Librem 5 OpenPGP Card stopped working

I just tried to ssh to our server which accepts keys only from my L5 and was denied. The L5 never asked me for my pin.

I then went to CLI and typed

purism@pureos:~$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

It seems if I restart the pcscd service all is fixed.
Log entries of pcscd before the restart…

root@pureos:/home/purism# journalctl -f -u pcscd
-- Journal begins at Fri 2023-05-26 07:28:06 EDT. --
Jul 16 10:00:07 pureos pcscd[2056]: 00005554 commands.c:246:CmdPowerOn Invalid slot number
Jul 16 10:00:07 pureos pcscd[2056]: 00000070 ifdhandler.c:1251:IFDHPowerICC() PowerUp failed
Jul 16 10:00:07 pureos pcscd[2056]: 00000014 winscard.c:338:SCardConnect() Error powering up card: 2148532246 0x80100016
Jul 16 10:00:07 pureos pcscd[2056]: 00000009 winscard.c:344:SCardConnect() Card Not Powered
Jul 16 10:00:09 pureos pcscd[2056]: 01933500 commands.c:246:CmdPowerOn Invalid slot number
Jul 16 10:00:09 pureos pcscd[2056]: 00005527 commands.c:246:CmdPowerOn Invalid slot number
Jul 16 10:00:09 pureos pcscd[2056]: 00011666 commands.c:246:CmdPowerOn Invalid slot number
Jul 16 10:00:09 pureos pcscd[2056]: 00000061 ifdhandler.c:1251:IFDHPowerICC() PowerUp failed
Jul 16 10:00:09 pureos pcscd[2056]: 00000013 winscard.c:338:SCardConnect() Error powering up card: 2148532246 0x80100016
Jul 16 10:00:09 pureos pcscd[2056]: 00000008 winscard.c:344:SCardConnect() Card Not Powered

Restarting doesn’t look much better but for whatever reason it fixes the problem.
Log entries during / after restarting the pcscd service…

Jul 16 10:01:41 pureos systemd[1]: Stopping PC/SC Smart Card Daemon...
Jul 16 10:01:41 pureos systemd[1]: pcscd.service: Succeeded.
Jul 16 10:01:41 pureos systemd[1]: Stopped PC/SC Smart Card Daemon.
Jul 16 10:01:41 pureos systemd[1]: Starting PC/SC Smart Card Daemon...
Jul 16 10:01:46 pureos systemd[1]: Started PC/SC Smart Card Daemon.
Jul 16 10:01:46 pureos pcscd[2706]: 00000000 commands.c:246:CmdPowerOn Invalid slot number
Jul 16 10:01:46 pureos pcscd[2706]: 00006531 commands.c:246:CmdPowerOn Invalid slot number
Jul 16 10:01:46 pureos pcscd[2706]: 00005928 commands.c:246:CmdPowerOn Invalid slot number
Jul 16 10:01:46 pureos pcscd[2706]: 00000023 ifdhandler.c:1251:IFDHPowerICC() PowerUp failed
Jul 16 10:01:46 pureos pcscd[2706]: 00000017 eventhandler.c:305:EHStatusHandlerThread() Error powering up card: 2148532246 0x80100016

So I can restart pcscd service after every reboot but I would prefer a permanent fix. Any idea how I should proceed fixing / troubleshooting this issue? What further information can I provide to help?

Was this working previously?

This has been working since I installed the OpenPGP card many months ago. Never had to restart pcscd until very recently.

I do not have pcscd running all the time; somehow it gets launched when I use gpg (or pass) to decrypt the secrets, and afterwards it terminates again. Here is my setup from October 2021:


How to setup the OpenPGP card in the Purism L5 phone
              guru@unixarea.de, October 2021


updated March 2022;

https://puri.sm/posts/openpgp-in-your-pocket/
(includes video about inserting the card)

https://source.puri.sm/angus.ainslie/ttxs-firmware/-/blob/purism/PURISM.md
https://source.puri.sm/firmware/ttxs-firmware/-/blob/purism/PURISM.md

install and get the software:

$ cd ~/guru
$ sudo apt install stm32flash git
$ git clone https://source.puri.sm/angus.ainslie/ttxs-firmware

$ cd ttxs-firmware

Upgrade the smart card reader firmware:

$ ./scripts/stm_reflash.sh

...
stm32flash 0.5

http://stm32flash.sourceforge.net/

Using Parser : Raw BINARY
Interface serial_posix: 57600 8E1
Version      : 0x31
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0435 (STM32L43xxx/44xxx)
- RAM        : Up to 48KiB  (12544b reserved by bootloader)
- Flash      : Up to 256KiB (size first sector: 1x2048)

- Option RAM : 16b
- System RAM : 28KiB
Write to memory
Erasing memory
Wrote address 0x08002388 (100.00%) Done.


And set up the smart card:

$ ./scripts/smartcard_setup.sh

There have been issues, see also:

https://forums.puri.sm/t/openpgp-card-waiting-for-the-first-reader/15189
https://source.puri.sm/Librem5/OS-issues/-/issues/119

What helped was:

# stty -F /dev/ttymxc2 raw cstopb -parenb cs8 115200 
# pcscd -f --debug

The startup of pcscd is to be configured here and start is via systemctl:

# vim /lib/systemd/system/pcscd.service
# systemctl status pcscd
# systemctl stop pcscd
# systemctl start pcscd

Setting up the card

$ gpg --card-status
Reader ...........: TTXS serial 00 00
Application ID ...: D27600012401030400050000A6FE0000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: ZeitControl
Serial number ....: 0000A6FE
Name of cardholder: [not set]
Language prefs ...: de
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]


$ gpg --change-pin  # changed the PIN and Admin PIN

$ gpg --card-edit   # generated the keys

$ export GNUPGHOME=/home/guru/.gnupg

$ pass init 'CCID L5'
Password store initialized for guru@unixarea.de
$ pass insert -m test
...


$ gpg --with-keygrip -K
/home/purism/.gnupg/pubring.kbx
-------------------------------
sec>  rsa2048 2021-10-30 [SC]
      336EB96892FE9FE7F6AD01D6529B7423F3608141
      Keygrip = FCBA9E53DF1AF8D6E8D82B0418A01FA33264F704
      Card serial no. = 0005 0000A6FE
uid           [ultimate] Matthias Apitz (GnuPG CCID L5) <guru@unixarea.de>
ssb>  rsa2048 2021-10-30 [A]
      Keygrip = EE34E2B1F932D1567A6E21023F4D65B71CF953FF
ssb>  rsa2048 2021-10-30 [E]
      Keygrip = C544F16750F7F55DCEF781CF57C232015DDF1F90

the '>' means that these keys are on the card;

export the pub key with:

$ gpg --export --armor > ccid-L5-export-key-guru.pub


lock the card again:

$ gpgconf --reload scdaemon

I added this to the pass cmd:

$ tail -8 /usr/bin/pass

# power down the OpenPGP card
# guru@unixarea.de
#
gpgconf --reload scdaemon
sleep 2

exit 0

so the card gets locked again after each operation with the pass cmd.

There are a lot of steps here including flashing the firmware, setting up the card, etc. I’m not going to try starting from scratch yet but will keep it in mind. It’s not too painful to just restart the service and I could even create a script to do this automatically after startup to see what effect it would have. I’ll look more into this later but more tips are welcome.

Then I guess one step towards troubleshooting would be to work out whether there has been a regression, i.e. what (relevant) packages have changed? Can they be reverted?

Alternatively, have any settings changed?

1 Like

For the record, smartcard reader is configured out-of-box these days and setting it up manually again can conflict with existing configuration.

1 Like

@dos, what do you mean exactly by this? The config of the service still has the date from when I configured this, for example:

purism@pureos:~$ ls -l /lib/systemd/system/pcscd.service
-rw-r--r-- 1 root root 302 Mar 28  2022 /lib/systemd/system/pcscd.service
purism@pureos:~$ cat /lib/systemd/system/pcscd.service
[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
Documentation=man:pcscd(8)

[Service]
ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 2"
ExecStart=/usr/sbin/pcscd --foreground --auto-exit
ExecReload=/usr/sbin/pcscd --hotplug

[Install]
Also=pcscd.socket

I meant what I said - this is configured by default these days in librem5-base-defaults and your changes can be removed.

I investigated a bit how (nowadays) the pieces fit together:

  1. There is no pcscd daemon running all the time; this can be checked with ps ax | grep pcsc

  2. systemd has a LISTEN on a socket, created by a service pcscd.socket:

purism@pureos:~$ systemctl status pcscd.socket
● pcscd.socket - PC/SC Smart Card Daemon Activation Socket
     Loaded: loaded (/lib/systemd/system/pcscd.socket; enabled; vendor preset: >
     Active: active (listening) since Wed 2023-07-19 08:24:36 CEST; 6h ago
   Triggers: ● pcscd.service
     Listen: /run/pcscd/pcscd.comm (Stream)
     CGroup: /system.slice/pcscd.socket

Jul 19 08:24:36 pureos systemd[1]: Listening on PC/SC Smart Card Daemon Activat>

  3. When the card is requested from gnupg, this is done via the above socket and systemd starts pcscd:

purism@pureos:~$ systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/lib/systemd/system/pcscd.service; indirect; vendor preset>
    Drop-In: /usr/lib/systemd/system/pcscd.service.d
             └─librem5.conf
     Active: active (running) since Wed 2023-07-19 14:54:49 CEST; 6s ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
    Process: 5288 ExecStartPre=/bin/bash -c echo 1 > /sys/class/leds/smc_en/bri>
    Process: 5289 ExecStartPre=/bin/bash -c echo 1 > /sys/class/leds/smc_en/bri>
   Main PID: 5290 (pcscd)
      Tasks: 6 (limit: 3059)
     Memory: 812.0K
        CPU: 66ms
     CGroup: /system.slice/pcscd.service
             └─5290 /usr/sbin/pcscd --foreground --auto-exit

Jul 19 14:54:42 pureos systemd[1]: Starting PC/SC Smart Card Daemon...
Jul 19 14:54:49 pureos systemd[1]: Started PC/SC Smart Card Daemon.

I will get my other L5 back in a few days, after some hardware change and flashing, and will check which files from my older configuration from October 2021 should now be deleted.

2 Likes
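
The status output above lists two ExecStartPre processes (5288 and 5289) that start with the same command, alongside a librem5.conf drop-in, which is consistent with the hand-edited unit and the shipped drop-in each contributing an entry. The following is an added example, not code from the thread or from Purism: it computes the effective list for a directive across a unit file and its drop-ins and reports entries that would run twice. The contents of librem5.conf and the function names are assumptions, and only one drop-in directory is read.

```shell
#!/bin/sh
# Added example; helper names are hypothetical.
# effective_list UNIT DROPIN_DIR KEY: print the effective values of a
# list-type directive (e.g. ExecStartPre), reading UNIT, then DROPIN_DIR/*.conf
# in lexical order. An empty "KEY=" resets the list, as systemd does.
effective_list() {
    unit=$1; dir=$2; key=$3
    set -- "$unit"
    for f in "$dir"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    awk -v key="$key" '
        BEGIN { n = 0 }
        /^[[:space:]]*[#;]/ { next }             # skip comment lines
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            if (index(line, key "=") != 1) next  # ExecStart= never matches ExecStartPre=
            val = substr(line, length(key) + 2)
            if (val == "") { n = 0; next }       # "KEY=" clears earlier entries
            vals[++n] = val
        }
        END { for (i = 1; i <= n; i++) print vals[i] }
    ' "$@"
}

# duplicate_entries UNIT DROPIN_DIR KEY: print values that would run more than once.
duplicate_entries() {
    effective_list "$1" "$2" "$3" | sort | uniq -d
}

# Constructed sample: the hand-edited unit shown in the thread plus a drop-in
# whose content is an assumption (the thread never shows librem5.conf).
make_sample() {
    mkdir -p "$1/pcscd.service.d"
    cat > "$1/pcscd.service" <<'EOF'
[Service]
ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 2"
ExecStart=/usr/sbin/pcscd --foreground --auto-exit
EOF
    cat > "$1/pcscd.service.d/librem5.conf" <<'EOF'
[Service]
ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 2"
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
duplicate_entries "$tmp/pcscd.service" "$tmp/pcscd.service.d" ExecStartPre
rm -rf "$tmp"
```

On the phone itself, systemctl cat pcscd.service prints the unit file followed by every drop-in that applies, which is the real input to compare against.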

I think the answer may be here:


I’ll do some testing soon and report back.

I have had this in my config for ages:

purism@pureos:~$ cat .gnupg/scdaemon.conf
disable-ccid
card-timeout 3

I have this on my L5:

purism@pureos:~$ ls -l /usr/lib/aarch64-linux-gnu/libpcsclite.*
lrwxrwxrwx 1 root root    20 Feb 16  2021 /usr/lib/aarch64-linux-gnu/libpcsclite.so.1 -> libpcsclite.so.1.0.0
-rw-r--r-- 1 root root 47000 Feb 16  2021 /usr/lib/aarch64-linux-gnu/libpcsclite.so.1.0.0

and I do use pass as my only password manager for many years on all my UNIXes (SuSE Linux, L5, FreeBSD, MacOS)

:thinking:
Some day I too will be a Guru.

I started with UNIX ~1985 with porting a BSD UNIX to an IBM mainframe /370 (a computer the size of a classroom). Later in the 90s, I read in a book the following phrase (it’s a pity that I can’t find the exact place and words on the Internet anymore; I don’t even know if it was in German or English). Here it is, loosely as I remember it:
Sometimes you will find a UNIX Guru. Please be nice to him, pay his drink, but do not ask him any stuff, because his language is not yours anymore.
:slight_smile:

PS: I wrote this also with the intention that someone else knows the place of an exact citation of the phrase. Thanks in advance.

2 Likes