iqlusioninc/tmkms

TMKMS Input/Output error and Resource busy messages with Yubihsm

social244305-Architect opened this issue · 4 comments

I am getting the following errors using TMKMS with a YubiHSM 2. The Input/Output error is more frequent than the Resource busy message. I am not missing blocks when this error is generated, so that's a good thing.

Dec 15 20:00:20 dellxr11 tmkms[249864]: 2022-12-15T20:00:20.157860Z ERROR tmkms::client: [stride-1@tcp://xxx.xxx.xxx.xxx:26638] signing operation failed: signature error: protocol error: protocol error: I/O error: Input/Output Error
Dec 15 20:00:21 dellxr11 tmkms[249864]: 2022-12-15T20:00:21.798046Z ERROR tmkms::client: [stride-1@tcp://xxx.xxx.xxx.xxx:26638] signing operation failed: signature error: protocol error: protocol error: USB error: Resource busy

The setup includes multiple instances of tmkms running with different config files. I don't see any impact on the signing operation at the moment.

The USB backend is not designed for multiple concurrent processes.

If you want that, you need to use yubihsm-connector to export an HTTP service, and have tmkms connect to that.
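The two adapter settings side by side, as an added example that is not from the issue thread or the tmkms repository: the first `[[providers.yubihsm]]` block is the shape of the configuration that produces the errors above when more than one tmkms process uses it (each process opens the USB device directly), and the second routes through yubihsm-connector instead. The connector address, the auth key ID, the signing key ID, the password file path and the chain ID `stride-1` (taken from the log lines) are assumed values for illustration, not anything the thread specifies.

```toml
# Example only, not the project's shipped config. Two tmkms.toml fragments for
# the YubiHSM provider; use one or the other, not both.

# (a) Direct USB adapter. Only one process can hold the USB device at a time,
# so a second tmkms instance with this adapter contends for it and sees
# "Resource busy" / "Input/Output Error" on signing.
[[providers.yubihsm]]
adapter = { type = "usb" }
auth = { key = 1, password_file = "/etc/tmkms/yubihsm-password" }   # assumed auth key ID and path
keys = [{ chain_ids = ["stride-1"], key = 1 }]                      # assumed signing key ID

# (b) HTTP adapter via yubihsm-connector. The connector owns the USB device and
# multiplexes requests from any number of tmkms processes, each of which opens
# its own authenticated, encrypted session over this HTTP transport.
[[providers.yubihsm]]
adapter = { type = "http", addr = "http://127.0.0.1:12345" }        # assumed connector listen address
auth = { key = 1, password_file = "/etc/tmkms/yubihsm-password" }
keys = [{ chain_ids = ["stride-1"], key = 1 }]
```

Keep the connector bound to the loopback address (127.0.0.1:12345 is its default listen address): the HTTP transport itself carries no authentication beyond the YubiHSM session protocol, so exposing it on a network interface lets anything that can reach the port attempt sessions against the device.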

I saw the following in the YubiHSM documentation:

On a single YubiHSM 2 it is possible to establish up to 16 independent and concurrent Sessions. Note that while multiple concurrent Sessions can be active at a given time, the device still serves as a rendezvous point. This means that time-consuming operations, like generating a long RSA key, will block commands in other Sessions. Sessions are addressed with a number in the range [0-15].

Based on this, it looks like the YubiHSM is processing as a single-threaded process. Will a single TMKMS process with multiple chains perform better than multiple TMKMS processes with separate config files?

The sessions are orthogonal to processes. They represent an authenticated encrypted channel to the YubiHSM.

Please read the documentation for yubihsm-connector. It’s designed exactly for these use cases.

Thanks for your quick replies. I will check the connector documentation.