[Cryptech-Commits] [sw/pkcs11] branch ksng updated: Flip default connection method from "serial" to "daemon".

git at cryptech.is git at cryptech.is
Thu Mar 2 00:52:30 UTC 2017


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch ksng
in repository sw/pkcs11.

The following commit(s) were added to refs/heads/ksng by this push:
     new 2f2fe87  Flip default connection method from "serial" to "daemon".
2f2fe87 is described below

commit 2f2fe87b3b95e278c389c0dedba45df93ae76340
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Wed Mar 1 19:52:06 2017 -0500

    Flip default connection method from "serial" to "daemon".
---
 Makefile | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/Makefile b/Makefile
index 86a8c57..9322855 100644
--- a/Makefile
+++ b/Makefile
@@ -72,19 +72,32 @@ UNAME := $(shell uname)
 CFLAGS	+= -g3 -fPIC -Wall -std=c99 -I${LIBHAL_SRC}
 LIBS	:= ${LIBHAL_BLD}/libhal.a ${LIBTFM_BLD}/libtfm.a
 
-# At present, the RPC daemon works on Linux but not on OSX, because the current daemon
-# protocol runs over SOCK_SEQPACKET sockets, which Apple doesn't support.  In the long run
-# this will be a non-issue, as we expect to reimplement the daemon protocol using a secure
-# channel which will almost certainly run over SOCK_STREAM instead of SOCK_SEQPACKET.
+# libhal supports two different methods of connecting to the HSM:
 #
-# But this is all moot, because the HSM code to support use of multiple FPGA cores in
-# parallel doesn't quite work properly yet, so the daemon doesn't really buy us anything
-# useful, and just adds a bit of extra complexity to setup on Linux.
+# * Directly, via the USB serial port (LIBHAL_TARGET = serial), or
 #
-# So, for the moment, the default LIBHAL_TARGET is "serial" on all platforms.  If for some
-# reason you want to try out the daemon on Linux, just change this to "daemon".
+# * Via a multiplexing daemon which listens on a PF_UNIX socket and
+#   can interleave connections from multiple clients onto the single
+#   USB serial port (LIBHAL_TARGET = daemon).
+#
+# Without the daemon, one can only have one PKCS #11 "application" at
+# a time.  This is a problem for packages like OpenDNSSEC, which have
+# multiple programs which want to be able to talk to the HSM at once,
+# so the default is (now) daemon mode.
+#
+# The original RPC daemon was a C program using a protocol based on
+# SOCK_SEQPACKET, which worked on Linux but not on OSX (Apple doesn't
+# support SOCK_SEQPACKET).  The current RPC daemon is a Python program
+# using SLIP framing over a SOCK_STREAM connection; since we were
+# already using SLIP framing on the USB serial port, this is easy.
+#
+# Conceptually, the daemon is not really part of the conversation
+# between libhal and the HSM, it's just a multiplexer.  In the long
+# run, the traffic between libhal and the HSM will use some kind of
+# secure channel protocol, which we'll probably want to run over a
+# SOCK_STREAM connection in any case.
 
-LIBHAL_TARGET := serial
+LIBHAL_TARGET := daemon
 
 ifeq "${UNAME}" "Darwin"
   SONAME  := libcryptech-pkcs11.dylib

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.


More information about the Commits mailing list