tendermint / tmkms

Key Management service for Tendermint Validator nodes


can tmkms and yubihsm-connector coexist?

pbostrom opened this issue · comments

I have another non-Cosmos node that requires yubihsm-connector. If I start tmkms while yubihsm-connector is running, yubihsm-connector errors:

err="libusb: i/o error [code -1]" len=28 n=0
failed usb proxy                              X-Request-ID=ce8c0321-0d81-6c11-8055-13d6f83c2206 error="libusb: i/o error [code -1]"

If I try to start yubihsm-connector while tmkms is running, I get

ERRO[0004] failed usb proxy                              X-Request-ID=a0cece36-14a6-619e-057a-c01d581438c7 error="usb: claim: libusb: device or resource busy [code -6]"

I saw in #37 that tmkms initially talked to yubihsm-connector. Would it be possible to revert this functionality as an option, so that I could specify a running yubihsm-connector instead of using libusb?

That’s an option. Another I’d like to explore is embedding a small (localhost-only) web server which provides the same API.

I assume your goal is to use yubihsm-shell?

I'm running a Loom validator which uses the connector API.

I tried to set:

[[providers.yubihsm]]
adapter = { type = "http", connector = { addr = "localhost", port = 12345, timeout_ms = 1000 } }

but I get

$ tmkms start
17:53:42 [INFO] tmkms 0.4.0-beta1 starting up...
error: YubiHSM2 USB adapter support required, sorry

I'd like to create a PR that chooses the http or usb adapter depending on the adapter type in [[providers.yubihsm]]

In the meantime, if anyone else is interested, I just patched my KMS to force the HTTP connector:

diff --git a/src/config/provider/yubihsm.rs b/src/config/provider/yubihsm.rs
index 88c0fce..756ab12 100644
--- a/src/config/provider/yubihsm.rs
+++ b/src/config/provider/yubihsm.rs
@@ -4,8 +4,8 @@ use abscissa::{
     secrets::{BorrowSecret, DebugSecret, Secret},
     util::Zeroize,
 };
-use std::{process, str::FromStr};
-use yubihsm::{device::SerialNumber, Credentials, HttpConfig, UsbConfig};
+use std::process;
+use yubihsm::{Credentials, HttpConfig};

 /// The (optional) `[providers.yubihsm]` config section
 #[derive(Clone, Deserialize, Debug)]
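Review bot: dropping `UsbConfig`, `SerialNumber` and `FromStr` from the imports commits this build to the HTTP path only, so the patch cannot grow into the adapter-type-selecting PR proposed above without restoring them; if that PR is the goal, keep both `HttpConfig` and `UsbConfig` here and move the choice into the caller rather than into the import list.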
@@ -26,7 +26,6 @@ pub struct YubihsmConfig {

 impl YubihsmConfig {
     /// Get the `yubihsm::HttpConfig` or exit if unconfigured
-    #[allow(dead_code)]
     pub fn http_config(&self) -> HttpConfig {
         match self.adapter {
             AdapterConfig::Http { ref connector } => connector.clone(),
@@ -36,23 +35,6 @@ impl YubihsmConfig {
             }
         }
     }
-
-    /// Get the `yubihsm::UsbConfig` or exit if unconfigured
-    pub fn usb_config(&self) -> UsbConfig {
-        match self.adapter {
-            AdapterConfig::Http { .. } => {
-                status_err!("YubiHSM2 USB adapter support required, sorry");
-                process::exit(1);
-            }
-            AdapterConfig::Usb { timeout_ms } => UsbConfig {
-                serial: self
-                    .serial_number
-                    .as_ref()
-                    .map(|serial| SerialNumber::from_str(serial).unwrap()),
-                timeout_ms,
-            },
-        }
-    }
 }

 /// Configuration for an individual YubiHSM
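Review bot: removing `usb_config` also removes the only consumer of `serial_number` (the `.map(|serial| SerialNumber::from_str(serial).unwrap())` line), so a `serial_number` entry in `[[providers.yubihsm]]` is now parsed and silently ignored, and an operator relying on it to pin the KMS to one specific HSM gets no warning. Suggest keeping the function and dispatching on `self.adapter` in the caller, or at least emitting a `status_err!` when `serial_number` is set together with the HTTP adapter. While here, the `.unwrap()` turns a mistyped serial into a panic; reporting the bad value and exiting, as the `AdapterConfig::Http` arm does, would be more consistent.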
diff --git a/src/yubihsm.rs b/src/yubihsm.rs
index 75be095..a38154a 100644
--- a/src/yubihsm.rs
+++ b/src/yubihsm.rs
@@ -28,7 +28,7 @@ pub fn client() -> MutexGuard<'static, Client> {
 #[cfg(not(feature = "yubihsm-mock"))]
 fn init_connector() -> Connector {
     // TODO: `HttpConnector` support
-    Connector::usb(&config().usb_config())
+    Connector::http(&config().http_config())
 }
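Review bot: the `// TODO: \`HttpConnector\` support` comment now describes exactly what the changed line does and should be removed or rewritten. Because the call is unconditional, a config with `type = "usb"` will now fail inside `http_config` with the mirror image of the error quoted above; matching on `config().adapter` here and calling `Connector::usb` or `Connector::http` accordingly would let both adapter types work.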
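The adapter-type dispatch that the proposed PR describes, as an added example that is neither tmkms code nor the patch above; `HttpConfig`, `UsbConfig` and `SerialNumber` are simplified stand-ins for the yubihsm crate types, and `ConnectorConfig` and `connector_config` are hypothetical names:

```rust
// Added example, not tmkms code: choose the YubiHSM connector from the
// `[[providers.yubihsm]]` adapter type instead of hard-coding one path.
// HttpConfig, UsbConfig and SerialNumber are simplified stand-ins for the
// yubihsm crate types; ConnectorConfig and connector_config are hypothetical.
use std::str::FromStr;
#[derive(Clone, Debug, PartialEq)]
pub struct HttpConfig { pub addr: String, pub port: u16, pub timeout_ms: u64 }
#[derive(Clone, Debug, PartialEq)]
pub struct UsbConfig { pub serial: Option<SerialNumber>, pub timeout_ms: u64 }

/// Stand-in for `yubihsm::device::SerialNumber`: a 10-digit decimal string.
#[derive(Clone, Debug, PartialEq)]
pub struct SerialNumber(u64);

impl FromStr for SerialNumber {
    type Err = String;
    fn from_str(s: &str) -> Result<Self, String> {
        // Error out on a malformed value instead of the `.unwrap()` panic in the patch.
        if s.len() != 10 || !s.bytes().all(|b| b.is_ascii_digit()) {
            return Err(format!("invalid YubiHSM serial number {:?}", s));
        }
        Ok(SerialNumber(s.parse().map_err(|e| format!("{}", e))?))
    }
}

/// Mirrors `adapter = { type = "http", connector = {..} }` and `{ type = "usb", timeout_ms = .. }`.
#[derive(Clone, Debug)]
pub enum AdapterConfig { Http { connector: HttpConfig }, Usb { timeout_ms: u64 } }
pub struct YubihsmConfig { pub adapter: AdapterConfig, pub serial_number: Option<String> }

/// What `init_connector` would pass to `Connector::http` or `Connector::usb`.
#[derive(Debug, PartialEq)]
pub enum ConnectorConfig {
    Http { config: HttpConfig, expected_serial: Option<SerialNumber> },
    Usb(UsbConfig),
}

impl YubihsmConfig {
    /// Dispatch on the adapter type; errors go back to the caller instead of `process::exit`.
    pub fn connector_config(&self) -> Result<ConnectorConfig, String> {
        let serial = self.serial_number.as_deref().map(SerialNumber::from_str).transpose()?;
        Ok(match &self.adapter {
            // Over HTTP yubihsm-connector picks the device, so the serial cannot be pinned up front;
            // hand it back for the caller to check against the serial the device reports once connected.
            AdapterConfig::Http { connector } => ConnectorConfig::Http { config: connector.clone(), expected_serial: serial },
            AdapterConfig::Usb { timeout_ms } => ConnectorConfig::Usb(UsbConfig { serial, timeout_ms: *timeout_ms }),
        })
    }
}
```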