Forces TPM slot to be "Friendly", allowing NSS to avoid locking

crypto/nss_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 
 #include <nss.h>
 #include <plarena.h>
 #include <prerror.h>
@@ skipping 178 matching lines @@
       PK11SlotInfo* slot = item->module->slots[i];
       if (PK11_GetTokenName(slot) == token_name)
         return PK11_ReferenceSlot(slot);
     }
   }
   return NULL;
 }
 
 #endif  // defined(USE_NSS)
 
+#if defined(OS_CHROMEOS)
+void LogSlotInfo() {
+  AutoSECMODListReadLock auto_lock;
+  SECMODModuleList* head = SECMOD_GetDefaultModuleList();
+  VLOG(1) << "Current PK11 Slot Status:";
+  for (SECMODModuleList* item = head; item != NULL; item = item->next) {
+    int slot_count = item->module->loaded ? item->module->slotCount : 0;
+    for (int i = 0; i < slot_count; i++) {
+      PK11SlotInfo* slot = item->module->slots[i];
+      if (slot) {
+        VLOG(1) << "  ###############################";
+        VLOG(1) << "  Token Name   : " << PK11_GetTokenName(slot);
+        VLOG(1) << "  Slot Name    : " << PK11_GetSlotName(slot);
+        VLOG(1) << "  Slot ID      : " << PK11_GetSlotID(slot);
+        VLOG(1) << "  Is Friendly  : "
+            << (PK11_IsFriendly(slot) ? "True" : "False");
+        VLOG(1) << "  Default Flags: " << PK11_GetDefaultFlags(slot);
+        VLOG(1) << "  Need Login   : "
+            << (PK11_NeedLogin(slot) ? "Yes" : "No");
+        VLOG(1) << "  Is Hardware  :" << (PK11_IsHW(slot) ? "Yes" : "No");
+      }
+    }
+  }
+}
+#endif
+
 // A singleton to initialize/deinitialize NSPR.
 // Separate from the NSS singleton because we initialize NSPR on the UI thread.
 // Now that we're leaking the singleton, we could merge back with the NSS
 // singleton.
 class NSPRInitSingleton {
  private:
   friend struct base::DefaultLazyInstanceTraits<NSPRInitSingleton>;
 
   NSPRInitSingleton() {
     PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
@@ skipping 326 matching lines @@
       // This tries to load the Chaps module so NSS can talk to the hardware
       // TPM.
       if (!chaps_module_) {
         chaps_module_ = LoadModule(
             kChapsModuleName,
             kChapsPath,
             // trustOrder=100 -- means it'll select this as the most
             //   trusted slot for the mechanisms it provides.
             // slotParams=... -- selects RSA as the only mechanism, and only
             //   asks for the password when necessary (instead of every
-            //   time, or after a timeout).
-            "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})");
+            //   time, or after a timeout).  Turn on the "Friendly" flag
+            // with "PublicCerts" so NSS doesn't try to lock things
+            // unnecessarily.
+            "trustOrder=100 slotParams=(0={slotFlags=[RSA,PublicCerts],"

[wtc, 2012/04/03 00:25:49]

Please try replacing the last comma (right before the closing
quote) with a space.  The NSS PKCS #11 Module Specs page says:
  
  slotParams - space separated list of name/value pairs
  where the name is a slotID and the value is a space
                                                ^^^^^
  separated list of parameters related to that slotID.
  ^^^^^^^^^

So we should use a space instead of a comma there.

Why did you change the slotID from 1= to 0= ?

+            "askpw=only})");
       }
-      if (chaps_module_) {
+      if (chaps_module_ && chaps_module_->loaded) {
+        int size = 0;
+        PK11DefaultArrayEntry* entries = PK11_GetDefaultArray(&size);
+        PK11DefaultArrayEntry* friendly_entry = NULL;
+        for (int i = 0; i < size; ++i) {
+          if (entries[i].flag == SECMOD_FRIENDLY_FLAG) {
+            friendly_entry = &entries[i];
+            break;
+          }
+        }
+
         // If this gets set, then we'll use the TPM for certs with
         // private keys, otherwise we'll fall back to the software
         // implementation.
         tpm_slot_ = GetTPMSlot();
+
+        // Force the TPM slot to be "Friendly", since it seems to ignore setting
+        // "PublicCerts" above, and otherwise NSS does some unnecessary locking,
+        // and slows things down.
+        if (tpm_slot_ && friendly_entry)
+          PK11_UpdateSlotAttribute(tpm_slot_, friendly_entry, PR_TRUE);
+
+        if (VLOG_IS_ON(1))
+          LogSlotInfo();
+
         callback.Run(tpm_slot_ != NULL);
         return;
       }
     }
     callback.Run(false);
   }
-#endif
+#endif  // defined(OS_CHROMEOS)
 
 #if defined(USE_NSS)
   // Load nss's built-in root certs.
   SECMODModule* InitDefaultRootCerts() {
     SECMODModule* root = LoadModule("Root Certs", "libnssckbi.so", NULL);
     if (root)
       return root;
 
     // Aw, snap.  Can't find/load root cert shared library.
     // This will make it hard to talk to anybody via https.
@@ skipping 60 matching lines @@
   // is fixed, we will no longer need the lock.
   base::Lock write_lock_;
 #endif  // defined(USE_NSS)
 };
 
 // static
 bool NSSInitSingleton::force_nodb_init_ = false;
 
 base::LazyInstance<NSSInitSingleton>::Leaky
     g_nss_singleton = LAZY_INSTANCE_INITIALIZER;
-
 }  // namespace
 
 #if defined(USE_NSS)
 void EarlySetupForNSSInit() {
   FilePath database_dir = GetInitialConfigDirectory();
   if (!database_dir.empty())
     UseLocalCacheOfNSSDatabaseIfNFS(database_dir);
 }
 #endif
 
@@ skipping 147 matching lines @@
 
 PK11SlotInfo* GetPublicNSSKeySlot() {
   return g_nss_singleton.Get().GetPublicNSSKeySlot();
 }
 
 PK11SlotInfo* GetPrivateNSSKeySlot() {
   return g_nss_singleton.Get().GetPrivateNSSKeySlot();
 }
 
 }  // namespace crypto