A follow-up: now that I chose to have the well-known secret, I am able to see that
opencryptoki recognizes the TPM token #0
pkcsconf -t
Token #0 Info:
Label: IBM PKCS#11 TPM Token
Manufacturer: IBM Corp.
Model: TPM v1.1 Token
Serial Number: 123
Flags: 0x890045
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_COUNT_LOW|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 20:47:11
Token #3 Info:
Label: IBM OS PKCS#11
Manufacturer: IBM Corp.
Model: IBM SoftTok
Serial Number: 123
Flags: 0x880045
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 20:47:11
My TPM is Version 1.2, but opencryptoki says it is 1.1. The opencryptoki.cnf
file is minimal, so it contains only the path to the .so, with no version or other information:
version opencryptoki-3.1
# The following defaults are defined:
# hwversion = 0.0
# firmwareversion = 0.0
# description = Linux
# manufacturer = IBM
#
# The slot definitions below may be overriden and/or customized.
# For example:
# slot 0
# {
# stdll = libpkcs11_cca.so
# description = "OCK CCA Token"
# manufacturer = "MyCompany Inc."
# hwversion = 2.32
# firmwareversion = 1.0
# }
#
# See man(5) opencryptoki.conf for further information.
#
slot 0
{
stdll = /usr/local/lib/opencryptoki/stdll/libpkcs11_tpm.so
}
slot 1
{
stdll = libpkcs11_ica.so
}
slot 2
{
stdll = libpkcs11_cca.so
}
slot 3
{
stdll = libpkcs11_sw.so
}
slot 4
{
stdll = libpkcs11_ep11.so
confname = ep11tok.conf
}
When I try to do
pkcsconf -I -c 0
Enter the SO PIN:
Enter a unique token label: tpm
Incorrect PIN Entered.
I copied the all-zeros secret from here, but it is not accepted. I also tried an
empty PIN (<cr>), but it does not work. Is the SO PIN supposed to be something
else?
Thank you again
O. farrag
From: Osama Farrag <osama.far...@jhuapl.edu>
Date: Wednesday, May 11, 2016 at 8:38 PM
To: Vineetha Pisharath hari pai <vpis...@us.ibm.com>
Cc: "opencryptoki-users@lists.sourceforge.net" <opencryptoki-users@lists.sourceforge.net>
Subject: Re: [opencryptoki-users] why TPM TOKEN is not found
Thanks for your help;
I chose method 2; my TPM has been set up with the 20-zeros secret; several
other software tools that I experiment with now require/assume it is set that
way. I have two slots, 0 & 3.
Thank you again
Osama Farrag
From: Vineetha Pisharath hari pai <vpis...@us.ibm.com>
Date: Friday, May 6, 2016 at 10:23 AM
To: Osama Farrag <osama.far...@jhuapl.edu>
Cc: "opencryptoki-users@lists.sourceforge.net" <opencryptoki-users@lists.sourceforge.net>
Subject: Re: [opencryptoki-users] why TPM TOKEN is not found
Hello Farrag,
Is TPM enabled in BIOS? If not, you would need to enable it in BIOS settings.
Make sure 'tpm_setpresence' command works.
By default, tpm sets its owner and SRK passwords to a secret that is 20 bytes
of zeros. But opencryptoki hardcodes the tpm's owner and SRK secret to be the
empty string.
The empty string is NOT the same as 20 bytes of zeros. So we need to sync these
up.
There are 2 ways to do this; we can either change tpm's passwords or tell
opencryptoki tpm's correct passwords.
1. I think it is easiest to change tpm's passwords to the empty string.
a. When you take ownership, set the SRK and owner password to the empty string to match
opencryptoki.
- Take ownership of the tpm
# tpm_takeownership
When prompted for the owner and SRK password, hit enter,
thus setting it to the empty string, which opencryptoki has hardcoded.
b. If you have already taken ownership, then you can use
tpm_changeownerauth to set the password to the empty string for opencryptoki.
2. Instead of changing tpm, change opencryptoki to match tpm
- Take ownership of the tpm
# tpm_takeownership -z -y
Now change it to tpm's well known secret in opencryptoki,
export OCK_SRK_SECRET="0000000000000000000000000000000000000000"
export OCK_SRK_MODE=TSS_SECRET_MODE_SHA1
You either do 1 or 2, not both. Good luck.
Thanks,
Vineetha Pai
Linux Security Development, LTC
notes - vpis...@us.ibm.com
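One way to see why the empty string and the 20 zero bytes differ, as an added example that is not from this thread or from opencryptoki/TrouSerS: the block below models in Python how a TSS 1.2 stack derives the 20-byte auth value under the two secret modes named above, and checks an OCK_SRK_SECRET/OCK_SRK_MODE setting against the TPM's SRK secret. It assumes the hardcoded opencryptoki default is the empty string in plain mode (as stated above) and that a SHA1-mode value is supplied as 40 hex characters, as in the export line.

```python
"""Added example (not from the thread, opencryptoki or TrouSerS): model the
TSS secret modes behind the owner/SRK mismatch described in the reply."""
import hashlib

# TSS_WELL_KNOWN_SECRET: the 20 zero bytes that tpm_takeownership -z -y programs.
WELL_KNOWN_SECRET = bytes(20)


def tss_auth_secret(secret: str, mode: str) -> bytes:
    """Return the 20-byte auth value a TSS derives from `secret` under `mode`.

    TSS_SECRET_MODE_PLAIN: the TSS hashes the supplied string with SHA-1.
    TSS_SECRET_MODE_SHA1 : the value already is the 20-byte digest; assumed
                           here to arrive as 40 hex characters (as in the
                           OCK_SRK_SECRET example from the thread).
    """
    if mode == "TSS_SECRET_MODE_PLAIN":
        return hashlib.sha1(secret.encode()).digest()
    if mode == "TSS_SECRET_MODE_SHA1":
        raw = bytes.fromhex(secret)
        if len(raw) != 20:
            raise ValueError("SHA1-mode secret must be exactly 20 bytes")
        return raw
    raise ValueError(f"unknown secret mode {mode!r}")


def ock_matches_tpm(env: dict, tpm_srk_auth: bytes) -> bool:
    """Does opencryptoki's OCK_SRK_SECRET/OCK_SRK_MODE yield the TPM's SRK auth?

    Defaults when the variables are absent are assumed from the reply above:
    the hardcoded empty string, in plain mode.
    """
    secret = env.get("OCK_SRK_SECRET", "")
    mode = env.get("OCK_SRK_MODE", "TSS_SECRET_MODE_PLAIN")
    return tss_auth_secret(secret, mode) == tpm_srk_auth


if __name__ == "__main__":
    # Default opencryptoki against a TPM owned with -z: SHA-1("") != 20 zeros.
    print(ock_matches_tpm({}, WELL_KNOWN_SECRET))
    # Method 2 from the thread: point opencryptoki at the well-known secret.
    synced = {"OCK_SRK_SECRET": "00" * 20, "OCK_SRK_MODE": "TSS_SECRET_MODE_SHA1"}
    print(ock_matches_tpm(synced, WELL_KNOWN_SECRET))
    # Method 1: re-own the TPM with an empty password; the TSS stores SHA-1(""),
    # which is exactly what opencryptoki's default produces.
    print(ock_matches_tpm({}, tss_auth_secret("", "TSS_SECRET_MODE_PLAIN")))
```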
From: "Farrag, Osama" <osama.far...@jhuapl.edu>
To: "opencryptoki-users@lists.sourceforge.net" <opencryptoki-users@lists.sourceforge.net>
Date: 05/06/2016 03:28 AM
Subject: [opencryptoki-users] why TPM TOKEN is not found
________________________________
I am trying to use opencryptoki with TPM, but after configuring and
building opencryptoki on a system with trousers running, TPM ownership
set up and the SRK created, I am not able to have my TPM token recognized.
Here is what I did
1- I configured and built opencryptoki on my centos7 machine using
>> sh bootstrap.sh
>> ./configure --enable-debug --enable-testcases
--enable-tpmtok --disable-ccatok
:
:
Enabled features:
Debug build: yes
Testcases: yes
Daemon build: yes
Library build: yes
Systemd service: no
Enabled token types:
ICA token: no
CCA token: no
Software token: yes
EP11 token: no
TPM token: yes
ICSF token: no
Token-specific features:
pkcsep11migrate build: no
CFLAGS=-g -O2 -gdwarf-2 -g3 -O0 -DDEBUG -DPKCS64 -D_XOPEN_SOURCE=600
-Wall -Wno-pointer-sign
-DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\"
-DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\"
-DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\"
-DOCK_LOGDIR=\"$(logdir)\"
First I verified trousers is running
>> ps -A | grep tcsd
13582 ? 00:00:00 tcsd
I also ran
tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.5.81
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: WEC
Vendor Specific data: 0000
TPM Version: 01010000
Manufacturer Info: 57454300
I have successfully taken ownership of TPM and SRK is already setup in the
TPM hardware
I checked the contents of the openCryptoKi configuration file;
vi /etc/opencryptoki/opencryptoki.conf
slot 0
{
stdll = libpkcs11_tpm.so
}
slot 1
{
stdll = libpkcs11_ica.so
}
slot 2
{
stdll = libpkcs11_cca.so
}
slot 3
{
stdll = libpkcs11_sw.so
}
slot 4
{
stdll = libpkcs11_ep11.so
confname = ep11tok.conf
}
But when I used pkcsconf -s to verify that TPM token is present
sudo pkcsconf -s
Slot #3 Info
Description: Linux
Manufacturer: IBM
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 0.0
Firmware Version: 0.0
Only libpkcs11_sw is present?
What is missing: does the package default build not include the TPM?
Or is the configuration file not correct?
opencryptoki-users mailing list
opencryptoki-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opencryptoki-users