Marc Kaeser wrote:
r...@lenovo:/usr/sbin# ./pkcsconf -t
LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0e6c901
Token #0 Info:
   Label: TestToken
   Manufacturer: IBM Corp.
   Model: TPM v1.1 Token
   Serial Number: 123
Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
   Sessions: -1/-1
   R/W Sessions: -1/-1
   PIN Length: 6-127
   Public Memory: 0xFFFFFFFF/0xFFFFFFFF
   Private Memory: 0xFFFFFFFF/0xFFFFFFFF
   Hardware Version: 1.0
   Firmware Version: 1.0
   Time: 11:00:55 PM
Token #1 Info:
   Label: IBM OS PKCS#11
   Manufacturer: IBM Corp.
   Model: IBM SoftTok
   Serial Number: 123
Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
   Sessions: -1/-1
   R/W Sessions: -1/-1
   PIN Length: 4-8
   Public Memory: 0xFFFFFFFF/0xFFFFFFFF
   Private Memory: 0xFFFFFFFF/0xFFFFFFFF
   Hardware Version: 1.0
   Firmware Version: 1.0
   Time: 11:00:55 PM
LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0e6c901
r...@lenovo:/usr/sbin# ./pkcsconf -s
LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0e60102
Slot #0 Info
   Description: Linux 2.6.28.9 Linux (TPM)
   Manufacturer: Linux 2.6.28.9
   Flags: 0x5 (TOKEN_PRESENT|HW_SLOT)
   Hardware Version: 0.0
   Firmware Version: 1.1
Slot #1 Info
   Description: Linux 2.6.28.9 Linux (Soft)
   Manufacturer: Linux 2.6.28.9
   Flags: 0x1 (TOKEN_PRESENT)
   Hardware Version: 0.0
   Firmware Version: 1.1
LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0e60102

Note that you have both the TPM token and the software token enabled. The PKCS#11 interface is able to advertise both; it will depend on NSS to choose which to use.

Also note that both tokens need to be initialized and have their User and Security Officer PINs changed (USER_PIN_TO_BE_CHANGED and SO_PIN_TO_BE_CHANGED flags).

You can do it using pkcsconf:

Initialize the token:
 pkcsconf -c 0 -I

Initialize SO pin (note that the default SO PIN is 87654321):
 pkcsconf -c 0 -P

Initialize User pin (use the SO PIN you just defined above):
 pkcsconf -c 0 -u

Do the same for the software token (pkcsconf -c 1 ...) if you'd like to use it as well.

After all is done, you should see something like the following with pkcsconf -t:

kl...@klausk:~$ /usr/sbin/pkcsconf -t
Token #1 Info:
        Label: KlausK Tests Token
        Manufacturer: IBM Corp.
        Model: IBM SoftTok
        Serial Number: 123
Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
        Sessions: -1/-1
        R/W Sessions: -1/-1
        PIN Length: 4-8
        Public Memory: 0xFFFFFFFF/0xFFFFFFFF
        Private Memory: 0xFFFFFFFF/0xFFFFFFFF
        Hardware Version: 1.0
        Firmware Version: 1.0
        Time: 03:21:15 PM

(and the same for the TPM token)

Note the TOKEN_INITIALIZED flag, and also that *_PIN_TO_BE_CHANGED flags are gone.

Let us know of your results.

 -Klaus
--
Klaus Heinrich Kiwi | kla...@br.ibm.com | http://blog.klauskiwi.com
Open Source Security blog :     http://www.ratliff.net/blog
IBM Linux Technology Center :   http://www.ibm.com/linux/ltc

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
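
The readiness check described in the message above (TOKEN_INITIALIZED present, no *_PIN_TO_BE_CHANGED flags), as an added example that is not part of the original post or of openCryptoki. The function names are hypothetical, the sample text is constructed from the listings quoted above, and the bit values are the CK_TOKEN_INFO flag constants from the PKCS#11 specification.

```python
import re

# CK_TOKEN_INFO flag bits from the PKCS#11 specification (subset seen in this thread).
CKF = {
    0x000001: "RNG",
    0x000004: "LOGIN_REQUIRED",
    0x000008: "USER_PIN_INITIALIZED",
    0x000040: "CLOCK_ON_TOKEN",
    0x000400: "TOKEN_INITIALIZED",
    0x080000: "USER_PIN_TO_BE_CHANGED",
    0x800000: "SO_PIN_TO_BE_CHANGED",
}
BIT = {name: bit for bit, name in CKF.items()}

# Constructed sample: trimmed from the first `pkcsconf -t` listing quoted above.
SAMPLE = """\
LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
Token #0 Info:
   Label: TestToken
Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Token #1 Info:
   Label: IBM OS PKCS#11
Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
"""

def parse_tokens(text):
    """Return {token_number: flags_int}; debug lines and other fields are skipped."""
    tokens, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Token #(\d+) Info:", line):
            current = int(m.group(1))
        elif (m := re.match(r"\s*Flags:\s*(0x[0-9A-Fa-f]+)", line)) and current is not None:
            tokens[current] = int(m.group(1), 16)
    return tokens

def decode(flags):
    """Flag names for the set bits, lowest bit first (the order pkcsconf prints)."""
    return [name for bit, name in sorted(CKF.items()) if flags & bit]

def blocking(flags):
    """Reasons a token is not yet in the end state shown in the message."""
    reasons = [] if flags & BIT["TOKEN_INITIALIZED"] else ["TOKEN_INITIALIZED not set"]
    for name in ("USER_PIN_TO_BE_CHANGED", "SO_PIN_TO_BE_CHANGED"):
        if flags & BIT[name]:
            reasons.append(name + " set")
    return reasons

if __name__ == "__main__":
    for num, flags in parse_tokens(SAMPLE).items():
        print(f"token {num}: {hex(flags)} {'ready' if not blocking(flags) else blocking(flags)}")
```

Working from the hex value rather than the printed names means the check does not depend on how a given pkcsconf build labels the flags.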
