Re: [opencryptoki-users] why TPM TOKEN is not found
From: Vineetha P. h. p. <vp...@us...> - 2016-05-06 14:32:14
Hello Farrag,

Is TPM enabled in BIOS? If not, you would need to enable it in BIOS settings. Make sure the 'tpm_setpresence' command works.

By default, the tpm sets its owner and SRK passwords to a secret that is 20 bytes of zeros. But opencryptoki hardcodes the tpm's owner and SRK secret to be the empty string. The empty string is NOT the same as 20 bytes of zeros. So we need to sync these up. There are 2 ways to do this; we can either change the tpm's passwords or tell opencryptoki the tpm's correct passwords.

1. I think it is easiest to change the tpm's passwords to the empty string.

   a. When you take ownership, set the SRK and owner password to the empty string to match opencryptoki.
      - Take ownership of the tpm:
            # tpm_takeownership
        When prompted for the owner and SRK password, hit enter, thus setting it to the empty string which opencryptoki has hardcoded.

   b. If you have already taken ownership, then you can use tpm_changeownerauth to set the password to the empty string for opencryptoki.

2. Instead of changing the tpm, change opencryptoki to match the tpm.
   - Take ownership of the tpm:
         # tpm_takeownership -z -y
     Now change it to the tpm's well known secret in opencryptoki:
         export OCK_SRK_SECRET="0000000000000000000000000000000000000000"
         export OCK_SRK_MODE=TSS_SECRET_MODE_SHA1

You either do 1 or 2, not both.

Good luck.

Thanks,
Vineetha Pai
Linux Security Development, LTC
notes - vp...@us...


From: "Farrag, Osama" <Osa...@jh...>
To: "ope...@li..." <ope...@li...>
Date: 05/06/2016 03:28 AM
Subject: [opencryptoki-users] why TPM TOKEN is not found

I am trying to use opencryptoki with TPM, but after configuring and building opencryptoki on a system with trousers running, and with TPM ownership set up and the SRK created, I am not able to have my TPM token recognized.

Here is what I did:

1- I configured and made opencryptoki on my centos7 machine using

   >> sh bootstrap.sh
   >> ./configure --enable-debug --enable-testcases --enable-tpmtok --disable-ccatok
   :
   :
   Enabled features:
       Debug build:           yes
       Testcases:             yes
       Daemon build:          yes
       Library build:         yes
       Systemd service:       no
   Enabled token types:
       ICA token:             no
       CCA token:             no
       Software token:        yes
       EP11 token:            no
       TPM token:             yes
       ICSF token:            no
   Token-specific features:
       pkcsep11migrate build: no
   CFLAGS=-g -O2 -gdwarf-2 -g3 -O0 -DDEBUG -DPKCS64 -D_XOPEN_SOURCE=600 -Wall -Wno-pointer-sign -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"

First I verified trousers is running:

   >> ps -A | grep tcsd
   13582 ?        00:00:00 tcsd

I also ran tpm_version:

   TPM 1.2 Version Info:
   Chip Version:         1.2.5.81
   Spec Level:           2
   Errata Revision:      3
   TPM Vendor ID:        WEC
   Vendor Specific data: 0000
   TPM Version:          01010000
   Manufacturer Info:    57454300

I have successfully taken ownership of the TPM and the SRK is already set up in the TPM hardware.

I checked the contents of the openCryptoKi configuration file:

   vi /etc/opencryptoki/opencryptoki.conf

   slot 0
   {
   stdll = libpkcs11_tpm.so
   }

   slot 1
   {
   stdll = libpkcs11_ica.so
   }

   slot 2
   {
   stdll = libpkcs11_cca.so
   }

   slot 3
   {
   stdll = libpkcs11_sw.so
   }

   slot 4
   {
   stdll = libpkcs11_ep11.so
   confname = ep11tok.conf
   }

But when I used pkcsconf -s to verify that the TPM token is present:

   sudo pkcsconf -s
   ...
   Slot #3 Info
       Description: Linux
       Manufacturer: IBM
       Flags: 0x1 (TOKEN_PRESENT)
       Hardware Version: 0.0
       Firmware Version: 0.0

Only libpkcs11_sw is present? What is missing: does the package's default build not include the TPM? Or is the configuration file not correct?
[attachment "default[3].xml" deleted by Vineetha Pisharath hari pai/Poughkeepsie/IBM]
[attachment "default[4].xml" deleted by Vineetha Pisharath hari pai/Poughkeepsie/IBM]
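The reply above turns on one detail: the TPM's SRK is authorized with a 20-byte SHA-1 authdata value, and the "empty string" opencryptoki hardcodes and the "well-known secret" tpm-tools installs with -z are two different 20-byte values. The following Python model, written for this thread and not taken from opencryptoki, TrouSerS or tpm-tools, shows how each side's authdata is derived under the two TSS secret modes and why option 1 and option 2 each produce a match while the unmodified default does not. It assumes (as stated in the TSS 1.2 specification) that TSS_SECRET_MODE_PLAIN SHA-1-hashes the passphrase and TSS_SECRET_MODE_SHA1 takes the value as the digest itself, that tpm_takeownership uses plain mode for a typed password, that opencryptoki's default mode is plain, and that OCK_SRK_SECRET is read as 40 hex characters in SHA1 mode (the form shown in the reply). Only the SRK secret is modelled, since only the OCK_SRK_* variables appear in the thread.

```python
import hashlib

WELL_KNOWN_SECRET = bytes(20)   # TPM 1.2 "well-known secret": 20 zero bytes (tpm_takeownership -z)
AUTH_LEN = 20                   # TPM 1.2 authdata is exactly one SHA-1 digest


def tss_auth_value(secret: str, mode: str) -> bytes:
    """Return the 20-byte authdata a TSS presents to the TPM for a given secret mode.

    Only the two modes named in the thread are modelled.
    """
    if mode == "TSS_SECRET_MODE_PLAIN":
        # Plain mode: the TSS hashes the passphrase; "" therefore becomes SHA1(""),
        # not 20 zero bytes (assumption: TSS 1.2 semantics).
        return hashlib.sha1(secret.encode("utf-8")).digest()
    if mode == "TSS_SECRET_MODE_SHA1":
        # SHA1 mode: the caller supplies the digest itself, given here as hex
        # (assumption about how opencryptoki parses OCK_SRK_SECRET).
        digest = bytes.fromhex(secret)
        if len(digest) != AUTH_LEN:
            raise ValueError("TSS_SECRET_MODE_SHA1 secret must be exactly 20 bytes")
        return digest
    raise ValueError(f"unsupported secret mode: {mode}")


def tpm_srk_auth(use_well_known: bool, typed_password: str = "") -> bytes:
    """Authdata the SRK ends up with after tpm_takeownership.

    use_well_known models the -z flag; otherwise the typed password is used in
    plain mode (assumption: tpm-tools' default, non-unicode behaviour).
    """
    if use_well_known:
        return WELL_KNOWN_SECRET
    return tss_auth_value(typed_password, "TSS_SECRET_MODE_PLAIN")


def opencryptoki_srk_auth(env: dict) -> bytes:
    """Authdata the opencryptoki TPM token presents, derived from OCK_SRK_* variables.

    The defaults model the reply's statement that opencryptoki hardcodes the
    empty string; plain mode as the default is an assumption.
    """
    secret = env.get("OCK_SRK_SECRET", "")
    mode = env.get("OCK_SRK_MODE", "TSS_SECRET_MODE_PLAIN")
    return tss_auth_value(secret, mode)


def srk_auth_matches(use_well_known: bool, typed_password: str, env: dict) -> bool:
    """True when opencryptoki would authorize successfully against the SRK."""
    return tpm_srk_auth(use_well_known, typed_password) == opencryptoki_srk_auth(env)


if __name__ == "__main__":
    # The mismatch the thread describes: well-known SRK secret vs. opencryptoki's default.
    print("tpm_takeownership -z, default opencryptoki:", srk_auth_matches(True, "", {}))  # False
    # Option 1: take ownership with an empty password, leave opencryptoki alone.
    print("option 1:", srk_auth_matches(False, "", {}))  # True
    # Option 2: keep -z and point opencryptoki at the well-known secret in SHA1 mode.
    env = {"OCK_SRK_SECRET": "00" * 20, "OCK_SRK_MODE": "TSS_SECRET_MODE_SHA1"}
    print("option 2:", srk_auth_matches(True, "", env))  # True
```

Note that exporting OCK_SRK_SECRET="" with OCK_SRK_MODE=TSS_SECRET_MODE_SHA1 is rejected by this model (zero bytes instead of twenty), which is the same reason the empty string and the well-known secret cannot be treated as interchangeable: in SHA1 mode the value must already be a full digest.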