Tom Lendacky <toml <at> us.ibm.com> writes:
...
> > > > 6. tpm_restrictsrk -a
> > > >
> > > > 7. tpmtoken_init -l debug
...
> > > > Confirm password:123456
> > > > C_SetPIN success
> > > > C_CloseSession success
> > > > C_OpenSession success
> > > > C_Login failed: 0x00000102 (258)
> > >
> > > This fails because the load of the Public root key failed - and that
> > > failed because it was wrapped by the *old* SRK. To get rid of the old
> > > public root key, you can just blow away /var/lib/opencryptoki/tpm.
> > >
> > > Kent
...
> > > > Sure, I do rm -rf /var/lib/opencryptoki/tpm
> > > > pkcs11_startup
> > > > /etc/init.d/opencryptoki restart
> > > > and try again but no go for most systems.
> > > >
> >
> > Hi Kent. Thank you for the reply.
> >
> > As you can see I do rm -rf the tpm dir, run pkcs11_startup and
> > restart pkcsslotd
> > often with the same unfortunate result.

You might want to check the ownership and/or permissions of the tpm dir.
I seem to recall there were sometimes issues in this area. Kent can probably
post what the proper ownership and permissions should look like for the
directory and files.

Tom

> >
> > Is there any other place that TPM stuff is "remembered"?
> >

Thank you Tom. This makes sense but I have tried different combinations to no avail.
Maybe the problem is that I am doing everything as root?

/etc/group:
..
pkcs11:x:113:root
tss:x:114:

and before "tpmtoken_init -l debug"

# ls -lat /var/lib/opencryptoki
total 24
drwxrwxrwx  4 root pkcs11 4096 Sep 11 12:54 .
-rw-r--r--  1 root root      4 Sep 11 12:54 .slotpid
-rw-rwxr--  1 root root    267 Sep 11 12:54 pk_config_data
drwxrwxr-x  3 root pkcs11 4096 Sep 11 12:54 swtok
drwxrwxr-x  2 root pkcs11 4096 Sep 11 12:54 tpm
drwxr-xr-x 38 root root   4096 Sep 10 19:47 ..

# ls -lat /var/lib/opencryptoki/tpm
total 8
drwxrwxrwx 4 root pkcs11 4096 Sep 11 12:54 ..
drwxrwxr-x 2 root pkcs11 4096 Sep 11 12:54 .

after FAILED "tpmtoken_init -l debug"

# tpmtoken_init -l debug
C_GetFunctionList success
C_Initialize success
C_GetSlotList success
Slots present: 2
C_GetSlotList success
Retrieving slot information for SlotID 0
C_GetSlotInfo success
Slot description: Linux 3.2.0-29-generic-pae Linux (TPM)
Slot manufacturer: Linux 3.2.0-29-generic-pae
Token is present
Retrieving token information for SlotID 0
C_GetTokenInfo success
Token Label: IBM PKCS#11 TPM Token
Token manufacturer: IBM Corp.
Token model: TPM v1.1 Token
Token is not initialized
C_InitToken success
C_OpenSession success
C_Login success
A new TPM security officer password is needed. The password must be between 4 and 8 characters in length.
Enter new password:
Confirm password:
C_SetPIN success
C_CloseSession success
C_OpenSession success
C_Login failed: 0x00000102 (258)
C_CloseSession success
C_Finalize success
tpmtoken_init failed

# ls -latR /var/lib/opencryptoki/tpm
/var/lib/opencryptoki/tpm:
total 20
-rw-rw-r-- 1 root pkcs11   48 Sep 11 12:56 MK_SO
-rw-rw-r-- 1 root pkcs11  232 Sep 11 12:56 NVTOK.DAT
drwxrwxr-x 3 root pkcs11 4096 Sep 11 12:56 .
drwx------ 3 root root   4096 Sep 11 12:56 root
drwxrwxrwx 4 root pkcs11 4096 Sep 11 12:54 ..

/var/lib/opencryptoki/tpm/root:
total 100
drwx------ 3 root root    4096 Sep 11 12:56 .
drwxrwxr-x 3 root pkcs11  4096 Sep 11 12:56 ..
-rw------- 1 root root     232 Sep 11 12:56 NVTOK.DAT
-rwx------ 1 root root   82168 Sep 11 12:56 .stmapfile
drwx------ 2 root root    4096 Sep 11 12:56 TOK_OBJ

/var/lib/opencryptoki/tpm/root/TOK_OBJ:
total 8
drwx------ 2 root root 4096 Sep 11 12:56 .
drwx------ 3 root root 4096 Sep 11 12:56 ..

/usr/sbin/tcsd and /usr/sbin/pkcsslotd are running

_______________________________________________
opencryptoki-users mailing list
opencryptoki-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opencryptoki-users