Hi,
I am trying pkcs11 via optee on an imx93 board as described in https://www.nxp.com/design/training/unraveling-the-mysteries-of-securing-keys-leveraging-pkcs11-with... . I have just tried a basic token init setup with a label and the set user PIN operation. After a system reboot or power cycle, all the changes disappear.
imx93-fs2-ls:~# pkcs11-tool --list-slots --module /usr/lib/libckteec.so.0
Available slots:
Slot 0 (0x0): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
token state: uninitialized
Slot 1 (0x1): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
token state: uninitialized
Slot 2 (0x2): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
token state: uninitialized
imx93-fs2-ls:~#
imx93-fs2-ls:~# pkcs11-tool --module /usr/lib/libckteec.so.0 --init-token --label TEST --so-pin 1234
Using slot 0 with a present token (0x0)
Token successfully initialized
imx93-fs2-ls:~# pkcs11-tool --module /usr/lib/libckteec.so.0 --label TEST --login --so-pin 1234 --init-pin --pin 5678
Using slot 0 with a present token (0x0)
User PIN successfully initialized
root@schoelly-avnet-imx93-fs2-ls:~#
root@schoelly-avnet-imx93-fs2-ls:~# pkcs11-tool --list-slots --module /usr/lib/libckteec.so.0
Available slots:
Slot 0 (0x0): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
token label : TEST
token manufacturer : Linaro
token model : OP-TEE TA
token flags : login required, rng, token initialized, PIN initialized
hardware version : 0.0
firmware version : 0.1
serial num : 0000000000000000
pin min/max : 4/128
Slot 1 (0x1): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
token state: uninitialized
Slot 2 (0x2): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
token state: uninitialized
imx93-fs2-ls:~#
But after a reboot it changes back to the old state.
imx93-fs2-ls:~# pkcs11-tool --list-slots --module /usr/lib/libckteec.so.0
Available slots:
Slot 0 (0x0): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
token state: uninitialized
Slot 1 (0x1): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
token state: uninitialized
Slot 2 (0x2): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
token state: uninitialized
But very rarely the changes are kept (once the token is available between cycles, it keeps its state).
SW: optee version: 3.19.0 (based on lf-6.1.1_1.0.0)
Hello,
Please accept my apologies for the delayed response. If this is still of interest to you: as far as I understood, tokens are only valid in the session that was initialized, so it is common for the token to disappear once the session is terminated (reboot).
Best regards/Saludos,
Aldo.
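A way to check the behaviour reported in the question, as an added example that is not part of the original thread: it reduces `pkcs11-tool --list-slots` output to one line per slot and compares a summary saved before the reboot with one taken after it. The function names and the sample listings (constructed in the format shown in the question) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect token state lost across a reboot.

# Reduce --list-slots output on stdin to "slot<TAB>state<TAB>label" lines.
slot_summary() {
    awk '
        function emit() { if (slot != "") printf "%s\t%s\t%s\n", slot, state, label }
        /^[ \t]*Slot [0-9]+ /             { emit(); slot = $2; state = "unknown"; label = "-"; next }
        /token state:[ \t]*uninitialized/ { state = "uninitialized"; next }
        /token label[ \t]*:/              { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); label = $0; next }
        /token flags[ \t]*:/              { if ($0 ~ /token initialized/) state = "initialized"
                                            if ($0 ~ /PIN initialized/) state = state "+pin"; next }
        END { emit() }
    '
}

# Print slots whose summary differs between two files; exit status 1 if any do.
state_changed() {    # $1 = summary saved before reboot, $2 = summary after
    awk -F '\t' '
        NR == FNR { before[$1] = $2 " " $3; next }
        ($1 in before) && before[$1] != ($2 " " $3) {
            printf "slot %s: %s -> %s\n", $1, before[$1], $2 " " $3; bad = 1 }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample listings in the format shown in the question.
sample_before() { cat <<'EOF'
Available slots:
Slot 0 (0x0): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
  token label        : TEST
  token flags        : login required, rng, token initialized, PIN initialized
Slot 1 (0x1): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
  token state:   uninitialized
EOF
}
sample_after() { cat <<'EOF'
Available slots:
Slot 0 (0x0): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
  token state:   uninitialized
Slot 1 (0x1): OP-TEE PKCS11 TA - TEE UUID f9ea3659-a6fc-503c-bc69-4e61d1c41902
  token state:   uninitialized
EOF
}
demo() {    # temporary files here; on a board keep the "before" summary on disk
    b=$(mktemp); a=$(mktemp)
    sample_before | slot_summary > "$b"; sample_after | slot_summary > "$a"
    state_changed "$b" "$a" || echo "token state did not survive the reboot"
    rm -f "$b" "$a"
}
demo
```

On the board, pipe `pkcs11-tool --list-slots --module /usr/lib/libckteec.so.0` into `slot_summary` and keep the pre-reboot summary on storage that survives the reboot.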