Chromium Code Reviews
Unified Diff: bin/fix_pkcs11_token.sh

Issue 3107031: entd: Restart on token init failure (Closed) Base URL: http://src.chromium.org/git/entd.git
Patch Set: Created 10 years, 4 months ago
Index: bin/fix_pkcs11_token.sh
diff --git a/bin/fix_pkcs11_token.sh b/bin/fix_pkcs11_token.sh
new file mode 100755
index 0000000000000000000000000000000000000000..df236b71322adf67cd5f1caa0122a328fa56832b
--- /dev/null
+++ b/bin/fix_pkcs11_token.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+if [ -z "$1" ]; then
+ USERNAME="chronos"
+else
+ USERNAME="$1"
+fi
+
+PKCS11_GROUP="pkcs11"
+
+OPENCRYPTOKI_DIR="/var/lib/opencryptoki"
+USER_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/$USERNAME"
+ROOT_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/root"
+
+USER_TOKEN_DIR="/home/$USERNAME/user/.tpm"
+
+if [ -e "$USER_TOKEN_DIR/PUBLIC_ROOT_KEY.pem" -a \
+ ! -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" ]; then
+ # A token with a public key but no private key is a sign that
+ # initialization timed out. The only way to recover seems to be to wipe
+ # out the whole token and try again.
+ logger "PKCS#11 token appears to be broken, deleting: $USER_TOKEN_DIR/*"
+ rm -rf $USER_TOKEN_DIR/*
Chris Masone 2010/08/23 23:56:28 perhaps "$USER_TOKEN_DIR"/* to be as consistent a
+fi
+
+# Ensure the directories exist
+mkdir -p "$OPENCRYPTOKI_DIR/tpm"
+chown -R "root:$PKCS11_GROUP" "$OPENCRYPTOKI_DIR"
+
+# Ensure that they point to the user volume
+[ -L "$USER_TOKEN_LINK" ] || \
+ ln -sf "$USER_TOKEN_DIR" "$USER_TOKEN_LINK"
+[ -L "$ROOT_TOKEN_LINK" ] || \
+ ln -sf "./$USERNAME" "$ROOT_TOKEN_LINK"
+
+# Always remove the old token entry.
+rm -f /var/lib/opencryptoki/pk_config_data
+
+# Creating this directory because if it's not there, token initialization
+# will neither create it nor populate it.
+mkdir -p "$USER_TOKEN_DIR/TOK_OBJ"
+
+# Configure the tpm as a token
+pkcs_slot 0 tpm
+
+# Make sure the user can access their own data
+chown -R "$USERNAME:$PKCS11_GROUP" "$USER_TOKEN_DIR"
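Review bot: `USERNAME` comes straight from `$1` and is then used unvalidated to build paths that are handed to `rm -rf`, `chown -R` and `ln -sf` while running as root (`USER_TOKEN_DIR="/home/$USERNAME/user/.tpm"` and `rm -rf $USER_TOKEN_DIR/*`); a value containing spaces, glob characters or `..` would word-split or resolve outside the intended home directory. Suggest rejecting any argument that does not match a plain account-name pattern before it is used, and quoting the deletion as `rm -rf "$USER_TOKEN_DIR"/*` as already noted inline. Two smaller points: the `[ -L "$USER_TOKEN_LINK" ] || ln -sf ...` guards mean an existing but stale symlink is never corrected, although `ln -sf` on its own would already replace it; and the exit status of `pkcs_slot 0 tpm` is ignored (the script does not use `set -e`), so a failed slot configuration goes unlogged and the final `chown -R` still runs. For consistency, `rm -f /var/lib/opencryptoki/pk_config_data` could use `"$OPENCRYPTOKI_DIR/pk_config_data"` like the rest of the file.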