From 2f2fe87b3b95e278c389c0dedba45df93ae76340 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Wed, 1 Mar 2017 19:52:06 -0500 Subject: Flip default connection method from "serial" to "daemon". --- Makefile | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/Makefile b/Makefile index 86a8c57..9322855 100644 --- a/Makefile +++ b/Makefile 
@@ -72,19 +72,32 @@ UNAME := $(shell uname) CFLAGS += -g3 -fPIC -Wall -std=c99 -I${LIBHAL_SRC} LIBS := ${LIBHAL_BLD}/libhal.a ${LIBTFM_BLD}/libtfm.a -# At present, the RPC daemon works on Linux but not on OSX, because the current daemon -# protocol runs over SOCK_SEQPACKET sockets, which Apple doesn't support. In the long run -# this will be a non-issue, as we expect to reimplement the daemon protocol using a secure -# channel which will almost certainly run over SOCK_STREAM instead of SOCK_SEQPACKET. +# libhal supports two different methods of connecting to the HSM: # -# But this is all moot, because the HSM code to support use of multiple FPGA cores in -# parallel doesn't quite work properly yet, so the daemon doesn't really buy us anything -# useful, and just adds a bit of extra complexity to setup on Linux. +# * Directly, via the USB serial port (LIBHAL_TARGET = serial), or # -# So, for the moment, the default LIBHAL_TARGET is "serial" on all platforms. If for some -# reason you want to try out the daemon on Linux, just change this to "daemon". +# * Via a multiplexing daemon which listens on a PF_UNIX socket and +# can interleave connections from multiple clients onto the single +# USB serial port (LIBHAL_TARGET = daemon). +# +# Without the daemon, one can only have one PKCS #11 "application" at +# a time. This is a problem for packages like OpenDNSSEC, which have +# multiple programs which want to be able to talk to the HSM at once, +# so the default is (now) daemon mode. +# +# The original RPC daemon was a C program using a protocol based on +# SOCK_SEQPACKET, which worked on Linux but not on OSX (Apple doesn't +# support SOCK_SEQPACKET). The current RPC daemon is a Python program +# using SLIP framing over a SOCK_STREAM connection; since we were +# already using SLIP framing on the USB serial port, this is easy. +# +# Conceptually, the daemon is not really part of the conversation +# between libhal and the HSM, it's just a multiplexer. 
In the long +# run, the traffic between libhal and the HSM will use some kind of +# secure channel protocol, which we'll probably want to run over a +# SOCK_STREAM connection in any case. -LIBHAL_TARGET := serial +LIBHAL_TARGET := daemon ifeq "${UNAME}" "Darwin" SONAME := libcryptech-pkcs11.dylib -- cgit v1.2.3
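Review bot: `LIBHAL_TARGET := daemon` at the end of the hunk is an unconditional assignment, so anyone who had selected the serial path through the environment (`LIBHAL_TARGET=serial` exported before `make`) silently gets daemon mode after this change; only a command-line override (`make LIBHAL_TARGET=serial`) still wins. Consider `LIBHAL_TARGET ?= daemon` so existing environment-based builds keep working, and add one line to the new comment block saying how to override it. The comment also describes the daemon as a multiplexer on a PF_UNIX socket but never states that it must already be running for the new default to work, nor that with daemon mode the socket's ownership and permissions now decide which local users can reach the HSM; a sentence on each would save the first "connection refused" from a fresh build and make the access-control implication explicit.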