[Cryptech Tech] "ksng" branch of Cryptech Alpha firmware now available as a binary package
sra at hactrn.net
Tue Jan 3 21:59:36 UTC 2017
At Tue, 3 Jan 2017 10:09:42 +0100, Yuri Schaeffer wrote:
> Moreover, ideally both daemons, but especially the signer run multiple
> threads. With any thread being able to do HSM operations. What I've
> heard from the Berlin workshop (I wasn't there myself) in order to get
> OpenDNSSEC 1.4 running the Signer could use at most one thread. I
> haven't tried multiple threads for that reason yet. Though it sounds like
> it has the same underlying issue.
We were unable to reproduce this as a threading issue per se during or
after the workshop. My suspicion is that it was an inter-process
locking problem, not an inter-thread locking problem. PKCS #11
doesn't do anything at all about inter-process locking (out of scope),
and, as you say, OpenDNSSEC's various daemons make no attempt to
synchronize with each other, so having multiple daemons trying to talk
to the same UART without a lock was, um, problematic. So we added a
lock, which is what you ran into.
As far as I know, the inter-thread PKCS #11 locking works. At the
moment, running multiple threads won't give you any kind of
performance boost (it'll probably cost performance due to threading
and lock overhead), but it shouldn't cause errors.
But of course this needs to be confirmed by testing.
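
An added illustration of the inter-process locking point above; it is not part of the original message and not Cryptech code. The message does not say how the Cryptech lock is implemented, so the use of flock(2), the lock-file path and all function names here are assumptions. A forked child stands in for a second daemon trying to reach the same device.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Take an exclusive advisory lock before touching the shared device.
 * Returns an fd that holds the lock, or -1 if another process holds it
 * (non-blocking mode) or on error. The lock-file path is hypothetical. */
int hsm_lock_acquire(const char *lock_path, int blocking)
{
    int fd = open(lock_path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | (blocking ? 0 : LOCK_NB)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* close() alone would release the lock here; unlock explicitly for clarity. */
void hsm_lock_release(int fd)
{
    flock(fd, LOCK_UN);
    close(fd);
}

/* Fork a second process (standing in for another daemon) that tries the
 * lock without blocking. Returns 1 if refused, 0 if granted, -1 on failure. */
int second_process_refused(const char *lock_path)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)   /* child opens the file itself, so it really contends */
        _exit(hsm_lock_acquire(lock_path, 0) < 0 ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *path = "/tmp/hsm-uart-demo.lock";   /* constructed path */
    int fd = hsm_lock_acquire(path, 0);
    printf("while held: refused=%d\n", second_process_refused(path));
    hsm_lock_release(fd);
    printf("after release: refused=%d\n", second_process_refused(path));
    return 0;
}
```

The lock is advisory: it only serializes processes that all take it, which is why a client that skips the lock can still collide on the device.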