Puppet Class: tpm::pkcs11

Defined in:
manifests/pkcs11.pp

Overview

Manage the TPM-enabled PKCS #11 interface: the opencryptoki TPM token, its packages, and the pkcsslotd slot daemon.

If the token's SO_PIN_LOCKED flag is set (PKCS #11 raises it after too many consecutive wrong Security Officer PIN attempts), the interface has to be reset by deleting the /var/lib/opencryptoki/tpm/root/NVTOK.DAT file (the path shown is the root user's token store). Deleting that file reinitialises the token, so treat it as a last resort: any keys or objects stored in the token must be backed up or regenerated, and the token has to be initialised again with the SO and user PINs afterwards.
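The check and the reset the note above describes, as an added shell example that is not part of the tpm module. It parses the Flags line of `pkcsconf -t` output for SO_PIN_LOCKED and, only when asked to, performs the NVTOK.DAT reset. The sample token output embedded below is constructed, the exact Flags line layout and the `pkcsslotd` unit name are assumptions to verify on your own system, and the backup step before deletion is this example's own caution, not something the page requires.

```bash
#!/bin/sh
# Added example (not the tpm module's code). Detects a locked Security
# Officer PIN in `pkcsconf -t` output and performs the NVTOK.DAT reset
# described above. Assumed: the Flags line format and the unit name
# "pkcsslotd"; confirm both on the target host before relying on this.

NVTOK_PATH="/var/lib/opencryptoki/tpm/root/NVTOK.DAT"

# Constructed sample of `pkcsconf -t` output for a token whose SO PIN has
# been locked (CKF_SO_PIN_LOCKED = 0x400000 OR'ed into the usual flags).
SAMPLE_LOCKED='Token #0 Info:
    Label: TPM PKCS#11 Token
    Manufacturer: IBM Corp.
    Model: TPM v1.2
    Flags: 0x40044D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|TOKEN_INITIALIZED|SO_PIN_LOCKED)
    PIN Length: 4-8'

# Constructed sample for a healthy token.
SAMPLE_OK='Token #0 Info:
    Label: TPM PKCS#11 Token
    Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|TOKEN_INITIALIZED)
    PIN Length: 4-8'

# so_pin_locked TOKEN_INFO_TEXT
# Returns 0 when the Flags line of the given token info carries SO_PIN_LOCKED,
# 1 otherwise. Only the Flags line is consulted so a label containing the
# string cannot produce a false positive.
so_pin_locked() {
    printf '%s\n' "$1" | grep '^[[:space:]]*Flags:' | grep -q 'SO_PIN_LOCKED'
}

# reset_tpm_token
# Deletes NVTOK.DAT so the token returns to the uninitialised state. The
# daemon is stopped around the deletion so it does not keep serving the old
# token state. Destructive: objects stored in the token are lost, so a
# timestamped copy of the file is kept for later analysis.
reset_tpm_token() {
    [ -f "$NVTOK_PATH" ] || { echo "no $NVTOK_PATH to reset" >&2; return 1; }
    systemctl stop pkcsslotd
    cp -p "$NVTOK_PATH" "$NVTOK_PATH.$(date +%s).bak"
    rm -f "$NVTOK_PATH"
    systemctl start pkcsslotd
}

# check_and_reset [--reset]
# Reports the live token state; resets only when explicitly asked, so a
# plain status check never destroys anything. Exit codes: 0 not locked,
# 2 pkcsconf unavailable, 3 locked.
check_and_reset() {
    info=$(pkcsconf -t 2>/dev/null) || {
        echo "pkcsconf failed: is pkcsslotd running and is this user in the pkcs11 group?" >&2
        return 2
    }
    if so_pin_locked "$info"; then
        echo "SO PIN is locked"
        [ "$1" = "--reset" ] && reset_tpm_token
        return 3
    fi
    echo "SO PIN not locked"
}

case "${1:-}" in
    --check|--reset) check_and_reset "$1" ;;
esac
```

Run it as `sh reset_check.sh --check` to read the state, and `--reset` (as root) only once keys in the token have been accounted for; after the reset the token must be initialised again, which the Puppet class does on its next run through the `tpmtoken` resource.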

Parameters:

  • so_pin (String[4,8]) (defaults to: passgen( "${facts['fqdn']}_pkcs_so_pin", { 'length' => 8 } ))

    4-8 character password used for the Security Officer (SO) PIN. The default is an 8-character value generated by passgen and keyed on the node's fqdn, so it stays the same across Puppet runs for a given host.

  • user_pin (String[4,8]) (defaults to: passgen( "${facts['fqdn']}_pkcs_user_pin", { 'length' => 8 } ))

    4-8 character password used for the user PIN, generated the same way by default.

# File 'manifests/pkcs11.pp', line 10

class tpm::pkcs11 (
  # The token accepts PINs of 4 to 8 characters; enforce that in the type
  # instead of documenting it only.
  String[4,8] $so_pin   = passgen( "${facts['fqdn']}_pkcs_so_pin", { 'length' => 8 } ),
  String[4,8] $user_pin = passgen( "${facts['fqdn']}_pkcs_user_pin", { 'length' => 8 } ),
){
  ##################################################################################################################
  # Here's a nice doc on how to set up the PKCS #11 interface
  # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html
  # http://trousers.sourceforge.net/pkcs11.html
  ##################################################################################################################

  # opencryptoki supplies the PKCS #11 library and pkcsslotd; the TPM token
  # plugin and the tpm-tools PKCS #11 utilities provide the TPM-backed token.
  package { ['opencryptoki', 'opencryptoki-tpmtok', 'tpm-tools-pkcs11']:
    ensure => latest,
  }

  # The slot daemon must be up before any token operation can succeed.
  service { 'pkcsslotd':
    ensure  => running,
    enable  => true,
    require => Package['opencryptoki', 'opencryptoki-tpmtok', 'tpm-tools-pkcs11'],
  }

  # Initialise the token with the class parameters. The original hard-coded
  # '87654321' for both PINs left the parameters unused and put the same
  # well-known PIN on every host.
  tpmtoken { 'TPM PKCS#11 Token':
    ensure   => present,
    so_pin   => $so_pin,
    user_pin => $user_pin,
    require  => Service['pkcsslotd'],
  }

}