Re: [opencryptoki-users] help on pkcs11 talking to tpm chip
From: Kent Y. <shp...@gm...> - 2007-11-14 16:19:35
Hi Sanjay,

On Nov 13, 2007 10:48 PM, Sanjay Sha <san...@gm...> wrote:
> Enabling debugging actually reveals some more information:
>
> ~:# tpmtoken_init -k tpm
> Warning: The TPM token has already been initialized. Reinitializing the TPM
> token will cause all TPM token data to be lost.
> Clear the TPM token data? [y/N]: y
> Enter the TPM security officer password:
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY"
> not found in the store!
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY"
> not found in the store!

FYI the above errors aren't really errors. :-) The TPM token is searching for the root keys that it automatically loads as part of the protection it does for the PKCS#11 data store. These keys don't exist yet because you haven't set up the SO and USER pins.

> A new TPM security officer password is needed. The password must be between
> 6 and 127 characters in length.
> Enter new password:
> Confirm password:

This looks like a bug in tpmtoken_init. I think it should be prompting you for the user password after SO pin, so apparently setting the SO pin is failing here.

>
> ~:# pkcsconf -c 0 -p
> Enter user PIN: *****
> Enter the new user PIN: ***
> Re-enter the new user PIN: ***
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY"
> not found in the store!
> LOG_ERR TPM_STDLL tpm_specific.c:623 ERROR: token_find_key failed.
> rc=0x8f000000
> LOG_ERR TPM_STDLL tpm_specific.c:1494 ERROR: token_load_public_root_key
> failed. rc=0x6
> Error logging in: 0x102

0x102 is user pin not initialized, you'd need to run pkcsconf -u first. Also, tpmtoken_init was meant to be a complete replacement for the pkcsconf steps. Once tpmtoken_init succeeds, your TPM token should be ready to use.

>
>
> ~:# pkcsconf -c 0 -P
> Enter the SO PIN: ********
> Enter the new SO PIN: ******
> Re-enter the new SO PIN: ******
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY"
> not found in the store!
> LOG_ERR TPM_STDLL tpm_specific.c:309 ERROR: Tspi_Key_GetPubKey failed:
> rc=0x1

Ok, the GetPubKey call is being used to grab the SRK pub key, which is failing with an authentication error. As the openCryptoki TPM token code is written now, the SRK password must be a hash of 0 bytes. You can set this up by just hitting enter when you're prompted for a new password in tpm_changeownerauth -s.

Try setting the SRK password and then just run tpmtoken_init to see if that works.

Thanks,
Kent

> LOG_ERR TPM_STDLL tpm_specific.c:1179 ERROR: token_wrap_sw_key failed.
> rc=0x1
> LOG_ERR TPM_STDLL tpm_specific.c:1835 ERROR: FAILED creating SO tree.
> ST MSG TPM_STDLL new_host.c:1224 whammy
>
> I am trying to read docs to understand this error message, but since you are
> the experts, you can
> tell me what is going wrong fairly easily. Please let me know.
>
>
>
> Thank you,
> Sanjay
> --
> 49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
> www.sanjaysha.com
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> opencryptoki-users mailing list
> ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opencryptoki-users
>
>

--
Kent Yoder
IBM LTC Security Dev.
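Added example, not part of the reply above and not openCryptoki code: a small Python triage of the debug output discussed in this thread, separating the expected "PUBLIC ROOT KEY" noise from the two lines the reply treats as actionable. The sample log is constructed from the quoted lines (unwrapped), and the rule table and function names are assumptions of this sketch.

```python
import re

# Constructed sample in the log format quoted in the thread (lines unwrapped).
SAMPLE_LOG = '''\
LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
LOG_ERR TPM_STDLL tpm_specific.c:309 ERROR: Tspi_Key_GetPubKey failed: rc=0x1
LOG_ERR TPM_STDLL tpm_specific.c:1179 ERROR: token_wrap_sw_key failed. rc=0x1
Error logging in: 0x102
'''

LOG_RE = re.compile(r'^LOG_ERR\s+\S+\s+(?P<src>[\w.]+:\d+)\s+ERROR:\s+(?P<msg>.*)$')
RC_RE = re.compile(r'\brc=(0x[0-9a-fA-F]+)')
LOGIN_RE = re.compile(r'^Error logging in:\s+(0x[0-9a-fA-F]+)')

# (message substring, required rc or None, severity, note); notes paraphrase the reply.
RULES = [
    ('not found in the store', None, 'benign',
     'root keys do not exist until the SO and USER PINs are set'),
    ('Tspi_Key_GetPubKey failed', 0x1, 'action',
     'SRK auth failed: press Enter at the new-password prompt of '
     'tpm_changeownerauth -s, then rerun tpmtoken_init'),
]

def classify(line):
    """Return (severity, where, note) for one line, or None if it is not an error line."""
    line = line.strip()
    m = LOGIN_RE.match(line)
    if m:
        if int(m.group(1), 16) == 0x102:
            return ('action', 'login', 'user PIN not initialized: run pkcsconf -u first')
        return ('unclassified', 'login', line)
    m = LOG_RE.match(line)
    if not m:
        return None
    rc = RC_RE.search(m['msg'])
    rc_val = int(rc.group(1), 16) if rc else None
    for needle, want_rc, severity, note in RULES:
        # A rule with want_rc=None matches on the message alone.
        if needle in m['msg'] and want_rc in (None, rc_val):
            return (severity, m['src'], note)
    return ('unclassified', m['src'], m['msg'])

def triage(log_text):
    """Classify every recognised line, keeping log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == '__main__':
    for severity, where, note in triage(SAMPLE_LOG):
        print(f'{severity:12} {where:22} {note}')
```

Lines the rules do not cover, such as the token_wrap_sw_key failure, are reported as unclassified rather than guessed at.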