source-git / opencryptoki

Clone
Source Code
GIT

Files

c8 c8s master
  1.   c8s
  2.   doc
  3.   system_resources
Blob Blame History Raw 
The following are the system resources used by openCryptoki as of
openCryptoki-3.8 release.

1.Shared memory = 1 per token + 1 segment between pkcsslotd & api = 7 max currently
    a. Between pkcsslotd and api
       The pkcsslotd daemon has its own shared memory segment that it creates
       and shares with API. Part of the data is now passed through sockets but
       there is still some data shared via shared memory.

    b. Each token has its own shared memory segment. Opencryptoki processes
       attach to the token segment and shared memory acts as a global state
       tracking mechanism.
       # ls /dev/shm 
       var.lib.opencryptoki.ccatok   var.lib.opencryptoki.swtok
       var.lib.opencryptoki.ep11tok  var.lib.opencryptoki.tpm.root
       var.lib.opencryptoki.lite

2. Sockets - 1
Unix socket between pkcsslotd and api to transfer slot information.

3. Files
    a. Lock files - 1 global API LCK file + 1 per token (except tpm)  = 6 max
       currently + 1 lock file per user on tpm token
       # ls -lh /var/lock/opencryptoki/     
       LCK..APIlock
       ccatok/LCK..ccatok
       ep11tok/LCK..ep11tok
       icsf/LCK..icsf
       lite/LCK..lite
       swtok/LCK..swtok
       tpm/<USER>/LCK..tpm

    b. Trace files - These are generated based on the environment variable
       OPENCRYPTOKI_TRACE_LEVEL per process in /var/log/opencryptoki. No max
       limit.

    c. Config files - 2
       # ls -lh /etc/opencryptoki/
       total 8.0K
       -rw-r--r--. 1 root root 390 Mar 31 10:55 ep11tok.conf
       -rw-r--r--. 1 root root 674 Mar 31 10:55 opencryptoki.conf

    d. Token data files - 3 files per token + 1 additional RACF file for icsf
    token + 1 MK_PRIVATE file for tpm token = 20
       NVTOK.DAT - Token data like user pin, so pin etc
       MK_SO - Master key used for internal encryption hashed with SOPIN. This
               file does not exist on tpm token.
       MK_USER - Master key used for internal encryption hashed with USERPIN.
                 This file does not exist on tpm token.
       RACF - icsf racf password encrypted. tpm token has wrapped keys per user
              /var/lib/opencryptoki/tpm/${USER}/PRIVATE_ROOT_KEY.pem
              /var/lib/opencryptoki/tpm/${USER}/PUBLIC_ROOT_KEY.pem

    e. Token object files - 1 OBJ_IDX file per token and the private object
       files. = 6 + as many number of private token objects for tokens
       OBJ_IDX - A list of current token objects.

4. Semaphores
The following depend on the number of processes accessing openCryptoki on the system.
    a. The structure API_Proc_Struct_t is allocated per process. It has a thread
       level mutex and a session level mutex to lock btree accesses. So two
       mutexes per process.

    b. Per process Global Mutex used in API. - 1

    c. There are 5 mutexes used in common directory per process - 5
       pthread_mutex_t native_mutex ; 
       MUTEX pkcs_mutex, obj_list_mutex, sess_list_mutex, login_mutex;

The following are mutexes local to tokens.
    d. Soft token has two mutexes - 1
    e. ica token  - 1

5. There are 5 global btrees (in memory) for holding the session mapping
information, session objects, public token and private token objects
information.

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation