A bug in opencryptoki?
Greg Staniak
greg at metail.co.uk
Fri Aug 12 10:12:18 UTC 2016
Hi,
I've been trying to set up EAP-TLS .1x auth for our wifi users, utilizing
the opencryptoki daemon to access TPM slots through the PKCS#11 interface.
I managed to get this working for the root account, but hit a problem when
using a user account -- I could see the TPM hardware via the tcsd daemon:
$ tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.66.5
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: ATML
TPM Version: 01010000
Manufacturer Info: 41544d4c
$ tpm_selftest -l debug
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Tspi_TPM_SelfTestFull success
Tspi_TPM_GetTestResult success
TPM Test Results: 0000
tpm_selftest succeeded
Tspi_Context_FreeMemory success
Tspi_Context_Close success
then configured opencryptoki to connect to it using slot #0, but any
attempt at using the TPM storage using opencryptoki was failing for a
regular user (that had been added to the 'pkcs11' group). This was the
result for root:
# pkcsconf -i
PKCS#11 Info
Version 2.20
Manufacturer: IBM
Flags: 0x0
Library Description: Meta PKCS11 LIBRARY
Library Version 3.4
# pkcsconf -t
Token #0 Info:
Label: IBM PKCS#11 TPM Token
Manufacturer: IBM Corp.
Model: TPM v1.1 Token
Serial Number: 123
Flags: 0x880045
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 18:10:21
# pkcsconf -s
Slot #0 Info
Description: TPM
Manufacturer: ATML
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 1.2
Firmware Version: 66.5
as opposed to the regular user:
$ pkcsconf -i
C_GetSlotList returned 0 slots. Check that your tokens are installed correctly.
$ pkcsconf -t
C_GetSlotList returned 0 slots. Check that your tokens are installed correctly.
$ pkcsconf -s
C_GetSlotList returned 0 slots. Check that your tokens are installed correctly.
A bit of digging led to an strace run of the pkcsconf tool, which included
the following lines:
stat("/var/lib/opencryptoki/tpm/[redacted]", 0x7ffd5a4295b0) = -1 ENOENT (No such file or directory)
mkdir("/var/lib/opencryptoki/tpm/[redacted]", 0700) = -1 EACCES (Permission denied)
Looks like the slot storage for the TPM module is created as a per-user
directory in /var/lib/opencryptoki/tpm, but this directory's permissions
are:
/var/lib/opencryptoki# ll | grep tpm
drwxr-xr-x 3 root root 4096 Aug 11 18:10 tpm/
so a member of the 'pkcs11' group doesn't have permissions to create their
own storage directory. After changing the permissions on the parent to:
# ll /var/lib/opencryptoki/ | grep tpm
drwxrwxr-x 4 root pkcs11 4096 Aug 12 10:04 tpm/
I was able to see the TPM slots as a user:
$ pkcsconf -i
PKCS#11 Info
Version 2.20
Manufacturer: IBM
Flags: 0x0
Library Description: Meta PKCS11 LIBRARY
Library Version 3.4
$ pkcsconf -t
Token #0 Info:
Label: IBM PKCS#11 TPM Token
Manufacturer: IBM Corp.
Model: TPM v1.1 Token
Serial Number: 123
Flags: 0x880045
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 10:04:30
$ pkcsconf -s
Slot #0 Info
Description: TPM
Manufacturer: ATML
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 1.2
Firmware Version: 66.5
and this appeared under the tpm directory:
# ll /var/lib/opencryptoki/tpm/
total 16
drwxrwxr-x 4 root pkcs11 4096 Aug 12 10:04 ./
drwxrwxr-x 5 root pkcs11 4096 Aug 11 13:15 ../
drwx------ 3 user user 4096 Aug 12 10:04 user/
drwx------ 3 root root 4096 Aug 11 18:10 root/
If I understand the intended usage of the pkcs11 tools correctly, this is a
bug/misconfiguration.
Best regards,
Greg
--
Greg Staniak <greg at metail.co.uk>
Systems and Devops Engineer
Metail
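The EACCES above is an ordinary POSIX directory-permission check: mkdir(2) inside /var/lib/opencryptoki/tpm needs both write and search (execute) permission on that parent directory for whichever single class (owner, group, other) applies to the calling user, and uid 0 bypasses the check entirely, which is why root never saw the problem. The following script is an added example, not code from the mail, from opencryptoki, or from Ubuntu: it parses `ls -l` lines in the form quoted in the mail (the two sample lines are copied from it), evaluates whether a given user with given supplementary groups could create a per-user token directory, and lists the same remediation the mail applied (group pkcs11 plus g+w on the parent). The parent path and the `pkcs11` group name are taken from the mail; the helper names and the `parent` parameter are this example's own.

```python
import re
from dataclasses import dataclass

# One line of `ls -l` output as quoted in the mail, e.g.
# "drwxrwxr-x 4 root pkcs11 4096 Aug 12 10:04 tpm/"
# groups: type char, nine permission chars, owner, group, name
LS_LINE = re.compile(
    r"^([dl-])([rwxsStT-]{9})[+.]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\S+\s+\S+\s+\S+\s+(.+)$"
)


@dataclass
class DirEntry:
    name: str
    owner: str
    group: str
    perms: str  # nine characters: rwx for owner, then group, then other


def parse_ls_line(line: str) -> DirEntry:
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    _kind, perms, owner, group, name = m.groups()
    return DirEntry(name=name.rstrip("/"), owner=owner, group=group, perms=perms)


def permission_class(entry: DirEntry, user: str, groups: list) -> str:
    """POSIX applies exactly one class: owner first, else group, else other."""
    if user == entry.owner:
        return "owner"
    if entry.group in groups:
        return "group"
    return "other"


def can_create_subdir(entry: DirEntry, user: str, groups: list) -> bool:
    """mkdir(2) in a directory needs write (to add the entry) AND search/
    execute (to traverse) on that directory. uid 0 skips DAC checks."""
    if user == "root":
        return True
    offset = {"owner": 0, "group": 3, "other": 6}[permission_class(entry, user, groups)]
    triplet = entry.perms[offset:offset + 3]
    writable = triplet[1] == "w"
    # lowercase s/t mean setgid/sticky *with* execute; uppercase S/T lack it
    searchable = triplet[2] in "xst"
    return writable and searchable


def diagnose(ls_line: str, user: str, groups: list,
             token_group: str = "pkcs11",
             parent: str = "/var/lib/opencryptoki") -> dict:
    """Return the verdict for `user` plus the commands that would close the gap,
    mirroring the fix in the mail (group pkcs11, mode g+w on the parent)."""
    entry = parse_ls_line(ls_line)
    ok = can_create_subdir(entry, user, groups)
    result = {"dir": f"{parent}/{entry.name}", "user": user,
              "can_create_subdir": ok, "fix": []}
    if not ok:
        if entry.group != token_group:
            result["fix"].append(f"chgrp {token_group} {parent}/{entry.name}")
        if entry.perms[4] != "w":  # group write bit
            result["fix"].append(f"chmod g+w {parent}/{entry.name}")
        if token_group not in groups:
            result["fix"].append(f"usermod -aG {token_group} {user}")
    return result


# Sample lines copied from the mail: the parent directory before and after the fix.
BEFORE = "drwxr-xr-x 3 root root 4096 Aug 11 18:10 tpm/"
AFTER = "drwxrwxr-x 4 root pkcs11 4096 Aug 12 10:04 tpm/"

if __name__ == "__main__":
    for line in (BEFORE, AFTER):
        for user, groups in (("root", ["root"]),
                             ("user", ["user", "pkcs11"]),
                             ("bob", ["bob"])):
            print(diagnose(line, user, groups))
```

Run as-is it prints one verdict per (directory state, user) pair; the `bob` case shows that fixing the directory alone is not enough for an account that was never added to the pkcs11 group.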