View Issue Details

ID: 0017021
Project: CentOS-7
Category: opencryptoki
View Status: public
Last Update: 2020-02-07 16:47
Status: new
Resolution: open
Product Version: 7.7-1908
Target Version: (none)
Fixed in Version: (none)
Summary: 0017021: TPM1.1 hardware tokens cannot be initialized with "tpmtoken_init" due to token database corruption
Description:
tpmtoken_init creates a data store in /var/lib/opencryptoki/tpm/$USER. When creating the data store the $USER part of the path gets lost and files like NVTOK.DAT and all files under TOK_OBJ are created in the wrong directory. The result is that the token database is corrupted and keys cannot be created. This results in a C_Login failed: 0x00000102 (258) error.
This behavior started in opencryptoki-3.11.0-3. If this version is removed and replaced with opencryptoki-3.2.2 (from centOS6) the process works.
Steps To Reproduce:
This requires a TPM hardware token; I used one on a SuperMicro X9:
        Label: IBM PKCS#11 TPM Token
        Manufacturer: IBM Corp.
        Model: TPM v1.1 Token

Install trousers, tpm-tools, tpm-tools-pkcs11, opencryptoki*
Enable the token in the BIOS
Initialize the token for tpm. First set Owner and SRK passwords:
change the SRK password to empty with
       tpm_changeownerauth -s
fix SRK access
       tpm_restrictsrk -a
Initialize token wit
After completion of this step the /var/log/opencryptoki/tpm/$USER should contain a directory of $USER. The $USER dir should contain 3 files and a TPM_TOK directory which may contain 9 files.
With version 3.11.0-x and newer, the TPM_TOK dir is empty and some files are created at the /var/log/opencryptoki/tpm level.

File creation can be seen by running tpmtoken_init under strace. It is evident in the log from strace that the $USER portion of the path for these files is getting dropped.
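A layout check for the symptom described above, added here as an example (it is not the reporter's or opencryptoki's code). The file names NVTOK.DAT and TOK_OBJ and the default store path follow the description; the store and user arguments, the return codes and the constructed test directories are this script's own assumptions.

```shell
#!/bin/sh
# Sanity-check the opencryptoki TPM token data store layout.
# Assumed layout (from the report): <store>/<user>/NVTOK.DAT plus a
# <store>/<user>/TOK_OBJ directory. With the misbehaving version the
# "<user>" path component is dropped, so those entries land directly
# under <store> and the per-user TOK_OBJ stays empty.
# Return codes: 0 = layout looks right, 1 = per-user store missing or
# empty, 2 = entries created at the wrong level (the reported corruption).

check_tpm_token_store() {
    store="${1:-/var/lib/opencryptoki/tpm}"   # assumed default from the report
    user="${2:-$USER}"
    userdir="$store/$user"
    rc=0

    # Symptom 1: entries that belong under $userdir sit at the store root.
    for stray in NVTOK.DAT TOK_OBJ; do
        if [ -e "$store/$stray" ]; then
            echo "misplaced: $store/$stray (expected under $userdir)" >&2
            rc=2
        fi
    done

    # Symptom 2: the per-user store is missing, or its object dir is empty.
    if [ ! -f "$userdir/NVTOK.DAT" ]; then
        echo "missing: $userdir/NVTOK.DAT" >&2
        [ "$rc" -eq 0 ] && rc=1
    fi
    if [ ! -d "$userdir/TOK_OBJ" ] || [ -z "$(ls -A "$userdir/TOK_OBJ" 2>/dev/null)" ]; then
        echo "empty or missing: $userdir/TOK_OBJ" >&2
        [ "$rc" -eq 0 ] && rc=1
    fi
    return "$rc"
}
```

Run it as `check_tpm_token_store /var/lib/opencryptoki/tpm "$USER"` after tpmtoken_init; a return code of 2 means the $USER path component was dropped as described in this report.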

Additional Information:
CentOS6 (64 bit) version 3.2.2 works as expected.
Tags: No tags attached.


There are no notes attached to this issue.

Issue History

Date Modified | Username | Field | Change
2020-02-07 16:47 | OPederson | New Issue |