
C_GetTokenInfo for provider libtpm2-pk11.so slot 0 failed: 48

Open varesa opened this issue 5 years ago • 3 comments

I am trying to create an SSH key in the TPM of my laptop.

Generating a key:

yoga ~ # tpm2_createprimary -H o -g sha256 -G rsa -C po.ctx

ObjectAttribute: 0x00030072

CreatePrimary Succeed ! Handle: 0x800000ff

yoga ~ # tpm2_create -c po.ctx -g sha256 -G rsa -u key.pub -r key.priv

algorithm:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
  raw: 0x60072
type: 
  value: rsa
  raw: 0x1
  rsa: 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
yoga ~ # tpm2_load -c po.ctx -u key.pub -r key.priv -C obj.ctx


Load succ.
LoadedHandle: 0x80000100

yoga ~ # tpm2_evictcontrol -A o -c obj.ctx -H 0x81010010

persistentHandle: 0x81010010

My ~/.tpm2/config looks like this:

# Type can be device/socket/tabrmd
type device
# Hostname to connect when using socket
hostname localhost
# Port number of TPM socket to connect to
port 2321
# Device to use as TPM
device /dev/tpm0
# Sign using encrypt in case TPM doesn't support hash format
# For example SSH use SHA512 which isn't supported by all TPM's
# Enabling this option requires key's to be encryption keys instead of signing only keys
sign-using-encrypt true
# Set login_required in case keys are protected by a password
# Notice currently only a single password for all keys is supported
# Depending on the TPM settings, providing wrong passwords can lead to a lockout
login-required false

ssh-keygen fails:

yoga ~ # ssh-keygen -D libtpm2-pk11.so

C_GetTokenInfo for provider libtpm2-pk11.so slot 0 failed: 48
cannot read public key from pkcs11
yoga ~ # tpm2_listpersistent
persistent-handle[0]:0x81000001 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt
persistent-handle[1]:0x81000100 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
persistent-handle[2]:0x81010010 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
yoga ~ # tpm2_readpublic -H 0x81010010
name: 000b751a312ea4ec6cae94d2a5041ab4b8c8e313cd06f242a7629a077d410dd0ad77
qualified name: 000bce568fdc5716ca53590ca396bd9f260f4cfa93e0a12421312a580540eb6721cb
algorithm:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
  raw: 0x60072
type: 
  value: rsa
  raw: 0x1
  rsa: bb84a32ec4c674ba64a8c5824cb70be4cf5d14371e3d91c5c02d1e0f25b70e9721209dcccc032603a805200d9526d054bf55ad0ebd7afcef92bc30325ebc19e7bd84552c3d3e618b91f41c5fb03efba437998b05f6f4cf3674066b36ce9d0e178685d192085b73d23ad05265a7facbe25fc69b33662d6ac75a58ec329333e6181d76fbd728120eed32b0613892d73a37f9c811a8706e8dc3ad07480972e73e4d661f36e26b0477a7bed02d99f6fa145565fd56bdcc2f9b9af064f060608313c2991fb9d392e72428f4d48a700745efb313e474aa87a85bb020821b75fca8594cccad34c36a2fe10ba4d913c6ae17b68c9a9d55bb7556837a1c8da815a7a5188b

varesa, Sep 17 '18 10:09

Please configure a log file in the config, set the log level to 5 (debug), and upload the log file after running ssh-keygen.

irtimmer, Sep 17 '18 18:09

For some reason logging into a file just creates an empty file.

yoga ~ # grep -v "^#" ~/.tpm2/config
type tabrmd
hostname localhost
port 2321
device /dev/tpm0
sign-using-encrypt false
login-required false
log-level 5
log /tmp/tpm2-pk11.log

yoga ~ # ls -lah /tmp/tpm2-pk11.log
ls: cannot access '/tmp/tpm2-pk11.log': No such file or directory

yoga ~ # ssh-keygen -D libtpm2-pk11.so

C_GetTokenInfo for provider libtpm2-pk11.so slot 0 failed: 48
cannot read public key from pkcs11

yoga ~ # ls -lah /tmp/tpm2-pk11.log
-rw-r--r--. 1 root root 0 Sep 18 00:27 /tmp/tpm2-pk11.log

With "log stderr" I get the following:

yoga ~ # ssh-keygen -D libtpm2-pk11.so

2018-09-18 00:28:31 [tpm-pk11] C_GetInfo
2018-09-18 00:28:31 [tpm-pk11] C_GetSlotList: present = true
2018-09-18 00:28:31 [tpm-pk11] C_GetSlotList: present = true
2018-09-18 00:28:31 [tpm-pk11] C_GetTokenInfo: id = 4660
C_GetTokenInfo for provider libtpm2-pk11.so slot 0 failed: 48
2018-09-18 00:28:31 [tpm-pk11] C_Finalize
cannot read public key from pkcs11

varesa, Sep 17 '18 21:09

Looking at the log, it looks like tpm-pk11 is unable to connect to the TPM. However, I don't know why. In the opening post tpm-pk11 is configured to connect directly to the device, which can fail if it's already in use, by for example the TPM2 Access Broker, unless the kernel access broker is enabled, or if the user does not have access to the device. However, in your last post it's configured to use the TPM2 Access Broker, which is also the default for the tpm2 tools, and that should work if tpm2_listpersistent is also working.

irtimmer, Sep 18 '18 19:09
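The reply above boils the failure down to two questions: which transport the tpm2-pk11 config selects, and whether that transport is actually reachable from the user running ssh-keygen. The script below is an added example written for this page; it is not part of tpm2-pk11 or OpenSSH. It reads the same "key value" config format shown in the thread (comment lines start with "#"), checks the obvious preconditions for the device and tabrmd transports, and translates the decimal value ssh-keygen prints after "failed:" back to its PKCS#11 name (48 is 0x30, CKR_DEVICE_ERROR in the PKCS#11 spec). Assumptions: the config keys type, device, hostname and port are exactly as in the thread; the broker process is named tpm2-abrmd; a missing pgrep makes the tabrmd check inconclusive rather than a failure. The sample config it writes is constructed for the example.

```shell
#!/bin/sh
# Added example, not project code: sanity-check a tpm2-pk11 config before
# running "ssh-keygen -D libtpm2-pk11.so", and decode ssh-keygen's CK_RV.

# Print the value of key $2 from tpm2-pk11-style config file $1
# (lines of "key value"; lines whose first field starts with '#' are comments).
cfg_get() {
    awk -v k="$2" '$1 !~ /^#/ && $1 == k { print $2; exit }' "$1"
}

# Check the transport selected by config file $1.
# Prints one diagnostic line; returns 0 if it looks usable, 1 otherwise.
check_transport() {
    cfg="$1"
    type=$(cfg_get "$cfg" type)
    case "$type" in
        device)
            dev=$(cfg_get "$cfg" device)
            [ -n "$dev" ] || dev=/dev/tpm0
            if [ ! -e "$dev" ]; then
                echo "device $dev does not exist"; return 1
            fi
            if [ ! -r "$dev" ] || [ ! -w "$dev" ]; then
                echo "no read/write access to $dev (check owner/group, or use type tabrmd)"; return 1
            fi
            # A running broker usually holds the raw device open; direct access then fails.
            if command -v pgrep >/dev/null 2>&1 && pgrep -x tpm2-abrmd >/dev/null 2>&1; then
                echo "tpm2-abrmd is running and may hold $dev; use type tabrmd instead"; return 1
            fi
            echo "raw device $dev looks usable"; return 0 ;;
        tabrmd)
            if ! command -v pgrep >/dev/null 2>&1; then
                echo "cannot verify tpm2-abrmd (pgrep missing)"; return 0
            fi
            if pgrep -x tpm2-abrmd >/dev/null 2>&1; then
                echo "tpm2-abrmd is running"; return 0
            fi
            echo "tpm2-abrmd is not running"; return 1 ;;
        socket)
            host=$(cfg_get "$cfg" hostname); port=$(cfg_get "$cfg" port)
            echo "socket transport to ${host:-localhost}:${port:-2321} (not probed)"; return 0 ;;
        *)
            echo "unknown or missing type '$type'"; return 1 ;;
    esac
}

# ssh-keygen prints the CK_RV in decimal; map the common values to PKCS#11 names.
ckr_name() {
    case "$1" in
        0)   echo "CKR_OK (0x00)" ;;
        5)   echo "CKR_GENERAL_ERROR (0x05)" ;;
        6)   echo "CKR_FUNCTION_FAILED (0x06)" ;;
        48)  echo "CKR_DEVICE_ERROR (0x30)" ;;
        49)  echo "CKR_DEVICE_MEMORY (0x31)" ;;
        50)  echo "CKR_DEVICE_REMOVED (0x32)" ;;
        160) echo "CKR_PIN_INCORRECT (0xA0)" ;;
        224) echo "CKR_TOKEN_NOT_PRESENT (0xE0)" ;;
        257) echo "CKR_USER_NOT_LOGGED_IN (0x101)" ;;
        *)   printf 'unknown CK_RV %s (0x%X)\n' "$1" "$1" ;;
    esac
}

# Write a constructed sample config (type $1, device $2) and print its path.
write_sample_config() {
    f="${TMPDIR:-/tmp}/tpm2-pk11-sample.$$.$1"
    printf '# Type can be device/socket/tabrmd\ntype %s\nhostname localhost\nport 2321\n# Device to use as TPM\ndevice %s\nsign-using-encrypt false\nlogin-required false\n' "$1" "$2" > "$f"
    echo "$f"
}

# Usage: ./tpm2-pk11-check.sh ~/.tpm2/config [ck_rv]
if [ "$#" -gt 0 ]; then
    check_transport "$1"
    [ "$#" -gt 1 ] && ckr_name "$2"
fi
```

Run it as "sh tpm2-pk11-check.sh ~/.tpm2/config 48" before and after switching the type line; if it reports a permission problem on /dev/tpm0 while type is device, or that tpm2-abrmd is not running while type is tabrmd, that matches the connection failure irtimmer describes.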