Lenovo X201, T410, T410s, W510: After suspend/resume any pkcs11 operation on the TPM token requiring the User PIN fails with CKR_USER_PIN_NOT_INITIALIZED

Bug #588830 reported by Jeremy Zimmer
This bug affects 2 people
Affects: linux (Ubuntu)
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

This seems similar to the USB issues after suspend resume (https://bugs.launchpad.net/oem-priority/+bug/566149), and is fixed by either reboot, or a hibernate/thaw cycle. However, unlike the USB issue, this is not fixed in the 2.6.32.14 kernel branch.

jeremy@ubuntu-t410s:~$ uname -a
Linux ubuntu-t410s 2.6.32-02063214-generic #02063214 SMP Thu May 27 09:11:03 UTC 2010 x86_64 GNU/Linux

Steps to reproduce:

Cold boot into the BIOS utility; under "security", activate and clear the security chip.

Install opensc, opencryptoki, tpm-tools.

$ sudo tpm_takeownership (enter anything for the owner password, leave the SRK password blank)
$ sudo pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 --init-token --label "Test TPM Token" --so-pin 87654321
$ sudo pkcsconf -c 0 -P -S 87654321 -n <choose a new SO PIN>
$ sudo pkcsconf -c 0 -p -U 12345678 -n <choose a new User PIN>
$ sudo pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 -L -l
(Enter the user PIN you chose above when prompted, which won't produce additional output, but the command will exit 0)
...suspend/resume the laptop...
$ sudo pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 -L -l
(Enter the user PIN again, this time it will exit 1, showing "CKR_USER_PIN_NOT_INITIALIZED")
...hibernate/thaw the laptop...
$ sudo pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 -L -l
(Enter the user PIN, and it works again, exiting 0)

tags: added: glucid
tags: added: kernel-suspend
tags: added: kj-triage
Jeremy Zimmer (jeremyz) wrote :

Another data point:

On the Lenovo T61, which also uses the TPM 1.1, I see the same error directly after resume, but about 45-60 seconds later, logins (with the user PIN) start working again.
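
The reproduction steps and the T61 observation above can be turned into a repeatable measurement. The script below is an added example, not part of the bug report: it re-runs the report's `pkcs11-tool ... -L -l` command after resume, separates the `CKR_USER_PIN_NOT_INITIALIZED` failure from other errors, and counts failed attempts until login works again. The function names, the `USER_PIN` variable, the `--run` switch and the polling interval are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not part of the bug report. Function names, USER_PIN and
# the --run switch are assumptions made for this sketch.
MODULE="${MODULE:-/usr/lib/opencryptoki/libopencryptoki.so.0}"  # path used in the report

# Map one pkcs11-tool run (exit status, captured output) to a state.
classify_login() {
    case "$2" in
        *CKR_USER_PIN_NOT_INITIALIZED*) echo pin_not_initialized; return 0 ;;
    esac
    if [ "$1" -eq 0 ]; then echo ok; else echo other_error; fi
}

# Same command as in the report, with the PIN passed non-interactively.
# A PIN on the command line is visible in the process list: test tokens only.
probe_token() {
    pkcs11-tool --module "$MODULE" -L -l --pin "$USER_PIN" 2>&1
}

# Poll a probe until login works.
# $1 = probe function, $2 = max attempts, $3 = seconds between attempts.
# Prints "<outcome> <failed attempts>"; returns 0 once login works,
# 1 if it still fails with the PIN error, 2 on any other error.
wait_for_login() {
    probe=$1; max=$2; delay=$3; fails=0
    while [ "$fails" -lt "$max" ]; do
        if out=$("$probe"); then rc=0; else rc=$?; fi
        case "$(classify_login "$rc" "$out")" in
            ok) echo "recovered $fails"; return 0 ;;
            other_error) echo "other_error $fails"; return 2 ;;
        esac
        fails=$((fails + 1))
        sleep "$delay"
    done
    echo "still_failing $fails"
    return 1
}

# Run right after resume: USER_PIN=... sh tpm-resume-check.sh --run
# 24 attempts x 5 s covers the 45-60 s recovery seen on the T61.
if [ "${1:-}" = "--run" ]; then
    wait_for_login probe_token 24 5
fi
```

Run it as root, as the report's commands are run with `sudo`. A result of `still_failing 24` matches the behaviour reported for the T410s, while `recovered N` with N greater than 0 matches the delayed recovery reported for the T61.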

Brad Figg (brad-figg)
Changed in linux (Ubuntu):
status: New → Confirmed
penalvch (penalvch) wrote :

Jeremy Zimmer, this bug was reported a while ago and there hasn't been any activity in it recently. We were wondering if this is still an issue? If so, could you please test for this with the latest development release of Ubuntu? ISO CD images are available from http://cdimage.ubuntu.com/releases/ .

If it remains an issue, could you please run the following command in the development release from a Terminal (Applications->Accessories->Terminal), as it will automatically gather and attach updated debug information to this report:

apport-collect -p linux <replace-with-bug-number>

Also, could you please test the latest upstream kernel available following https://wiki.ubuntu.com/KernelMainlineBuilds ? It will allow additional upstream developers to examine the issue. Please do not test the kernel in the daily folder, but the one all the way at the bottom. Once you've tested the upstream kernel, please comment on which kernel version specifically you tested and remove the tag:
needs-upstream-testing

This can be done by clicking on the yellow pencil icon next to the tag located at the bottom of the bug description and deleting the text:
needs-upstream-testing

If this bug is fixed in the mainline kernel, please add the following tags:
kernel-fixed-upstream
kernel-fixed-upstream-VERSION-NUMBER

where VERSION-NUMBER is the version number of the kernel you tested.

If the mainline kernel does not fix this bug, please add the following tags:
kernel-bug-exists-upstream
kernel-bug-exists-upstream-VERSION-NUMBER

If you are unable to test the mainline kernel, please comment as to why specifically you were unable to test it and add the following tags:
kernel-unable-to-test-upstream
kernel-unable-to-test-upstream-VERSION-NUMBER

Please let us know your results. Thank you for your understanding.

Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired