florian | W3F changed their display name from Florian | W3F - OoO to Florian | W3F - OoO Mon/Tue. | 11:56:00 |
