TMKMS Input/Output error and Resource busy messages with Yubihsm #682

Closed
social244305-Architect opened this issue Dec 15, 2022 · 4 comments

Comments

@social244305-Architect

I am getting the following errors using TMKMS with a YubiHSM 2. The Input/Output error is more frequent than the Resource busy message. I am not missing blocks when this error is generated, so that's a good thing.

Dec 15 20:00:20 dellxr11 tmkms[249864]: #33[2m2022-12-15T20:00:20.157860Z#033[0m #33[31mERROR#033[0m #33[2mtmkms::client#033[0m#033[2m:#33[0m [stride-1@tcp://xxx.xxx.xxx.xxx:26638] signing operation failed: signature error: protocol error: protocol error: I/O error: Input/Output Error
Dec 15 20:00:21 dellxr11 tmkms[249864]: #33[2m2022-12-15T20:00:21.798046Z#033[0m #33[31mERROR#033[0m #33[2mtmkms::client#033[0m#033[2m:#33[0m [stride-1@tcp://xxx.xxx.xxx.xxx:26638] signing operation failed: signature error: protocol error: protocol error: USB error: Resource busy

The setup includes multiple instances of tmkms running with different config files. I don't see any impact on signing operations at the moment.

@tarcieri
Collaborator

The USB backend is not designed for multiple concurrent processes.

If you want that, you need to use yubihsm-connector to export an HTTP service, and have tmkms connect to that.
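A triage script for log lines like the ones in the report, as an added example that is not part of the original thread or of tmkms: it strips the syslog-escaped colour codes and counts signing failures per error, chain and tmkms PID, so failures coming from several processes on one host stand out. The regexes assume the line layout shown in the issue; the sample lines, PIDs, host, chain names and addresses are constructed.

```python
import re
from collections import Counter

# syslog writes ESC as "#033"; the pasted lines also show "#33". Strip both.
ANSI = re.compile(r"#0?33\[[0-9;]*m")
# Assumed layout (taken from the issue):
#   tmkms[<pid>]: <ts> ERROR tmkms::client: [<chain>@<addr>] signing operation failed: ...: <kind>: <detail>
LINE = re.compile(
    r"tmkms\[(?P<pid>\d+)\]:.*?\[(?P<chain>[^@\]]+)@[^\]]+\] "
    r"signing operation failed: .*(?P<kind>I/O error|USB error): (?P<detail>.+)$"
)

def parse(line):
    """Return (pid, chain, 'kind: detail') for a failed-signing line, else None."""
    m = LINE.search(ANSI.sub("", line).strip())
    if not m:
        return None
    return int(m["pid"]), m["chain"], f'{m["kind"]}: {m["detail"].strip()}'

def summarize(lines):
    """Count failures per error string, per chain and per tmkms PID."""
    errors, chains, pids = Counter(), Counter(), Counter()
    for pid, chain, err in filter(None, map(parse, lines)):
        errors[err] += 1
        chains[chain] += 1
        pids[pid] += 1
    return {"errors": errors, "chains": chains, "pids": pids,
            "distinct_pids": len(pids)}

def _line(pid, chain, tail, level="ERROR"):
    # Builds a constructed sample line in the issue's format.
    return (f"Dec 15 20:00:20 host1 tmkms[{pid}]: #033[2m2022-12-15T20:00:20.157860Z#033[0m "
            f"#33[31m{level}#033[0m #033[2mtmkms::client#033[0m#033[2m:#33[0m "
            f"[{chain}@tcp://192.0.2.10:26638] {tail}")

FAIL = "signing operation failed: signature error: protocol error: protocol error: "
SAMPLE = [  # constructed input, not real logs
    _line(1001, "chain-a", FAIL + "I/O error: Input/Output Error"),
    _line(1002, "chain-b", FAIL + "USB error: Resource busy"),
    _line(1001, "chain-a", FAIL + "I/O error: Input/Output Error"),
    _line(1002, "chain-b", "unrelated message", level="INFO"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A `distinct_pids` value above 1 on a single host matches the setup described in the report: several tmkms processes sharing the USB backend.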

@social244305-Architect
Author

I saw the following in the YubiHSM documentation:

On a single YubiHSM 2 it is possible to establish up to 16 independent and concurrent Sessions. Note that while multiple concurrent Sessions can be active at a given time, the device still serves as a rendezvous point. This means that time-consuming operations, like generating a long RSA key, will block commands in other Sessions. Sessions are addressed with a number in the range [0-15].

Based on this, it looks like the YubiHSM is processing as a single-threaded process. Will a single TMKMS process with multiple chains perform better than multiple TMKMS processes with separate config files?

@tarcieri
Collaborator

The sessions are orthogonal to processes. They represent an authenticated encrypted channel to the YubiHSM.

Please read the documentation for yubihsm-connector. It’s designed exactly for these use cases.

@social244305-Architect
Author

Thanks for your quick replies. I will check the connector documentation.
