This repository has been archived by the owner on May 16, 2020. It is now read-only.

C_GetTokenInfo for provider libtpm2-pk11.so slot 0 failed: 48 #83

Open
varesa opened this issue Sep 17, 2018 · 3 comments

Comments


varesa commented Sep 17, 2018

I am trying to create an SSH key in the TPM of my laptop.

Generating a key:

yoga ~ # tpm2_createprimary -H o -g sha256 -G rsa -C po.ctx

ObjectAttribute: 0x00030072

CreatePrimary Succeed ! Handle: 0x800000ff

yoga ~ # tpm2_create -c po.ctx -g sha256 -G rsa -u key.pub -r key.priv

algorithm:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
  raw: 0x60072
type: 
  value: rsa
  raw: 0x1
  rsa: (public key value omitted from the page)
yoga ~ # tpm2_load -c po.ctx -u key.pub -r key.priv -C obj.ctx
Load succ.
LoadedHandle: 0x80000100

yoga ~ # tpm2_evictcontrol -A o -c obj.ctx -H 0x81010010

persistentHandle: 0x81010010

My ~/.tpm2/config looks like this:

# Type can be device/socket/tabrmd
type device
# Hostname to connect when using socket
hostname localhost
# Port number of TPM socket to connect to
port 2321
# Device to use as TPM
device /dev/tpm0
# Sign using encrypt in case TPM doesn't support hash format
# For example SSH use SHA512 which isn't supported by all TPM's
# Enabling this option requires key's to be encryption keys instead of signing only keys
sign-using-encrypt true
# Set login_required in case keys are protected by a password
# Notice currently only a single password for all keys is supported
# Depending on the TPM settings, providing wrong passwords can lead to a lockout
login-required false

ssh-keygen fails:

yoga ~ # ssh-keygen -D libtpm2-pk11.so

C_GetTokenInfo for provider libtpm2-pk11.so slot 0 failed: 48
cannot read public key from pkcs11
yoga ~ # tpm2_listpersistent
persistent-handle[0]:0x81000001 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt
persistent-handle[1]:0x81000100 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
persistent-handle[2]:0x81010010 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
yoga ~ # tpm2_readpublic -H 0x81010010
name: 000b751a312ea4ec6cae94d2a5041ab4b8c8e313cd06f242a7629a077d410dd0ad77
qualified name: 000bce568fdc5716ca53590ca396bd9f260f4cfa93e0a12421312a580540eb6721cb
algorithm:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
  raw: 0x60072
type: 
  value: rsa
  raw: 0x1
  rsa: (public key value omitted from the page)
@irtimmer
Owner

Please configure a log file in config and set the log level to 5 (debug), then upload the log file after running ssh-keygen.

@varesa
Author

varesa commented Sep 17, 2018

For some reason logging into a file just creates an empty file.

yoga ~ # grep -v "^#" ~/.tpm2/config
type tabrmd
hostname localhost
port 2321
device /dev/tpm0
sign-using-encrypt false
login-required false
log-level 5
log /tmp/tpm2-pk11.log

yoga ~ # ls -lah /tmp/tpm2-pk11.log
ls: cannot access '/tmp/tpm2-pk11.log': No such file or directory

yoga ~ # ssh-keygen -D libtpm2-pk11.so

C_GetTokenInfo for provider libtpm2-pk11.so slot 0 failed: 48
cannot read public key from pkcs11

yoga ~ # ls -lah /tmp/tpm2-pk11.log
-rw-r--r--. 1 root root 0 Sep 18 00:27 /tmp/tpm2-pk11.log

with log stderr I get the following:

yoga ~ # ssh-keygen -D libtpm2-pk11.so

2018-09-18 00:28:31 [tpm-pk11] C_GetInfo
2018-09-18 00:28:31 [tpm-pk11] C_GetSlotList: present = true
2018-09-18 00:28:31 [tpm-pk11] C_GetSlotList: present = true
2018-09-18 00:28:31 [tpm-pk11] C_GetTokenInfo: id = 4660
C_GetTokenInfo for provider libtpm2-pk11.so slot 0 failed: 48
2018-09-18 00:28:31 [tpm-pk11] C_Finalize
cannot read public key from pkcs11

@irtimmer
Owner

Looking at the log, it looks like tpm-pk11 is unable to connect to the TPM. However, I don't know why. In the opening post tpm-pk11 is configured to connect directly to the device, which can fail if the device is already in use (for example by the TPM2 Access Broker) unless the kernel access broker is enabled, or if the user does not have access to the device. However, in your last post it is configured to use the TPM2 Access Broker, which is also the default for the tpm2 tools, and that should work if tpm2_listpersistent is also working.
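Added example (not part of this issue thread or of tpm2-pk11's own code): the "failed: 48" in the ssh-keygen output is the PKCS#11 return value, which OpenSSH prints in decimal, so 48 is 0x30, CKR_DEVICE_ERROR, consistent with the diagnosis above that the module never reached the TPM. The script below decodes that line, parses the `~/.tpm2/config` format shown in the thread, parses `tpm2_listpersistent` output, and reports the mismatches the thread discusses: device mode colliding with the access broker or an unreadable /dev/tpm0, tabrmd mode failing while tpm2-tools work, and `sign-using-encrypt true` pointed at a key that cannot do unrestricted decryption. The CKR table is a subset of the PKCS#11 v2.x return codes; the finding codes and all sample inputs are constructed here from the posts above.

```python
"""Decode an OpenSSH PKCS#11 failure and sanity-check a tpm2-pk11 setup.

Added example, not code from the issue or from tpm2-pk11. Inputs are
constructed from the thread above; finding codes are this script's own.
"""
import re

# Subset of CK_RV values from the PKCS#11 v2.x specification.
CKR_NAMES = {
    0x00: "CKR_OK", 0x05: "CKR_GENERAL_ERROR", 0x06: "CKR_FUNCTION_FAILED",
    0x07: "CKR_ARGUMENTS_BAD", 0x30: "CKR_DEVICE_ERROR", 0x31: "CKR_DEVICE_MEMORY",
    0x32: "CKR_DEVICE_REMOVED", 0x54: "CKR_FUNCTION_NOT_SUPPORTED",
    0x70: "CKR_MECHANISM_INVALID", 0xA0: "CKR_PIN_INCORRECT", 0xA4: "CKR_PIN_LOCKED",
    0xE0: "CKR_TOKEN_NOT_PRESENT", 0x101: "CKR_USER_NOT_LOGGED_IN",
    0x190: "CKR_CRYPTOKI_NOT_INITIALIZED",
}

# OpenSSH's ssh-pkcs11.c formats the CK_RV with %lu, i.e. in decimal.
SSH_PKCS11_ERR = re.compile(
    r"(?P<func>C_\w+) for provider (?P<lib>\S+) slot (?P<slot>\d+) failed: (?P<rv>\d+)")

# One line of tpm2_listpersistent (tpm2-tools 3.x format, as pasted above).
LISTPERSISTENT = re.compile(
    r"persistent-handle\[\d+\]:(?P<handle>0x[0-9a-fA-F]+)\s+key-alg:(?P<alg>\S+)"
    r"\s+hash-alg:(?P<hash>\S+)\s+object-attr:(?P<attr>\S+)")


def decode_ssh_pkcs11_error(line):
    """Return the parsed OpenSSH PKCS#11 error with the CK_RV name, or None."""
    m = SSH_PKCS11_ERR.search(line)
    if not m:
        return None
    rv = int(m.group("rv"))
    return {"func": m.group("func"), "lib": m.group("lib"),
            "slot": int(m.group("slot")), "rv": rv,
            "name": CKR_NAMES.get(rv, "CKR_UNKNOWN_0x%X" % rv)}


def parse_pk11_config(text):
    """Parse the `key value` lines of ~/.tpm2/config; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def parse_listpersistent(text):
    """Map persistent handle (int) -> {alg, hash, attrs(set)}."""
    keys = {}
    for m in LISTPERSISTENT.finditer(text):
        keys[int(m.group("handle"), 16)] = {
            "alg": m.group("alg"), "hash": m.group("hash"),
            "attrs": set(m.group("attr").split("|"))}
    return keys


def diagnose(error_line, config_text, listpersistent_text=""):
    """Return (decoded error, [(finding_code, message), ...])."""
    findings = []
    err = decode_ssh_pkcs11_error(error_line)
    conf = parse_pk11_config(config_text)
    if err and err["name"] == "CKR_DEVICE_ERROR":
        if conf.get("type") == "device":
            findings.append(("device-busy-or-unreadable",
                             "%s may be held by tabrmd or not be readable by this user"
                             % conf.get("device", "/dev/tpm0")))
        elif conf.get("type") == "tabrmd":
            findings.append(("broker-unreachable",
                             "tpm2-pk11 could not reach the access broker; check that "
                             "tpm2_listpersistent works against the same broker"))
    if conf.get("sign-using-encrypt") == "true":
        # sign-using-encrypt needs a key that can perform unrestricted RSA decryption.
        for handle, key in parse_listpersistent(listpersistent_text).items():
            if "decrypt" not in key["attrs"]:
                findings.append(("not-a-decrypt-key", "0x%08x" % handle))
            elif "restricted" in key["attrs"]:
                findings.append(("restricted-key", "0x%08x" % handle))
    return err, findings


# Constructed sample inputs, taken from the posts in this thread.
ERROR_LINE = "C_GetTokenInfo for provider libtpm2-pk11.so slot 0 failed: 48"
CONFIG_DEVICE = """# Type can be device/socket/tabrmd
type device
device /dev/tpm0
sign-using-encrypt true
login-required false
"""
CONFIG_TABRMD = "type tabrmd\nsign-using-encrypt false\nlogin-required false\n"
PERSISTENT = """persistent-handle[0]:0x81000001 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt
persistent-handle[1]:0x81000100 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
persistent-handle[2]:0x81010010 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
"""

if __name__ == "__main__":
    for cfg in (CONFIG_DEVICE, CONFIG_TABRMD):
        err, findings = diagnose(ERROR_LINE, cfg, PERSISTENT)
        print("%s -> rv %d (%s)" % (err["func"], err["rv"], err["name"]))
        for code, msg in findings:
            print("  [%s] %s" % (code, msg))
```

Run it against your own `ssh-keygen -D` stderr, config and `tpm2_listpersistent` output; the first finding it prints in device mode is exactly the collision with the access broker described above, and an unknown CK_RV is printed in hex so it can be looked up in the PKCS#11 specification.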
