
List:       trousers-users
Subject:    Re: [TrouSerS-users] Trouble with tpmtoken_init
From:       Kent Yoder <shpedoikal () gmail ! com>
Date:       2012-09-10 18:58:49
Message-ID: CAM0nabGg88VRp4+iGoGPqacjwaUi+f4vp9F4_f1UG8sTH6JTNQ () mail ! gmail ! com

Hi Rick,

On Fri, Sep 7, 2012 at 11:37 PM, rick <slamb@xtcn.com> wrote:
> Can anyone help? Here are the steps I take:
>
> 1. Install fresh copy of Ubuntu 12.04 i386 server onto a Dell Optiplex 755 (a
> machine referenced by other TPM examples and known to work).
>
> 2. Go to BIOS Security->TPM settings and CLEAR and ACKNOWLEDGE and ACTIVATE.
>
> 3. Power down the machine.  Power up the machine.  Log in as root.
>
> 4. apt-get install tpm-tools, which pulls in trousers and opencryptoki and
> successfully starts tcsd.
>
> 5. tpm_takeownership
> Enter owner password:<CR>
> Confirm password:<CR>
> Enter SRK password:<CR>
> Confirm password:<CR>
> ...2 min wait....
>
> 6. tpm_restrictsrk -a
>
> 7. tpmtoken_init -l debug
> C_GetFunctionList success
> C_Initialize success
> C_GetSlotList success
> Slots present: 2
> C_GetSlotList success
> Retrieving slot information for SlotID 0
> C_GetSlotInfo success
> Slot description: Linux 3.2.0-29-generic-pae Linux (TPM)
> Slot manufacturer: Linux 3.2.0-29-generic-pae
> Token is present
> Retrieving token information for SlotID 0
> C_GetTokenInfo success
> Token Label: IBM PKCS#11 TPM Token
> Token manufacturer: IBM Corp.
> Token model: TPM v1.1 Token
> Token is not initialized
> C_InitToken success
> C_OpenSession success
> C_Login success
> A new TPM security officer password is needed. The password must be between 4
> and 8 characters in length.
> Enter new password:123456    (yes: using 87654321 here fails /w pkcs err 0xA1)

  This means that the opencryptoki data on disk is still hanging
around from your last attempt at init.  That will include a key
wrapped by the *previous* SRK.

> Confirm password:123456
> C_SetPIN success
> C_CloseSession success
> C_OpenSession success
> C_Login failed: 0x00000102 (258)

  This fails because the load of the Public root key failed - and that
failed because it was wrapped by the *old* SRK.  To get rid of the old
public root key, you can just blow away /var/lib/opencryptoki/tpm.

Kent

> C_CloseSession success
> C_Finalize success
> tpmtoken_init failed
>
>
> Any clues?
>
> Sure, I do rm -rf /var/lib/opencryptoki/tpm
>    pkcs11_startup
>    /etc/init.d/opencryptoki restart
> and try again but no go for most systems.
>
> My gut says it might be a HSM slot identity problem since opensc tools get
> confused between sw and tpm slots when slot numbers are used to identify them.
> But I am not the expert.
>
> It would really be good if there was a way to get this to work out of the box.
>
> Thank you,
> -Rick
>
> [1] I recently gave up and just built my own MPU board /w an Atmel 3204 chip and
> my own pkcs11 library (10 1024rsa/s instead of the 1 rsa/s using opencryptoki).
>
>
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> TrouSerS-users mailing list
> TrouSerS-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/trousers-users



-- 
IBM LTC Security
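
The failure sequence Kent describes, turned into a log check plus a reversible cleanup step. This is an added example, not part of the original thread or of opencryptoki; the function names are hypothetical, the CKR names are taken from the PKCS#11 return-value table, and moving the store aside instead of deleting it is a choice made here.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Name the two PKCS#11 return values that appear in the thread.
ckr_name() {
    case "$1" in
        0x000000A1) echo CKR_PIN_INVALID ;;
        0x00000102) echo CKR_USER_PIN_NOT_INITIALIZED ;;
        *) echo "unknown($1)" ;;
    esac
}

# Read a saved `tpmtoken_init -l debug` log ($1). Prints:
#   "stale-store <CKR>"  C_Login failed after C_SetPIN succeeded, the
#                        sequence Kent ties to a key wrapped by the old SRK
#   "other <CKR>"        any other C_Login failure
#   "ok"                 no C_Login failure logged
diagnose_log() {
    result=$(awk '
        /^C_SetPIN success/ { pin_set = 1 }
        /^C_Login failed:/  { kind = pin_set ? "stale-store" : "other"
                              print kind, $3; found = 1; exit }
        END { if (!found) print "ok" }' "$1")
    case "$result" in
        ok) echo ok ;;
        *)  echo "${result%% *} $(ckr_name "${result#* }")" ;;
    esac
}

# Move the token store ($1) aside instead of deleting it. The path ends up
# absent, as after rm -rf, but the old files remain for inspection.
# Prints the new location.
set_aside_store() {
    store=${1%/}
    [ -d "$store" ] || { echo "no token store at $store" >&2; return 1; }
    dest="$store.stale.$(date +%Y%m%d%H%M%S)"
    [ ! -e "$dest" ] || { echo "$dest already exists" >&2; return 1; }
    mv -- "$store" "$dest" && echo "$dest"
}

# Usage: sh triage.sh tpmtoken_init.log
if [ "$#" -ge 1 ] && [ -r "$1" ]; then diagnose_log "$1"; fi
```

On a "stale-store" result, `set_aside_store /var/lib/opencryptoki/tpm` (as root) clears the path named in the thread; the restart and `tpmtoken_init` steps then follow as in Rick's message.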
