irtimmer / tpm2-pk11

[DEPRECATED] PKCS#11 Module for TPM 2.0
BSD 2-Clause "Simplified" License

Install libtpm2-pk11.so as a sub-module of p11-kit #53

Closed liuqun closed 6 years ago

liuqun commented 6 years ago
  1. Install libtpm2-pk11.so into /usr/lib/x86_64-linux-gnu/pkcs11

  2. Add a module configuration file in /usr/share/p11-kit/modules, for example /usr/share/pkcs11/modules/libtpm2-pk11.module

opensc-pkcs11.so and gnome-keyring-pkcs11.so seem to be good on my x86_64 Ubuntu desktop:

$ find /usr/share/p11-kit/modules
/usr/share/p11-kit/modules/opensc-pkcs11.module
/usr/share/p11-kit/modules/p11-kit-trust.module
/usr/share/p11-kit/modules/gnome-keyring.module

$ ls -l /usr/lib/x86_64-linux-gnu/pkcs11/
total 1508
-rw-r--r-- 1 root root   84624 Jul 31  2017 gnome-keyring-pkcs11.so
lrwxrwxrwx 1 root root      26 Jul 24  2017 onepin-opensc-pkcs11.so -> ../onepin-opensc-pkcs11.so
lrwxrwxrwx 1 root root      19 Jul 24  2017 opensc-pkcs11.so -> ../opensc-pkcs11.so
-rw-r--r-- 1 root root 1211432 Jul 15  2017 p11-kit-client.so
-rw-r--r-- 1 root root  244584 Jul 15  2017 p11-kit-trust.so
lrwxrwxrwx 1 root root      16 Jul 24  2017 pkcs11-spy.so -> ../pkcs11-spy.so

See https://p11-glue.github.io/p11-glue/p11-kit/manual/config-example.html


Update: Currently, p11tool --list-tokens only shows me "pkcs11:model=p11-kit-trust":

$ p11tool --list-tokens
Token 0:
    URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
    Label: System Trust
    Type: Trust module
    Manufacturer: PKCS#11 Kit
    Model: p11-kit-trust
    Serial: 1
    Module: p11-kit-trust.so
$ cat /usr/share/p11-kit/modules/p11-kit-trust.module
# See pkcs11.conf(5) to understand this file

# This is a module config for the 'included' p11-kit trust module
module: p11-kit-trust.so

# This setting affects the order that trust policy and other information
# is looked up when going across various modules. Other trust policy modules
# need to specify the priority where they slot into things.
priority: 1

# Mark this module as a viable source of trust policy information
trust-policy: yes

# This is for drop-in compatibility with glib-networking and gcr. Those
# projects used this non-standard attribute to denote slots to use to
# retrieve trust information.
x-trust-lookup: pkcs11:library-description=PKCS%2311%20Kit%20Trust%20Module
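
Added example, not part of the original issue or of the tpm2-pk11 project: a shell check for the two installation steps listed in the comment above. It confirms that every `.module` file names a library that exists in the module directory and is not group- or world-writable. The function names, status words and demo tree are constructed for illustration; resolving relative `module:` names against the module directory follows pkcs11.conf(5).

```sh
#!/bin/sh
# check_p11_modules CONFIG_DIR MODULE_DIR
#   Prints "STATUS config-file resolved-library" for each *.module file and
#   returns 0 only if every registration resolves to an existing library
#   that is not group- or world-writable.
check_p11_modules() {
    conf_dir=$1 mod_dir=$2 rc=0
    for conf in "$conf_dir"/*.module; do
        [ -e "$conf" ] || continue      # glob matched nothing
        # Value of the first uncommented "module:" line, trailing blanks removed.
        lib=$(sed -n 's/^[[:space:]]*module:[[:space:]]*//p' "$conf" |
              sed 's/[[:space:]]*$//' | head -n 1)
        if [ -z "$lib" ]; then          # no module: value, nothing to load
            echo "NO-MODULE $conf -"; rc=1; continue
        fi
        # pkcs11.conf(5): a relative name is resolved in the default module directory.
        case $lib in
            /*) path=$lib ;;
            *)  path=$mod_dir/$lib ;;
        esac
        if [ ! -f "$path" ]; then       # -f follows symlinks: dangling links land here
            echo "MISSING $conf $path"; rc=1
        elif [ -n "$(find -L "$path" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "WRITABLE $conf $path"; rc=1
        else
            echo "OK $conf $path"
        fi
    done
    return "$rc"
}

# Constructed demo tree mirroring the two steps; the real system is not touched.
demo() {
    d=$(mktemp -d) && mkdir "$d/conf" "$d/lib" || return 2
    printf '# registered and installed\nmodule: p11-kit-trust.so\n' > "$d/conf/p11-kit-trust.module"
    # Step 2 done (config present) but step 1 skipped (library never installed).
    printf 'module: libtpm2-pk11.so\n' > "$d/conf/libtpm2-pk11.module"
    : > "$d/lib/p11-kit-trust.so"; chmod 644 "$d/lib/p11-kit-trust.so"
    status=0
    check_p11_modules "$d/conf" "$d/lib" || status=$?
    rm -rf "$d"
    return "$status"
}

# With two arguments audit real directories, otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then check_p11_modules "$1" "$2"; else demo || true; fi
```

On the Ubuntu layout shown in this issue, the two arguments would be `/usr/share/p11-kit/modules` and `/usr/lib/x86_64-linux-gnu/pkcs11`.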

liuqun commented 6 years ago

See also issue #55: “No matching objects found” while executing p11tool --list-privkeys pkcs11:model=TPM2

liuqun commented 6 years ago

Fixed by commit https://github.com/irtimmer/tpm2-pk11/commit/64f0fbb18e052abdc52c467a3ad6f6763b0f6955 with an additional patch in PR https://github.com/irtimmer/tpm2-pk11/pull/59