View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0017021||CentOS-7||opencryptoki||public||2020-02-07 16:47||2020-02-07 16:47|
|Target Version||Fixed in Version|
|Summary||0017021: TPM1.1 hardware tokens cannot be initialized with "tpmtoken_init" due to token database corruption|
|Description||tpmtoken_init creates a data store in /var/lib/opencryptoki/tpm/$USER. When creating the data store the $USER part of the path gets lost and files like NVTOK.DAT and all files under TOK_OBJ are created in the wrong directory. The result is the token database is corrupted and keys cannot be created. This results in a C_Login failed: 0x00000102 (258) error.|
This behavior started in opencryptoki-3.11.0-3. If this version is removed and replaced with opencryptoki-3.2.2 (from CentOS 6) the process works.
|Steps To Reproduce||This requires a TPM hardware token; I used one on a SuperMicro X9:|
Label: IBM PKCS#11 TPM Token
Manufacturer: IBM Corp.
Model: TPM v1.1 Token
Install trousers, tpm-tools, tpm-tools-pkcs11, opencryptoki*
Enable the token in the BIOS
Initialize the token for tpm. First set Owner and SRK passwords:
Change the SRK password to empty with
Fix SRK access
Initialize token with
After completion of this step the /var/log/opencryptoki/tpm/$USER should contain a directory of $USER. The $USER dir should contain 3 files and a TPM_TOK directory which may contain 9 files.
With version 3.11.0-x and newer, the TPM_TOK dir is empty and some files are created at the /var/log/opencryptoki/tpm level.
File creation can be seen by running tpmtoken_init under strace. It is evident in the log from strace that the $USER portion of the path for these files is getting dropped.
|Additional Information||CentOS 6 (64-bit) version 3.2.2 works as expected.|
|Tags||No tags attached.|
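
The layout symptom described in this report can be checked without strace by inspecting the data store after tpmtoken_init runs. The following is an added example, not part of the original report or of opencryptoki: `check_tpm_store` and `make_sample_store` are hypothetical helpers, the base directory is passed as an argument, and the NVTOK.DAT and TOK_OBJ names are taken from the Description.

```shell
#!/bin/sh
# Added example, not part of the issue report. check_tpm_store and
# make_sample_store are hypothetical helpers; the base path, NVTOK.DAT
# and TOK_OBJ names are taken from the Description above.

# Report token files that landed outside the per-user directory.
# Returns 0 = layout looks sane, 1 = symptom found, 2 = no per-user store.
check_tpm_store() {
    base=$1; user=$2; status=0

    # Regular files directly under $base belong in $base/$user.
    for f in "$base"/*; do
        [ -f "$f" ] || continue
        echo "MISPLACED: $f (expected under $base/$user)"
        status=1
    done
    # An object directory at the base level means $USER was dropped.
    if [ -d "$base/TOK_OBJ" ]; then
        echo "MISPLACED: $base/TOK_OBJ (expected under $base/$user)"
        status=1
    fi

    if [ ! -d "$base/$user" ]; then
        echo "MISSING: $base/$user"
        return 2
    fi
    if [ ! -f "$base/$user/NVTOK.DAT" ]; then
        echo "MISSING: $base/$user/NVTOK.DAT"
        status=1
    fi
    # Per-user object directory present but never populated.
    objdir="$base/$user/TOK_OBJ"
    if [ -d "$objdir" ] && [ -z "$(ls -A "$objdir")" ]; then
        echo "EMPTY: $objdir"
        status=1
    fi
    return "$status"
}

# Build a constructed sample tree: "broken" mimics the reported layout.
make_sample_store() {
    mkdir -p "$1/$2/TOK_OBJ"
    if [ "$3" = broken ]; then
        : > "$1/NVTOK.DAT"
    else
        : > "$1/$2/NVTOK.DAT"
        : > "$1/$2/TOK_OBJ/sample_object"
    fi
}
```

On a real system the call would be `check_tpm_store /var/lib/opencryptoki/tpm "$USER"`, run with enough privilege to read the data store.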