The following are the system resources used by openCryptoki as of the
openCryptoki-3.8 release.

1. Shared memory = 1 per token + 1 segment between pkcsslotd & api = 7 max currently

   a. Between pkcsslotd and api
      The pkcsslotd daemon has its own shared memory segment that it creates
      and shares with the API. Part of the data is now passed through sockets,
      but there is still some data shared via shared memory.

   b. Each token has its own shared memory segment. openCryptoki processes
      attach to the token segment, and the shared memory acts as a global
      state tracking mechanism.

      # ls /dev/shm
      var.lib.opencryptoki.ccatok var.lib.opencryptoki.swtok
      var.lib.opencryptoki.ep11tok var.lib.opencryptoki.tpm.root
      var.lib.opencryptoki.lite

2. Sockets - 1
   Unix socket between pkcsslotd and api to transfer slot information.

3. Files
   a. Lock files - 1 global API LCK file + 1 per token (except tpm) = 6 max
      currently + 1 lock file per user on tpm token

      # ls -lh /var/lock/opencryptoki/
      LCK..APIlock
      ccatok/LCK..ccatok
      ep11tok/LCK..ep11tok
      icsf/LCK..icsf
      lite/LCK..lite
      swtok/LCK..swtok
      tpm/<USER>/LCK..tpm

   b. Trace files - These are generated per process in /var/log/opencryptoki
      based on the environment variable OPENCRYPTOKI_TRACE_LEVEL. No max
      limit.

   c. Config files - 2

      # ls -lh /etc/opencryptoki/
      total 8.0K
      -rw-r--r--. 1 root root 390 Mar 31 10:55 ep11tok.conf
      -rw-r--r--. 1 root root 674 Mar 31 10:55 opencryptoki.conf

   d. Token data files - 3 files per token + 1 additional RACF file for icsf
      token + 1 MK_PRIVATE file for tpm token = 20

      NVTOK.DAT - Token data like user pin, so pin etc.
      MK_SO     - Master key used for internal encryption hashed with SOPIN.
                  This file does not exist on tpm token.
      MK_USER   - Master key used for internal encryption hashed with USERPIN.
                  This file does not exist on tpm token.
      RACF      - icsf racf password encrypted.

      tpm token has wrapped keys per user:
      /var/lib/opencryptoki/tpm/${USER}/PRIVATE_ROOT_KEY.pem
      /var/lib/opencryptoki/tpm/${USER}/PUBLIC_ROOT_KEY.pem
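The token data files above hold PIN-hashed master keys and the tpm root key, so their permissions are worth checking. The following is an added example (not openCryptoki's own code) that audits a token data root for any of those files readable or writable by "other"; it assumes those files should carry no "other" permission bits, which the text does not state, and builds a constructed sample tree to run against offline.

```shell
#!/bin/sh
# Added example, not part of openCryptoki: audit the token data files listed
# above (NVTOK.DAT, MK_SO, MK_USER, RACF and the tpm PRIVATE_ROOT_KEY.pem)
# under a token data root and report any readable or writable by "other".
# Assumption: these files should carry no "other" permission bits; the page
# does not state the intended mode.

# audit_token_files ROOT
# Prints one offending path per line (sorted); prints nothing when clean.
# -perm -004 / -perm -002 are POSIX find tests for the o+r / o+w bits.
audit_token_files() {
    find "$1" -type f \
        \( -name NVTOK.DAT -o -name MK_SO -o -name MK_USER \
           -o -name RACF -o -name PRIVATE_ROOT_KEY.pem \) \
        \( -perm -004 -o -perm -002 \) -print | sort
}

# make_sample_tree
# Builds a constructed tree shaped like /var/lib/opencryptoki (three tokens
# plus a per-user tpm directory) in a temp dir and echoes its path. One
# master key file is deliberately left world-readable so the audit has
# something to find. The user name "alice" is made up.
make_sample_tree() {
    d=$(mktemp -d)
    for tok in swtok ccatok ep11tok; do
        mkdir -p "$d/$tok"
        for f in NVTOK.DAT MK_SO MK_USER OBJ_IDX; do
            : > "$d/$tok/$f"
            chmod 600 "$d/$tok/$f"
        done
    done
    mkdir -p "$d/tpm/alice"
    : > "$d/tpm/alice/PRIVATE_ROOT_KEY.pem"
    chmod 600 "$d/tpm/alice/PRIVATE_ROOT_KEY.pem"
    chmod 644 "$d/ccatok/MK_SO"   # the misconfiguration to detect
    echo "$d"
}
```

On a live system, run `audit_token_files /var/lib/opencryptoki` as a user permitted to read the token directories; an empty result means no listed file is exposed to "other".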

   e. Token object files - 1 OBJ_IDX file per token plus the private object
      files = 6 + as many private token objects as the tokens hold

      OBJ_IDX - A list of current token objects.

4. Semaphores

   The following depend on the number of processes accessing openCryptoki on
   the system.

   a. The structure API_Proc_Struct_t is allocated per process. It has a
      thread level mutex and a session level mutex to lock btree accesses.
      So two mutexes per process.

   b. Per process Global Mutex used in API - 1

   c. There are 5 mutexes used in the common directory per process - 5

      pthread_mutex_t native_mutex;
      MUTEX pkcs_mutex, obj_list_mutex, sess_list_mutex, login_mutex;

   The following are mutexes local to tokens.

   d. Soft token has two mutexes - 1
   e. ica token - 1

5. There are 5 global btrees (in memory) for holding the session mapping
   information, session objects, and public token and private token object
   information.