author | gspencer@chromium.org <gspencer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-03 21:58:07 +0000 |
---|---|---|
committer | gspencer@chromium.org <gspencer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-03 21:58:07 +0000 |
commit | b2afd2518cbec88a31f484465b363dadc7d2555a (patch) | |
tree | b517e6caf4dae0844d796071e09d3f704b8a75d5 /crypto | |
parent | 8e7c85a49bc4824f8078e980960c98655573a0c1 (diff) | |
Forces TPM slot to be "Friendly", allowing NSS to avoid locking
Also added VLOG(1) logging for PKCS11 slot info.
BUG=chromium:118206
TEST=Ran on device, tried to repro bug, and was unable to. Confirmed that friendly bit was set (based on log output).
Review URL: https://chromiumcodereview.appspot.com/9969019
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@130474 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/nss_util.cc | 51 |
1 files changed, 48 insertions, 3 deletions
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 48f356c..43912c2 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -196,6 +196,32 @@ PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) {
 #endif // defined(USE_NSS)
+#if defined(OS_CHROMEOS)
+void LogSlotInfo() {
+ AutoSECMODListReadLock auto_lock;
+ SECMODModuleList* head = SECMOD_GetDefaultModuleList();
+ VLOG(1) << "Current PK11 Slot Status:";
+ for (SECMODModuleList* item = head; item != NULL; item = item->next) {
+ int slot_count = item->module->loaded ? item->module->slotCount : 0;
+ for (int i = 0; i < slot_count; i++) {
+ PK11SlotInfo* slot = item->module->slots[i];
+ if (slot) {
+ VLOG(1) << " ###############################";
+ VLOG(1) << " Token Name : " << PK11_GetTokenName(slot);
+ VLOG(1) << " Slot Name : " << PK11_GetSlotName(slot);
+ VLOG(1) << " Slot ID : " << PK11_GetSlotID(slot);
+ VLOG(1) << " Is Friendly : "
+ << (PK11_IsFriendly(slot) ? "True" : "False");
+ VLOG(1) << " Default Flags: " << PK11_GetDefaultFlags(slot);
+ VLOG(1) << " Need Login : "
+ << (PK11_NeedLogin(slot) ? "Yes" : "No");
+ VLOG(1) << " Is Hardware :" << (PK11_IsHW(slot) ? "Yes" : "No");
+ }
+ }
+ }
+}
+#endif
+
 // A singleton to initialize/deinitialize NSPR.
 // Separate from the NSS singleton because we initialize NSPR on the UI thread.
 // Now that we're leaking the singleton, we could merge back with the NSS
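Review bot: LogSlotInfo() has no comment saying that it holds the SECMOD module-list read lock (`AutoSECMODListReadLock auto_lock;`) for the whole walk, so a later caller cannot tell that it should not already hold a lock on that list; a comment such as `// Dumps every loaded PKCS#11 slot at VLOG(1). Takes the SECMOD list read lock; do not call with that lock held.` would cover it (the re-entrancy constraint is my reading of how that lock behaves and should be confirmed). The closing `#endif` of this block is bare, while the same commit annotates the later one as `#endif // defined(OS_CHROMEOS)`; use the same form here. The `" Is Hardware :"` label is missing the space after the colon that the other labels carry. Token and slot names go into the log verbatim, which deserves a second look if token labels can contain per-user identifiers.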
@@ -545,18 +571,38 @@ class NSSInitSingleton {
 // time, or after a timeout).
 "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})");
 }
- if (chaps_module_) {
+ if (chaps_module_ && chaps_module_->loaded) {
+ int size = 0;
+ PK11DefaultArrayEntry* entries = PK11_GetDefaultArray(&size);
+ PK11DefaultArrayEntry* friendly_entry = NULL;
+ for (int i = 0; i < size; ++i) {
+ if (entries[i].flag == SECMOD_FRIENDLY_FLAG) {
+ friendly_entry = &entries[i];
+ break;
+ }
+ }
+
 // If this gets set, then we'll use the TPM for certs with
 // private keys, otherwise we'll fall back to the software
 // implementation.
 tpm_slot_ = GetTPMSlot();
+
+ // Force the TPM slot to be "Friendly", since it seems to ignore setting
+ // "PublicCerts" above, and otherwise NSS does some unnecessary locking,
+ // and slows things down.
+ if (tpm_slot_ && friendly_entry)
+ PK11_UpdateSlotAttribute(tpm_slot_, friendly_entry, PR_TRUE);
+
+ if (VLOG_IS_ON(1))
+ LogSlotInfo();
+
 callback.Run(tpm_slot_ != NULL);
 return;
 }
 }
 callback.Run(false);
 }
-#endif
+#endif // defined(OS_CHROMEOS)
 #if defined(USE_NSS)
 // Load nss's built-in root certs.
@@ -637,7 +683,6 @@ bool NSSInitSingleton::force_nodb_init_ = false;
 base::LazyInstance<NSSInitSingleton>::Leaky g_nss_singleton = LAZY_INSTANCE_INITIALIZER;
-
 } // namespace
 #if defined(USE_NSS) |
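Review bot: The status returned by `PK11_UpdateSlotAttribute(tpm_slot_, friendly_entry, PR_TRUE)` in the `chaps_module_` branch is discarded, and the call is skipped silently when no `SECMOD_FRIENDLY_FLAG` entry is found, so a slot that stays non-friendly is visible only to someone running with VLOG(1). Check the result and report it at a level that is on by default, e.g. inside an `if (tpm_slot_)`: `if (!friendly_entry || PK11_UpdateSlotAttribute(tpm_slot_, friendly_entry, PR_TRUE) != SECSuccess) LOG(WARNING) << "Could not mark TPM slot friendly";`. The new comment justifies the flag by performance only; as I understand it, marking a token friendly tells NSS it may read the token's certificates without logging in, so the comment should also record that this is the intended trust assumption for the TPM token and that private-key access is unaffected (confirm against NSS). The enclosing function begins above this hunk.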