Closed Maitre-Hiboux closed 3 years ago
Looks like they didn't set up the p11 configure time options. I hardly use p11, but IIRC you can set up some type of a module file and each p11 kit version seems to behave differently. There's a sample config in misc/p11-kit/tpm2_pkcs11.module, that works in most systems. I think you need to get that to the p11kit modules location and ensure the library is on your path.
I'm assuming you looked through:
First thank you kindly for your answer.
I totally went through the link you just gave. Though in this doc the init followed by the token creation seems enough for p11-kit to notice it. It doesn't work like that for me. I assume your remark on p11 configure options may be right. I have never used P11 before so I have very little knowledge of it, so time to learn. I'll get a look at the module you're talking about and check if it is present in the p11kit modules location. Thanks for this insight!
I'll come back to give the result of all this.
OK,
So as you said I created the module file:

```
$ cat /usr/share/p11-kit/modules/tpm2_pkcs11.module
module: libtpm2_pkcs11.so
critical: no
```
Then using:

```
$ p11-kit -v list-modules
p11-kit: couldn't load module: /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so: /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so: cannot open shared object file: No such file or directory
```
Then, instead of doing a proper symlink like I should have, I did a dirty symlink (I'll fix it soon enough):

```
$ sudo cp /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1 /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so
```
And then ... TADAAAA:

```
$ p11-kit -v list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc-pkcs11: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.21
tpm2_pkcs11: libtpm2_pkcs11.so
    library-description: TPM2.0 Cryptoki
    library-manufacturer: tpm2-software.github.io
    library-version: 0.0
    token: label
        manufacturer: Infineon
        model: SLB9670
        serial-number: 0000000000000000
        hardware-version: 1.38
        firmware-version: 7.85
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
    token:
        manufacturer: Infineon
        model: SLB9670
        serial-number: 0000000000000000
        hardware-version: 1.38
        firmware-version: 7.85
        flags:
               rng
               login-required
```
So I'll look a bit further to ensure everything is working fine. Anyway thanks a lot for your help !
Ok it works perfectly as expected now ! Managed to get my csr. Once again thanks a lot. I'll close the issue.
Thanks for digging into this and solving it AND posting back for others.
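The failure in this thread comes from where p11-kit looks for the library named on the `module:` line: a relative value is loaded from p11-kit's module directory, which is the path shown in the error message. The following is an added example, not code from the thread or from the tpm2-pkcs11 project; the function names are hypothetical, and both paths are passed in as arguments.

```shell
#!/bin/sh
# Added example: resolve the library a p11-kit .module file points at and
# report whether it exists. This is the check behind the "couldn't load
# module" error quoted in the thread. Function names are hypothetical.

# module_value FILE -> prints the value of the first "module:" line.
module_value() {
    sed -n 's/^[[:space:]]*module:[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# resolve_module FILE MODULE_DIR -> prints the path p11-kit would try to load.
# A relative "module:" value is looked up in MODULE_DIR (p11-kit's module
# directory); an absolute value is used as written.
resolve_module() {
    value=$(module_value "$1")
    [ -n "$value" ] || return 2
    case "$value" in
        /*) printf '%s\n' "$value" ;;
        *)  printf '%s/%s\n' "${2%/}" "$value" ;;
    esac
}

# check_module FILE MODULE_DIR
#   0: resolved library is a readable regular file (symlinks are followed)
#   1: library is missing or the symlink is dangling
#   2: the file has no "module:" line
check_module() {
    path=$(resolve_module "$1" "$2") || return 2
    if [ -r "$path" ] && [ -f "$path" ]; then
        echo "ok: $path"
        return 0
    fi
    echo "missing: $path" >&2
    return 1
}

# Stand-alone use: check_p11_module.sh MODULE_FILE MODULE_DIR
if [ "$#" -eq 2 ]; then
    check_module "$1" "$2"
fi
```

With the paths from the thread, the arguments would be `/usr/share/p11-kit/modules/tpm2_pkcs11.module` and `/usr/lib/x86_64-linux-gnu/pkcs11`; on other systems `pkg-config --variable=p11_module_path p11-kit-1` prints the module directory.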
OS : Debian 10
TPM2 packages versions :
(Those are the Debian 11 Bullseye packages backported to Debian 10)
How to reproduce the issue:
It all goes on without error messages, but then if I do:
I don't have the one I just created, same with p11-kit:
No tpm2 here.
Though using tpm2pkcs11-tool
My aim is to use the generate_csr script here : https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/EAP-TLS.md#certificate-signing-request-csr-generation
And it requires this link.
If you need any more detail let me know !
Thanks in advance.