entd: Cope with timeout during user pin initialization
Turns out that when we fail due to a timeout when initializing the user pin, we end up without some
important files in the TOK_OBJ directory. This patch detects that problem and removes the broken
token. It also makes sure the script emits a log line explaining what it found each time it runs.
BUG=chromium-os:6064
TEST=tested various permutations in chroot.
Change-Id: I60c6131224da24bae71abd4c9287216688f1e5cf
Review URL: http://codereview.chromium.org/3200009
diff --git a/bin/fix_pkcs11_token.sh b/bin/fix_pkcs11_token.sh
index 8957196..5b938ab 100755
--- a/bin/fix_pkcs11_token.sh
+++ b/bin/fix_pkcs11_token.sh
@@ -14,13 +14,28 @@
USER_TOKEN_DIR="/home/$USERNAME/user/.tpm"
-if [ -e "$USER_TOKEN_DIR/PUBLIC_ROOT_KEY.pem" -a \
- ! -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" ]; then
- # A token with a public key but no private key is a sign that
- # initialization timed out. The only way to recover seems to be to wipe
- # out the whole token and try again.
- logger "PKCS#11 token appears to be broken, deleting: $USER_TOKEN_DIR/*"
- rm -rf "$USER_TOKEN_DIR"/*
+log() {
+ if [ -t 1 ]; then
+ echo "$@" 1>&2
+ else
+ logger -t $(basename "$0") "$@"
+ fi
+}
+
+if [ ! -e "$USER_TOKEN_DIR/PUBLIC_ROOT_KEY.pem" ]; then
+ log "No PKCS#11 token found for $USERNAME."
+else
+ if [ -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" -a \
+ -e "$USER_TOKEN_DIR/TOK_OBJ/70000000" ]; then
+ log "PKCS#11 token for $USERNAME looks ok."
+ else
+ # If these files are missing, it's a sign that initialization timed out.
+ # The only way to recover seems to be to wipe out the whole token and try
+ # again.
+ log "PKCS#11 token for $USERNAME appears to be broken, deleting:" \
+ "$USER_TOKEN_DIR/*"
+ rm -rf "$USER_TOKEN_DIR"/*
+ fi
fi
# Ensure the directories exist
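Review bot: The "looks ok" branch at `[ -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" -a -e "$USER_TOKEN_DIR/TOK_OBJ/70000000" ]` only tests that the files exist, so a zero-length PRIVATE_ROOT_KEY.pem or TOK_OBJ/70000000 left by an initialization that died mid-write would presumably be reported as healthy and never repaired; if that failure mode is possible, `-s` (exists and non-empty) is the stricter test, and `[ -s a ] && [ -s b ]` avoids the deprecated `-a` inside `[`. The command substitution in the new log helper should be quoted, `logger -t "$(basename "$0")" "$@"`, so an unexpected value of `$0` cannot split into extra logger arguments. `TOK_OBJ/70000000` is a magic object name; a one-line comment saying which token object it is (e.g. `# TOK_OBJ/70000000 is the first object written by pin initialization; its absence means init did not complete`, adjusted to what the token layout actually guarantees) would help the next person who has to change this check. Note that `rm -rf "$USER_TOKEN_DIR"/*` does not match dot-files, so any hidden files in a broken token directory survive the wipe, as they did before this change.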