Forces TPM slot to be "Friendly", allowing NSS to avoid locking

crypto/nss_util.cc

Index: crypto/nss_util.cc
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 48f356c5c584f2b6399c9910a2305c1c37df14ae..9cdab159a8f1dbca0fbc75069f73dd40f35336d8 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -196,6 +196,30 @@ PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) {
 
 #endif  // defined(USE_NSS)
 
+#if defined(OS_CHROMEOS)
+void LogSlotInfo() {
+  AutoSECMODListReadLock auto_lock;
+  SECMODModuleList* head = SECMOD_GetDefaultModuleList();
+  VLOG(1) << "Current PK11 Slot Status:";
+  for (SECMODModuleList* item = head; item != NULL; item = item->next) {
+    int slot_count = item->module->loaded ? item->module->slotCount : 0;
+    for (int i = 0; i < slot_count; i++) {
+      PK11SlotInfo* slot = item->module->slots[i];
+      if (slot) {
+        VLOG(1) << "  ###############################";
+        VLOG(1) << "  Token Name   : " << PK11_GetTokenName(slot);
+        VLOG(1) << "  Slot Name    : " << PK11_GetSlotName(slot);
+        VLOG(1) << "  Slot ID      : " << PK11_GetSlotID(slot);
+        VLOG(1) << "  Is Friendly  : "
+            << (PK11_IsFriendly(slot) ? "True" : "False");
+        VLOG(1) << "  Default Flags: " << PK11_GetDefaultFlags(slot);
+        VLOG(1) << "  Need Login   : " << (PK11_NeedLogin(slot) ? "Yes" : "No");
+      }
+    }
+  }
+}
+#endif
+
 // A singleton to initialize/deinitialize NSPR.
 // Separate from the NSS singleton because we initialize NSPR on the UI thread.
 // Now that we're leaking the singleton, we could merge back with the NSS
@@ -543,13 +567,18 @@ class NSSInitSingleton {
             // slotParams=... -- selects RSA as the only mechanism, and only
             //   asks for the password when necessary (instead of every
             //   time, or after a timeout).
-            "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})");
+            "trustOrder=100 slotParams=(1={slotFlags=[RSA,PublicCerts] "

[Ryan Sleevi, 2012/03/30 18:29:26]

I believe you should update the 1= to 0=, based on your PK11_GetSlotID results

+            "askpw=only})");

[Ryan Sleevi, 2012/03/30 21:05:48]

One more thing to try here:

This will help determine how/why these flags may not be getting passed. This is
a short-term diagnostic step but should make it easier to debug.

if (chaps_module_ && chaps_module_->loaded) {
  int size = 0;
  PK11DefaultArrayEntry* entries = PK11_GetDefaultArrayEntry(&size);
  PK11DefaultArrayEntry* friendly_entry = NULL;
  for (int i = 0; i < size; ++i) {
    if (entries[i]->flag == SECMOD_FRIENDLY_FLAG) {
      friendly_entry = entries[i];
      break;
    }
  }
  for (int i = 0; i < chaps_module_->slotCount; ++i) {
    PK11SlotInfo* slot = chaps_module_->slots[i];
    // Force all slots in the TPM module to be friendly
    if (slot)
      PK11_UpdateSlotAttribute(slot, friendly_entry, PR_TRUE);
  }
}
LogSlotInfo();

[Ryan Sleevi, 2012/03/30 21:07:14]

Sorry, that should be:
for (int i = 0; friendly_entry && i < chaps_module_->slotCount; ++i) {

Although even a crash would be nice here :)

       }
       if (chaps_module_) {
         // If this gets set, then we'll use the TPM for certs with
         // private keys, otherwise we'll fall back to the software
         // implementation.
         tpm_slot_ = GetTPMSlot();
+
+        if (VLOG_IS_ON(1))
+          LogSlotInfo();
+
         callback.Run(tpm_slot_ != NULL);
         return;
       }
@@ -637,7 +666,6 @@ bool NSSInitSingleton::force_nodb_init_ = false;
 
 base::LazyInstance<NSSInitSingleton>::Leaky
     g_nss_singleton = LAZY_INSTANCE_INITIALIZER;
-
 }  // namespace
 
 #if defined(USE_NSS)