This is likely the TPM's SRK failing to load. The TPM Token will try to load the SRK using a NULL password. IIRC this can be set by just hitting enter when prompted for the password in tpm_changeownerauth -s.
2010/7/20 Alexander Loukissas (aloukiss) <alouk...@cisco.com>:
> Actually a re-login was needed. However, now I get a different error:
>
> C_SetPIN failed: 0x00000006 (6)
>
> Alex
>
> -----Original Message-----
> From: Kent Yoder [mailto:shpedoi...@gmail.com]
> Sent: Tuesday, July 20, 2010 9:12 AM
> To: Alexander Loukissas (aloukiss)
> Cc: Klaus Heinrich Kiwi; opencryptoki-users@lists.sourceforge.net
> Subject: Re: [opencryptoki-users] error initializing token
>
> Hmm, there are really only 2 reasons why that should fail... Does
> `id` show your user in the pkcs11 group? Sometimes that requires a
> logout/login to take effect?
>
> 2010/7/20 Alexander Loukissas (aloukiss) <alouk...@cisco.com>:
>> Yup, there's a message saying:
>>
>> openCryptokiModule[2051]: api_interface.c:3397 Cannot Attach to Shared Memory
>>
>> This appears each time I run the tpmtoken_init command.
>>
>> Alex
>>
>> -----Original Message-----
>> From: Kent Yoder [mailto:shpedoi...@gmail.com]
>> Sent: Tuesday, July 20, 2010 9:04 AM
>> To: Alexander Loukissas (aloukiss)
>> Cc: Klaus Heinrich Kiwi; opencryptoki-users@lists.sourceforge.net
>> Subject: Re: [opencryptoki-users] error initializing token
>>
>> Are there any messages in /var/log/messages?
>>
>> If you've installed packages from a distro, can you install the
>> debugging rpms, export PKCS11_API_LOG_DEBUG=1, then try again and see
>> if anything is logged.
>>
>> If you've installed from source, you'd need to configure
>> --enable-debug, then make, make install and export the env var above.
>>
>> 2010/7/20 Alexander Loukissas (aloukiss) <alouk...@cisco.com>:
>>> Both of these are true already, but still the error appears.
>>>
>>> Alex
>>>
>>> -----Original Message-----
>>> From: Kent Yoder [mailto:shpedoi...@gmail.com]
>>> Sent: Tuesday, July 20, 2010 8:24 AM
>>> To: Alexander Loukissas (aloukiss)
>>> Cc: Klaus Heinrich Kiwi; opencryptoki-users@lists.sourceforge.net
>>> Subject: Re: [opencryptoki-users] error initializing token
>>>
>>> Hi Alex,
>>>
>>> Make sure pkcsslotd is running and that the user executing this
>>> command is a member of the pkcs11 group.
>>>
>>> Kent
>>>
>>> On Tue, Jul 20, 2010 at 9:48 AM, Alexander Loukissas (aloukiss)
>>> <alouk...@cisco.com> wrote:
>>>> Thanks Klaus,
>>>>
>>>> I've actually tried doing what you've suggested but I still can't make it
>>>> to work. In more detail, I get an error message when running the
>>>> tpmtoken_init: C_Initialize failed: 0x00000002 (2).
>>>>
>>>> Any ideas on that?
>>>>
>>>> Thanks
>>>> Alex
>>>>
>>>> -----Original Message-----
>>>> From: Klaus Heinrich Kiwi [mailto:kla...@linux.vnet.ibm.com]
>>>> Sent: Monday, July 19, 2010 6:47 PM
>>>> To: Alexander Loukissas (aloukiss)
>>>> Cc: opencryptoki-users@lists.sourceforge.net
>>>> Subject: Re: [opencryptoki-users] error initializing token
>>>>
>>>> On Mon, 2010-07-19 at 17:18 -0500, Alexander Loukissas (aloukiss) wrote:
>>>>> Hello,
>>>>>
>>>>> I've been playing around with opencryptoki and I've been seeing some
>>>>> issues initializing the TPM token (token #0) on my machine. When running
>>>>> "pkcsconf -I -c 0", I enter "87654321" as the SO PIN but I get "Error
>>>>> initializing token: 0xA4". Looking up the header files in the
>>>>> opencryptoki package, I found that this error corresponds to a
>>>>> "CKR_PIN_LOCKED" error in usr/include/pkcs11/pkcs11types.h
>>>>>
>>>>> In more detail, I do exactly what is described here:
>>>>> http://www.mail-archive.com/linux-...@vm.marist.edu/msg53084.html
>>>>>
>>>>> When trying the exact same steps for the soft token (token #1), all
>>>>> succeeds and I end up with the (correct) flags 0x44D on that token.
>>>>>
>>>>> Would anyone have an idea where this problem could be coming from? I've
>>>>> tried to clear out the TPM entirely from the BIOS, reclaim ownership,
>>>>> etc, but it didn't help.
>>>>>
>>>>> For reference, I'm using an Intel DQ57TM motherboard with an on-board
>>>>> TPM and Fedora Core 13.
>>>>
>>>> Hi Alexander. Thank you for your contact.
>>>>
>>>> Please try these instructions and let us know:
>>>> http://trousers.sourceforge.net/pkcs11.html
>>>>
>>>> Basically, you'll need to set the SRK passphrase in your TPM to the
>>>> "well-known password" (or something like it), that is, all zeros (there
>>>> are switches for that in the tpm tools - see their man pages).
>>>>
>>>> After that, use "tpmtoken_init" to initialize token.
>>>>
>>>> We know it's counter-intuitive to not use the pkcsconf utility like we
>>>> are able to in other tokens, but currently, due to the way the tpm token
>>>> is built, we have no way of doing that relying solely on the PKCS#11
>>>> API.
>>>>
>>>> -Klaus
>>>>
>>>>> Thanks,
>>>>>
>>>>> Alexander Loukissas
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> This SF.net email is sponsored by Sprint
>>>>> What will you do first with EVO, the first 4G phone?
>>>>> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
>>>>> _______________________________________________
>>>>> opencryptoki-users mailing list
>>>>> opencryptoki-users@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/opencryptoki-users
>>>>
>>>>
>>>> --
>>>> Klaus Heinrich Kiwi | kla...@br.ibm.com
>>>> IBM LTC Security Development | http://blog.klauskiwi.com
>>>> http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
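
The prerequisites this thread works through before `tpmtoken_init` (pkcsslotd running, user in the pkcs11 group, re-login after a group change), as an added example that is not part of the original messages. The function names are hypothetical and `pgrep` is assumed to be installed; the script compares the session's groups (`id -nG`) with the group database (`id -nG <user>`) to tell "not a member" apart from "member, but the session predates the change".

```shell
#!/bin/sh
# Added example, not from the thread: checks to run before tpmtoken_init.
GROUP=pkcs11       # group named in the thread
DAEMON=pkcsslotd   # slot daemon named in the thread

# in_list "space separated names" NAME -> succeeds if NAME is one of them
in_list() {
    for item in $1; do
        [ "$item" = "$2" ] && return 0
    done
    return 1
}

# group_state SESSION_GROUPS DB_GROUPS -> prints ok | relogin | missing
#   SESSION_GROUPS: groups of the running session (id -nG)
#   DB_GROUPS:      groups recorded for the user  (id -nG <user>)
group_state() {
    if in_list "$1" "$GROUP"; then
        echo ok
    elif in_list "$2" "$GROUP"; then
        echo relogin
    else
        echo missing
    fi
}

# advise DAEMON_UP(yes|no) GROUP_STATE -> prints the first unmet prerequisite
advise() {
    if [ "$1" != yes ]; then
        echo "start $DAEMON"
        return 1
    fi
    case "$2" in
        missing) echo "add the user to group $GROUP, then log in again"; return 1 ;;
        relogin) echo "log out and back in so the session gains group $GROUP"; return 1 ;;
    esac
    echo "prerequisites met; check the SRK password next"
}

# preflight: gather live state from this machine and report on it
preflight() {
    up=no
    pgrep -x "$DAEMON" >/dev/null 2>&1 && up=yes
    me=$(id -un)
    advise "$up" "$(group_state "$(id -nG)" "$(id -nG "$me")")"
}
```

Source the file and call `preflight` as the user who will run `tpmtoken_init`; it only reads state and changes nothing.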