tpm2-software / tpm2-pkcs11

A PKCS#11 interface for TPM2 hardware
https://tpm2-software.github.io

P11tool or P11-kit not linked with the tpm2 pkcs11 stores and tokens created with tpm2_ptool #707

Closed Maitre-Hiboux closed 3 years ago

Maitre-Hiboux commented 3 years ago

OS : Debian 10

TPM2 packages versions :

libtpm2-pkcs11-1 : 1.5.0-4
libtpm2-pkcs11-1-dev : 1.5.0-4
libtpm2-pkcs11-tools : 1.5.0-4
python3-tpm2-pkcs11-tools : 1.5.0-4
tpm2-abrmd : 2.3.3-1+b2
tpm2-initramfs-tool : 0.2.2-2
tpm2-tools : 5.0-2

(Those are the Debian 11 Bullseye packages backported to Debian 10)

How to reproduce the issue :

$ export TPM2_PKCS11_STORE=/home/<user>/tmp
$ export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
$ export TPM2_PKCS11_TCTI="device:/dev/tpmrm0"

$ tpm2_ptool init

$ tpm2_ptool addtoken \
    --pid=1 \
    --sopin=0000 \
    --userpin=0000 \
    --label=label

$ tpm2_ptool addkey \
    --algorithm=rsa2048 \
    --label=label \
    --userpin=0000

$ tpm2_ptool config \
    --key tcti \
    --value "device:/dev/tpmrm0" \
    --label label

It all goes on without error messages, but then if I do :

$ p11tool --list-token-urls

pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust

I don't have the one I just created, same with p11-kit :

$ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc-pkcs11: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.21

No tpm2 here.

Though using tpm2pkcs11-tool

alias tpm2pkcs11-tool='pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1'

$ tpm2pkcs11-tool -L
Available slots:
Slot 0 (0x1): label                           Infineon
  token label        : label
  token manufacturer : Infineon
  token model        : SLB9670
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.38
  firmware version   : 7.85
  serial num         : 0000000000000000
  pin min/max        : 0/128
Slot 1 (0x2):                                 Infineon
  token state:   uninitialized

$  tpm2pkcs11-tool -I
Cryptoki version 2.40
Manufacturer     tpm2-software.github.io
Library          TPM2.0 Cryptoki (ver 0.0)
Using slot 0 with a present token (0x1)

My aim is to use the generate_csr script here : https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/EAP-TLS.md#certificate-signing-request-csr-generation

And it requires this link.

If you need any more detail let me know !

Thanks in advance.

williamcroberts commented 3 years ago

Looks like they didn't set up the p11 configure-time options. I hardly use p11, but IIRC you can set up some type of a module file and each p11-kit version seems to behave differently. There's a sample config in misc/p11-kit/tpm2_pkcs11.module that works on most systems. I think you need to get that to the p11-kit modules location and ensure the library is on your path.

I'm assuming you looked through:

Maitre-Hiboux commented 3 years ago

First thank you kindly for your answer.

I totally went through the link you just gave. Though in this doc the init followed by the token creation seems enough for p11-kit to notice it. It doesn't work like that for me. I assume your remark on p11 configure options may be right. I never used P11 before so I have very little knowledge of it, so time to learn. I'll give a look at the module you're talking about and check if it is present in the p11-kit modules location. Thanks for this insight !

I'll come back to give the result of all this.

Maitre-Hiboux commented 3 years ago

OK,

So as you said i created the module file :

$ cat /usr/share/p11-kit/modules/tpm2_pkcs11.module
module: libtpm2_pkcs11.so

critical: no

Then using :

$ p11-kit -v list-modules
p11-kit: couldn't load module: /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so: /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so: cannot open shared object file: No such file or directory

Then, instead of doing a proper symlink like I should have, I did a dirty symlink (I'll fix it soon enough) :

$ sudo cp /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1 /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so

And then ... TADAAAA :

$ p11-kit -v list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc-pkcs11: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.21
tpm2_pkcs11: libtpm2_pkcs11.so
    library-description: TPM2.0 Cryptoki
    library-manufacturer: tpm2-software.github.io
    library-version: 0.0
    token: label
        manufacturer: Infineon
        model: SLB9670
        serial-number: 0000000000000000
        hardware-version: 1.38
        firmware-version: 7.85
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
    token: 
        manufacturer: Infineon
        model: SLB9670
        serial-number: 0000000000000000
        hardware-version: 1.38
        firmware-version: 7.85
        flags:
               rng
               login-required

So I'll look a bit further to ensure everything is working fine. Anyway thanks a lot for your help !
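The failure above comes down to one thing: p11-kit resolves a bare `module:` name relative to its own module directory (on the reporter's system `/usr/lib/x86_64-linux-gnu/pkcs11/`), and nothing checked that the file was actually there before `p11-kit list-modules` was run. The script below is an added example, not code from the tpm2-pkcs11 project or from anyone in this thread; it reads a `.module` file, resolves the library the way p11-kit does, and reports whether it is missing, a symlink, or a plain copy (a copy, as used above, silently goes stale when the libtpm2-pkcs11 package is upgraded). The function name `check_p11_module`, the return codes and the example paths are my own choices; the module directory is passed in explicitly because it differs between distributions.

```shell
#!/bin/sh
# Added example, not part of the tpm2-pkcs11 project: sanity-check a p11-kit
# .module file before relying on `p11-kit list-modules`.
#
# Assumption: p11-kit resolves a bare "module:" filename relative to its
# module directory (e.g. /usr/lib/x86_64-linux-gnu/pkcs11 on Debian 10), and
# uses an absolute "module:" path as is.
#
# Usage: check_p11_module <module-file> <p11-kit-module-dir>
# Return codes (chosen for this example):
#   0  library resolves and is a symlink (package upgrades are followed)
#   1  module file unreadable or has no "module:" line
#   2  library does not exist where p11-kit will look for it
#   3  library exists but is a regular file (a copy that will go stale)
check_p11_module() {
    modfile=$1
    moddir=$2

    if [ ! -r "$modfile" ]; then
        echo "$modfile: cannot read module file" >&2
        return 1
    fi

    # p11-kit module files are "key: value" lines; take the first "module:".
    lib=$(sed -n 's/^module:[[:space:]]*//p' "$modfile" | head -n 1)
    if [ -z "$lib" ]; then
        echo "$modfile: no 'module:' entry" >&2
        return 1
    fi

    case $lib in
        /*) path=$lib ;;            # absolute path: used verbatim
        *)  path=$moddir/$lib ;;    # bare name: looked up in the module dir
    esac

    if [ ! -e "$path" ]; then
        # This is exactly the "cannot open shared object file" case above.
        echo "$modfile: library not found: $path" >&2
        return 2
    fi

    if [ -L "$path" ]; then
        echo "$modfile: OK, $path -> $(readlink "$path")"
        return 0
    fi

    echo "$modfile: WARNING, $path is a regular file, not a symlink" >&2
    return 3
}

# Check every .module file in a p11-kit config directory; exits non-zero if
# any of them fails to resolve (a stale copy is only a warning here).
check_p11_module_dir() {
    confdir=$1
    moddir=$2
    status=0
    for f in "$confdir"/*.module; do
        [ -e "$f" ] || continue
        check_p11_module "$f" "$moddir" || rc=$?
        case ${rc:-0} in
            0|3) ;;
            *) status=1 ;;
        esac
        rc=0
    done
    return $status
}

# Stand-alone use: check_p11_module.sh <module-file> <module-dir>
if [ "$#" -ge 2 ]; then
    check_p11_module "$1" "$2"
fi
```

On the reporter's box this would be `check_p11_module /usr/share/p11-kit/modules/tpm2_pkcs11.module /usr/lib/x86_64-linux-gnu/pkcs11`, which returns 2 before the library is put in place and 3 after the `cp` shown above; replacing the copy with a symlink to `/usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1` is what brings it to 0.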

Maitre-Hiboux commented 3 years ago

Ok it works perfectly as expected now ! Managed to get my csr. Once again thanks a lot. I'll close the issue.

williamcroberts commented 3 years ago

Thanks for digging into this and solving it AND posting back for others.