Forces TPM slot to be "Friendly", allowing NSS to avoid locking

crypto/nss_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 
 #include <nss.h>
 #include <plarena.h>
 #include <prerror.h>
@@ skipping 178 matching lines @@
       PK11SlotInfo* slot = item->module->slots[i];
       if (PK11_GetTokenName(slot) == token_name)
         return PK11_ReferenceSlot(slot);
     }
   }
   return NULL;
 }
 
 #endif  // defined(USE_NSS)
 
+#if defined(OS_CHROMEOS)
+void LogSlotInfo() {
+  AutoSECMODListReadLock auto_lock;
+  SECMODModuleList* head = SECMOD_GetDefaultModuleList();
+  VLOG(1) << "Current PK11 Slot Status:";
+  for (SECMODModuleList* item = head; item != NULL; item = item->next) {
+    int slot_count = item->module->loaded ? item->module->slotCount : 0;
+    for (int i = 0; i < slot_count; i++) {
+      PK11SlotInfo* slot = item->module->slots[i];
+      if (slot) {
+        VLOG(1) << "  ###############################";
+        VLOG(1) << "  Token Name   : " << PK11_GetTokenName(slot);
+        VLOG(1) << "  Slot Name    : " << PK11_GetSlotName(slot);
+        VLOG(1) << "  Slot ID      : " << PK11_GetSlotID(slot);
+        VLOG(1) << "  Is Friendly  : "
+            << (PK11_IsFriendly(slot) ? "True" : "False");
+        VLOG(1) << "  Default Flags: " << PK11_GetDefaultFlags(slot);
+        VLOG(1) << "  Need Login   : " << (PK11_NeedLogin(slot) ? "Yes" : "No");
+      }
+    }
+  }
+}
+#endif
+
 // A singleton to initialize/deinitialize NSPR.
 // Separate from the NSS singleton because we initialize NSPR on the UI thread.
 // Now that we're leaking the singleton, we could merge back with the NSS
 // singleton.
 class NSPRInitSingleton {
  private:
   friend struct base::DefaultLazyInstanceTraits<NSPRInitSingleton>;
 
   NSPRInitSingleton() {
     PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
@@ skipping 327 matching lines @@
       // TPM.
       if (!chaps_module_) {
         chaps_module_ = LoadModule(
             kChapsModuleName,
             kChapsPath,
             // trustOrder=100 -- means it'll select this as the most
             //   trusted slot for the mechanisms it provides.
             // slotParams=... -- selects RSA as the only mechanism, and only
             //   asks for the password when necessary (instead of every
             //   time, or after a timeout).
-            "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})");
+            "trustOrder=100 slotParams=(1={slotFlags=[RSA,PublicCerts] "

[Ryan Sleevi, 2012/03/30 18:29:26]

I believe you should update the 1= to 0=, based on your PK11_GetSlotID results

+            "askpw=only})");

[Ryan Sleevi, 2012/03/30 21:05:48]

One more thing to try here:

This will help determine how/why these flags may not be getting passed. This is
a short-term diagnostic step but should make it easier to debug.

if (chaps_module_ && chaps_module_->loaded) {
  int size = 0;
  PK11DefaultArrayEntry* entries = PK11_GetDefaultArrayEntry(&size);
  PK11DefaultArrayEntry* friendly_entry = NULL;
  for (int i = 0; i < size; ++i) {
    if (entries[i]->flag == SECMOD_FRIENDLY_FLAG) {
      friendly_entry = entries[i];
      break;
    }
  }
  for (int i = 0; i < chaps_module_->slotCount; ++i) {
    PK11SlotInfo* slot = chaps_module_->slots[i];
    // Force all slots in the TPM module to be friendly
    if (slot)
      PK11_UpdateSlotAttribute(slot, friendly_entry, PR_TRUE);
  }
}
LogSlotInfo();

[Ryan Sleevi, 2012/03/30 21:07:14]

Sorry, that should be:
for (int i = 0; friendly_entry && i < chaps_module_->slotCount; ++i) {

Although even a crash would be nice here :)

       }
       if (chaps_module_) {
         // If this gets set, then we'll use the TPM for certs with
         // private keys, otherwise we'll fall back to the software
         // implementation.
         tpm_slot_ = GetTPMSlot();
+
+        if (VLOG_IS_ON(1))
+          LogSlotInfo();
+
         callback.Run(tpm_slot_ != NULL);
         return;
       }
     }
     callback.Run(false);
   }
 #endif
 
 #if defined(USE_NSS)
   // Load nss's built-in root certs.
@@ skipping 67 matching lines @@
   // is fixed, we will no longer need the lock.
   base::Lock write_lock_;
 #endif  // defined(USE_NSS)
 };
 
 // static
 bool NSSInitSingleton::force_nodb_init_ = false;
 
 base::LazyInstance<NSSInitSingleton>::Leaky
     g_nss_singleton = LAZY_INSTANCE_INITIALIZER;
-
 }  // namespace
 
 #if defined(USE_NSS)
 void EarlySetupForNSSInit() {
   FilePath database_dir = GetInitialConfigDirectory();
   if (!database_dir.empty())
     UseLocalCacheOfNSSDatabaseIfNFS(database_dir);
 }
 #endif
 
@@ skipping 147 matching lines @@
 
 PK11SlotInfo* GetPublicNSSKeySlot() {
   return g_nss_singleton.Get().GetPublicNSSKeySlot();
 }
 
 PK11SlotInfo* GetPrivateNSSKeySlot() {
   return g_nss_singleton.Get().GetPrivateNSSKeySlot();
 }
 
 }  // namespace crypto