-rw-r--r-- | Makefile | 33 |
1 files changed, 23 insertions, 10 deletions
@@ -72,19 +72,32 @@ UNAME := $(shell uname)
 CFLAGS += -g3 -fPIC -Wall -std=c99 -I${LIBHAL_SRC}
 LIBS := ${LIBHAL_BLD}/libhal.a ${LIBTFM_BLD}/libtfm.a
-# At present, the RPC daemon works on Linux but not on OSX, because the current daemon
-# protocol runs over SOCK_SEQPACKET sockets, which Apple doesn't support. In the long run
-# this will be a non-issue, as we expect to reimplement the daemon protocol using a secure
-# channel which will almost certainly run over SOCK_STREAM instead of SOCK_SEQPACKET.
+# libhal supports two different methods of connecting to the HSM:
 #
-# But this is all moot, because the HSM code to support use of multiple FPGA cores in
-# parallel doesn't quite work properly yet, so the daemon doesn't really buy us anything
-# useful, and just adds a bit of extra complexity to setup on Linux.
+# * Directly, via the USB serial port (LIBHAL_TARGET = serial), or
 #
-# So, for the moment, the default LIBHAL_TARGET is "serial" on all platforms. If for some
-# reason you want to try out the daemon on Linux, just change this to "daemon".
+# * Via a multiplexing daemon which listens on a PF_UNIX socket and
+# can interleave connections from multiple clients onto the single
+# USB serial port (LIBHAL_TARGET = daemon).
+#
+# Without the daemon, one can only have one PKCS #11 "application" at
+# a time. This is a problem for packages like OpenDNSSEC, which have
+# multiple programs which want to be able to talk to the HSM at once,
+# so the default is (now) daemon mode.
+#
+# The original RPC daemon was a C program using a protocol based on
+# SOCK_SEQPACKET, which worked on Linux but not on OSX (Apple doesn't
+# support SOCK_SEQPACKET). The current RPC daemon is a Python program
+# using SLIP framing over a SOCK_STREAM connection; since we were
+# already using SLIP framing on the USB serial port, this is easy.
+#
+# Conceptually, the daemon is not really part of the conversation
+# between libhal and the HSM, it's just a multiplexer. In the long
+# run, the traffic between libhal and the HSM will use some kind of
+# secure channel protocol, which we'll probably want to run over a
+# SOCK_STREAM connection in any case.
-LIBHAL_TARGET := serial
+LIBHAL_TARGET := daemon
 ifeq "${UNAME}" "Darwin"
 SONAME := libcryptech-pkcs11.dylib
|
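Review bot: Switching the default to `LIBHAL_TARGET := daemon` routes every PKCS #11 client through a locally reachable PF_UNIX socket, but the new comment says nothing about who may connect to that socket, and its last paragraph calls the daemon "just a multiplexer", which understates its place in the trust boundary until the secure-channel protocol it mentions exists. Nothing in the hunk shows authentication between libhal and the daemon, so presumably any local process permitted to open the socket can drive the HSM; the comment should point readers at where the socket's path and permissions are configured (not visible here). Suggested addition after the last comment paragraph: `# Until that secure channel exists, access control is the daemon socket's file permissions: any local process that can open it can issue HSM requests.` As a point of style, `LIBHAL_TARGET := daemon` cannot be overridden from the environment, only from the command line; `LIBHAL_TARGET ?= daemon` would let packagers select serial mode without editing the file. The `ifeq "${UNAME}" "Darwin"` block at the end of the hunk continues past it.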