Getting started under fedora core 13
Timothe Litt
litt at acm.org
Fri Oct 8 22:13:19 BST 2010
Having received my shiny new entropy key, thought I'd get started.
It was rather an adventure - there were bugs to fix/work-around.
Several still need permanent fixes (code and doc) from the developers.
Here's what I did:
OS: Fedora core 13 (Kernel = 2.6.34.6)
I installed the x86_64 rpms for ekd and egd from the simtec website;
lua stuff from fedora packages (which are newer than those on the website).
Plugging in the entropy key daemon yields:
Oct 8 14:41:41 kernel: usb 3-2: new full speed USB device using uhci_hcd and address 3
Oct 8 14:41:41 kernel: usb 3-2: New USB device found, idVendor=20df, idProduct=0001
Oct 8 14:41:41 kernel: usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Oct 8 14:41:41 kernel: usb 3-2: Product: Entropy Key
Oct 8 14:41:41 kernel: usb 3-2: Manufacturer: Simtec Electronics
Oct 8 14:41:41 kernel: usb 3-2: SerialNumber: M/9mBjBLNzFFRyFD
Oct 8 14:41:41 kernel: cdc_acm 3-2:1.0: This device cannot do calls on its own. It is not a modem.
Oct 8 14:41:41 kernel: cdc_acm 3-2:1.0: ttyACM0: USB ACM device
cat from /dev/ttyACM0 gets an infinite stream of "Unknown Input Character 0x20" and "k>Unable to send entropy. Please re-key session. J6cWOFgM"
So, we know the device is communicating (and not hitting kernel bug 14103 mentioned on the website).
ekeydctl list yields the rather mysterious:
Internal error: /usr/sbin/ekeydctl:101: attempt to call field 'unix' (a nil value)
Not being much of a Lua person, I did find that line 101 of control.lua is:
local sock = type(sockorname) == "string" and controlsockets[sockorname] or sockorname
But starting the daemon elucidates with the rather clearer:
control.lua:755: control.lua:538: UNIX Domain sockets not supported by LuaSocket
*** Problem 1:
Why aren't domain sockets available? Are you patching lua/socket? If so, the patch needs to go upstream so Fedora builds with it. Fedora's version is 2.0.2-4.fc12.
But to get started, comment out the UnixControlSocket directive in ekeyd.conf and provide a TCPControlSocket with a privileged port.
*** Problem 2:
ekeyd starts, but doesn't echo [OK] as it should. Easy fix:
--- /etc/init.d/ekeyd~ 2010-09-06 09:42:58.000000000 -0400
+++ /etc/init.d/ekeyd 2010-10-08 15:31:35.830274733 -0400
@@ -34,12 +34,13 @@
start() {
echo -n $"Starting $prog: "
$exec
retval=$?
+ [ $retval -ne 0 ] && failure
+ [ $retval -eq 0 ] && success && touch $lockfile
echo
- [ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
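Review bot: the two added tests, `+ [ $retval -ne 0 ] && failure` and `+ [ $retval -eq 0 ] && success && touch $lockfile`, are mutually exclusive and read better as a single if/else (which also makes it obvious that exactly one branch touches the lock file); and `success`/`failure` are only defined if the script sources /etc/rc.d/init.d/functions, which this hunk does not show. Note too that `$exec` returning 0 only means the daemon process launched, so [OK] is printed before the control socket is necessarily usable.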
But there's a problem:
*** Problem 3:
ekeydctl list generates a null list.
OK, perhaps udev isn't symlinking the entropy key...
Yes, sure enough, there is no /dev/entropykey
udevd is running - why didn't it see
Well, we can create that by hand.
Now, looking at the udev rules and ekeyd.conf, it looks like
we need a symlink from /dev/entropykey/<serial> to the /dev/ttyACM0
device.
*** Problem 4:
Er, that's going to be a challenge; note that my serial number starts with M/. Well, we can always create an M directory in /dev/entropykey and put the rest of the serial number there.
And now
*** Problem 5:
/etc/init.d/ekeyd start
Starting ekeyd: Input: : Bad file descriptor
OK, that doesn't work, remove the symlink (and the M directory).
What if I directly connect the device?
ekeydctl add /dev/ttyACM0
And, sure enough:
NR,OK,Status,Path,SerialNo
1,NO,Long-Term-Key is bad,/dev/ttyACM0,M/9mBjBLNzFFRyFD
OK, let's re-key:
*** Problem 6:
ekey-rekey M/9mBjBLNzFFRyFD <master key>
Unable to find any device node or socket for M/9mBjBLNzFFRyFD
Looked in: /dev/entropykey/M.9mBjBLNzFFRyFD /dev/entropykey/M_9mBjBLNzFFRyFD /var/run/entropykeys/M.9mBjBLNzFFRyFD /var/run/entropykeys/M_9mBjBLNzFFRyFD
Well, there's a clue. Looks like the '/' wants to be a '.' or a '_' in the symlink.
We can do that:
ekeydctl remove /dev/ttyACM0
ln -s /dev/ttyACM0 /dev/entropykey/M.9mBjBLNzFFRyFD
ls -l /dev/entropykey/M.9mBjBLNzFFRyFD
lrwxrwxrwx. 1 root root 12 Oct 8 16:03 /dev/entropykey/M.9mBjBLNzFFRyFD -> /dev/ttyACM0
ekeydctl add /dev/entropykey/M.9mBjBLNzFFRyFD
And we can re-key! And get stats...
*** Does it matter which character replaces '/'?
But:
*** Problem 7:
/etc/init.d/ekeyd restart
ekeydctl stats M/9mBjBLNzFFRyFD
ERROR control.lua:210: attempt to index field '?' (a nil value)
ekeydctl list
NR,OK,Status,Path,SerialNo
1,YES,Running OK,/dev/entropykey/M.9mBjBLNzFFRyFD,M/9mBjBLNzFFRyFD
The error goes away if one waits a minute or so - but it still shouldn't be happening.
But we're not done:
reboot the system
*** Problem 8:
/dev/entropykey does not exist
This is problem 3 in disguise. So we need a fixup script until autoconfiguration works:
cat /etc/sysconfig/ekeyd_config
#!/bin/bash
# Fixup run from the ekeyd init script: udev is not creating the
# /dev/entropykey/<serial> symlink, so create it and register the device.
mkdir -p /dev/entropykey
cd /dev/entropykey && ln -sf /dev/ttyACM0 M.9mBjBLNzFFRyFD &&
    /usr/sbin/ekeydctl add /dev/entropykey/M.9mBjBLNzFFRyFD
--- /etc/init.d/ekeyd~ 2010-09-06 09:42:58.000000000 -0400
+++ /etc/init.d/ekeyd 2010-10-08 17:07:02.556296537 -0400
@@ -34,12 +34,18 @@
start() {
echo -n $"Starting $prog: "
$exec
retval=$?
+ if [ $retval -eq 0 ]; then
+ [ -f /etc/sysconfig/ekeyd_config ] && /etc/sysconfig/ekeyd_config
+ success
+ touch $lockfile
+ else
+ failure
+ fi
echo
- [ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
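Review bot: `+ [ -f /etc/sysconfig/ekeyd_config ] && /etc/sysconfig/ekeyd_config` runs, as root, whatever regular file sits at that path without checking that it is executable or root-owned (`-x` at minimum, and ideally an ownership/mode check), and /etc/sysconfig is conventionally for variable files that get sourced, not hooks that get executed; a dedicated hook under /etc/ekeyd, or folding the fixup into the udev rule, would be clearer. The hook's exit status is also discarded, so a failed `ekeydctl add` still prints [OK] and touches the lock file; consider `if [ -x /etc/sysconfig/ekeyd_config ] && ! /etc/sysconfig/ekeyd_config; then retval=1; fi` before the success branch. Finally, the hook runs immediately after `$exec`, so it races the daemon opening its control socket, the same kind of start-up timing the post describes under Problem 7.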
---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed.
More information about the EntropyKey-users mailing list
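As an added illustration (not code from the post above or from the ekeyd package), the following POSIX shell helper does what Problems 3, 4, 6 and 8 ended up doing by hand: it derives the /dev/entropykey link name from the raw USB serial, mapping '/' to '.' as the paths probed by ekey-rekey suggest, creates the symlink, and registers it with ekeydctl. Because the serial string is supplied by the USB device itself and ends up as a filename that a root daemon opens, the helper refuses serials containing anything outside a conservative character set rather than trusting them. The udev variable names DEVNAME and ID_SERIAL_SHORT used in the entry point, and the choice of '.' over '_', are assumptions.

```sh
#!/bin/sh
# Added example, not code from the post or from the ekeyd package.
# Builds the /dev/entropykey/<serial> symlink that the udev rule was
# expected to create, in the name form the post found ekey-rekey
# searching for ('/' in the USB serial mapped to '.').  The serial comes
# from the USB device, so it is validated before it becomes a filename
# under /dev that a root process will open.

# Print the link name for a raw serial, or fail if, after '/' has been
# mapped to '.', anything outside A-Za-z0-9 . _ - remains (or the name
# would be empty, '.' or '..').  '.' rather than '_' is an assumption;
# ekey-rekey probes both.
ekey_link_name() {
    name=$(printf '%s' "$1" | tr '/' '.')
    case $name in
        ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Create or refresh <base>/<name> -> <dev> and print the link path.
# Usage: ekey_make_link /dev/entropykey /dev/ttyACM0 'M/9mBjBLNzFFRyFD'
ekey_make_link() {
    base=$1 dev=$2
    name=$(ekey_link_name "$3") || {
        printf 'ekey: refusing unsafe serial %s\n' "$3" >&2
        return 1
    }
    mkdir -p "$base" || return 1
    ln -sf "$dev" "$base/$name" || return 1
    printf '%s\n' "$base/$name"
}

# Register the link with a running ekeyd, if ekeydctl is installed.
ekey_register() {
    command -v ekeydctl >/dev/null 2>&1 || return 0
    ekeydctl add "$1"
}

# Entry point when used as a udev RUN+= hook: udev is assumed to export
# DEVNAME (e.g. /dev/ttyACM0) and ID_SERIAL_SHORT (the raw USB serial).
if [ -n "${DEVNAME:-}" ] && [ -n "${ID_SERIAL_SHORT:-}" ]; then
    link=$(ekey_make_link /dev/entropykey "$DEVNAME" "$ID_SERIAL_SHORT") \
        && ekey_register "$link"
fi
```

The character whitelist is deliberately stricter than "no slash": a hostile device could present a serial containing spaces, quotes or shell metacharacters, and the init-script fixup in the post hands the resulting path straight to ekeydctl, so rejecting anything unexpected is cheaper than reasoning about every consumer of the name.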