List: ubuntu-devel-discuss
Subject: A bug in opencryptoki?
From: Greg Staniak <greg () metail ! co ! uk>
Date: 2016-08-12 10:11:53
Message-ID: CADU6uVEn5eUk5=dUyLUTmOJSRA3mF0Q=BvBhO_D3XJaoCrfG1g () mail ! gmail ! com
Hi,
I've been trying to set up EAP-TLS .1x auth for our wifi users, utilizing
the opencryptoki daemon to access TPM slots through the PKCS#11 interface.
I managed to get this working for the root account, but hit a problem when
using a user account -- I could see the TPM hardware via the tcsd daemon:
$ tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.66.5
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: ATML
TPM Version: 01010000
Manufacturer Info: 41544d4c
$ tpm_selftest -l debug
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Tspi_TPM_SelfTestFull success
Tspi_TPM_GetTestResult success
TPM Test Results: 0000
tpm_selftest succeeded
Tspi_Context_FreeMemory success
Tspi_Context_Close success
then configured opencryptoki to connect to it using slot #0, but any
attempt at using the TPM storage using opencryptoki was failing for a
regular user (that had been added to the 'pkcs11' group). This was the
result for root:
# pkcsconf -i
PKCS#11 Info
Version 2.20
Manufacturer: IBM
Flags: 0x0
Library Description: Meta PKCS11 LIBRARY
Library Version 3.4
# pkcsconf -t
Token #0 Info:
Label: IBM PKCS#11 TPM Token
Manufacturer: IBM Corp.
Model: TPM v1.1 Token
Serial Number: 123
Flags: 0x880045
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 18:10:21
# pkcsconf -s
Slot #0 Info
Description: TPM
Manufacturer: ATML
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 1.2
Firmware Version: 66.5
as opposed to the regular user:
$ pkcsconf -i
C_GetSlotList returned 0 slots. Check that your tokens are installed
correctly.
$ pkcsconf -t
C_GetSlotList returned 0 slots. Check that your tokens are installed
correctly.
$ pkcsconf -s
C_GetSlotList returned 0 slots. Check that your tokens are installed
correctly.
A bit of digging led to an strace run of the pkcsconf tool, which included
the following lines:
stat("/var/lib/opencryptoki/tpm/[redacted]", 0x7ffd5a4295b0) = -1 ENOENT
(No such file or directory)
mkdir("/var/lib/opencryptoki/tpm/[redacted]", 0700) = -1 EACCES (Permission
denied)
Looks like the slot storage for the TPM module is created as a per-user
directory in /var/lib/opencryptoki/tpm, but this directory's permissions
are:
/var/lib/opencryptoki# ll | grep tpm
drwxr-xr-x 3 root root 4096 Aug 11 18:10 tpm/
so a member of the 'pkcs11' group doesn't have permissions to create their
own storage directory. After changing the permissions on the parent to:
# ll /var/lib/opencryptoki/ | grep tpm
drwxrwxr-x 4 root pkcs11 4096 Aug 12 10:04 tpm/
I was able to see the TPM slots as a user:
$ pkcsconf -i
PKCS#11 Info
Version 2.20
Manufacturer: IBM
Flags: 0x0
Library Description: Meta PKCS11 LIBRARY
Library Version 3.4
$ pkcsconf -t
Token #0 Info:
Label: IBM PKCS#11 TPM Token
Manufacturer: IBM Corp.
Model: TPM v1.1 Token
Serial Number: 123
Flags: 0x880045
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 10:04:30
$ pkcsconf -s
Slot #0 Info
Description: TPM
Manufacturer: ATML
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 1.2
Firmware Version: 66.5
and this appeared under the tpm directory:
# ll /var/lib/opencryptoki/tpm/
total 16
drwxrwxr-x 4 root pkcs11 4096 Aug 12 10:04 ./
drwxrwxr-x 5 root pkcs11 4096 Aug 11 13:15 ../
drwx------ 3 user user 4096 Aug 12 10:04 user/
drwx------ 3 root root 4096 Aug 11 18:10 root/
If I understand the intended usage of the pkcs11 tools correctly, this is a
bug/misconfiguration.
Best regards,
Greg
--
Greg Staniak <greg@metail.co.uk>
Systems and Devops Engineer
Metail
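A small audit helper for the layout described in the message above, added here as an example; it is not code from the original post or from the opencryptoki project. It encodes the two conditions the post arrives at: the parent store (/var/lib/opencryptoki/tpm, group pkcs11) must be group rwx so a member can stat() and mkdir() their own subdirectory, and each per-user store must stay private (drwx------, owned by that user). Directory and group names are parameters so it can be tried on a scratch directory; the function names, the defaults and the demo layout are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post or the opencryptoki project):
# check and repair the permissions of the opencryptoki TPM token store.
# The layout follows the post: one 0700 directory per user under the parent,
# the parent group-owned by pkcs11 and group-writable.

STORE_DEFAULT=/var/lib/opencryptoki/tpm   # path from the post
GROUP_DEFAULT=pkcs11                       # group from the post

# check_token_store DIR GROUP
# Returns 0 when DIR is group-owned by GROUP with group rwx (so a member can
# stat() and mkdir() below it); otherwise prints the reason and returns 1.
check_token_store() {
    dir=${1:-$STORE_DEFAULT}
    group=${2:-$GROUP_DEFAULT}
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    # Parse `ls -ld`: field 1 is the mode string, field 4 the owning group.
    # A trailing '.' or '+' on the mode (SELinux/ACL) does not break the match.
    set -- $(ls -ld "$dir")
    mode=$1
    owner_group=$4
    if [ "$owner_group" != "$group" ]; then
        echo "bad group: $dir is group $owner_group, expected $group"
        return 1
    fi
    case $mode in
        d???rwx*) echo "ok: $dir ($mode $owner_group)"; return 0 ;;
        *) echo "bad mode: $dir is $mode; group $group needs rwx"; return 1 ;;
    esac
}

# check_user_store DIR USER
# Each per-user store should be private: owned by USER, mode drwx------,
# exactly as the post's listing shows for user/ and root/.
check_user_store() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    if [ "$owner" != "$user" ]; then
        echo "bad owner: $dir is owned by $owner, expected $user"
        return 1
    fi
    case $mode in
        drwx------*) echo "ok: $dir is private to $user"; return 0 ;;
        *) echo "bad mode: $dir is $mode; expected drwx------"; return 1 ;;
    esac
}

# fix_token_store DIR GROUP
# Applies the change the post made to the parent: group pkcs11, mode 775.
# Needs to be run as the directory owner or as root.
fix_token_store() {
    dir=${1:-$STORE_DEFAULT}
    group=${2:-$GROUP_DEFAULT}
    chgrp "$group" "$dir" && chmod 775 "$dir"
}

# Self-contained demo on a scratch directory, using the caller's own primary
# group in place of pkcs11 so it runs without root.
demo() {
    tmp=$(mktemp -d)
    grp=$(id -gn)
    usr=$(id -un)
    mkdir -m 755 "$tmp/tpm"                 # the broken state from the post
    check_token_store "$tmp/tpm" "$grp" || true   # reports: bad mode
    fix_token_store "$tmp/tpm" "$grp"
    check_token_store "$tmp/tpm" "$grp"           # reports: ok
    mkdir -m 700 "$tmp/tpm/$usr"            # what the token creates per user
    check_user_store "$tmp/tpm/$usr" "$usr"       # reports: ok
    rm -rf "$tmp"
}

demo
```

Run it as root against the real path with `check_token_store /var/lib/opencryptoki/tpm pkcs11` to reproduce the post's diagnosis, and `check_user_store /var/lib/opencryptoki/tpm/$USER $USER` to confirm the per-user store stayed private after the parent was opened up to the group.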
--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss