# tmkms + yubihsm

## Prerequisites

#### Install YubiHSM2 drivers

```
### Ubuntu
$ wget https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2021-08-ubuntu2004-amd64.tar.gz
### Debian 10
$ wget https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2021-08-debian10-amd64.tar.gz

$ tar -xvf yubihsm2-sdk-2021-08-ubuntu2004-amd64.tar.gz
$ cd yubihsm2-sdk
$ sudo dpkg -i *.deb
### If dpkg reports missing dependencies, run: # apt --fix-broken install

// Check whether the drivers are installed.
// This starts a connector listening on localhost:12345. tmkms itself talks to the
// HSM directly over USB, so the connector only serves as a smoke test here.
$ yubihsm-connector -d
```

> #### Note:
>
> Going through the YubiHSM [quick guide](https://cutt.ly/nc5isfg) and [concepts](https://cutt.ly/bc5ilhs) is highly recommended.

#### Add a new user to the KMS server

> After creating the new user, add a udev rule so that this non-root account can open the YubiHSM2 USB device.
>
> Without such a rule, accessing the YubiHSM2 from an account that is not root fails with the error below.
>
> error: error connecting to YubiHSM2: protocol error: USB error: USB(bus=1,addr=22): error opening device: Access denied (insufficient permissions))
>
> Reloading the rules with the command below is the usual way to apply a new rule without rebooting; in our case it did not take effect, so we rebooted the server and tried once again.
>
> # udevadm control --reload-rules && udevadm trigger
>
> Note that the udev rule, not membership in the `sudo` group, is what grants the tmkms account access to the HSM; `sudo` is only needed if you administer the host from that account.

```
$ sudo su
// Proceed as root
# mkdir /data_tmkms
# useradd -m -d /data_tmkms/tmkms -G sudo tmkms -s /bin/bash

// Add the udev rule. Mind the single "=": GROUP="tmkms" assigns the group owner of
// the device node, whereas GROUP=="tmkms" is a match condition and grants nothing.
# nano /etc/udev/rules.d/10-yubihsm.rules
...
SUBSYSTEMS=="usb", ATTRS{product}=="YubiHSM", GROUP="tmkms"
...

// Reboot the server (or reload the rules as above and re-plug the device)
# reboot
```

#### Install libusb, Rust, pkg-config and tmkms on the KMS server

> #### Note:
> Install these prerequisites for the account that will run tmkms. The `apt` packages are system-wide, but the Rust toolchain and `cargo install` are per-user, so repeat those steps as the tmkms user if you first ran them as root.
```
$ sudo su
// The steps below are run as root; repeat the rustup/cargo steps as the tmkms
// account if that account will run tmkms

// Install libusb
# apt install libusb-1.0-0-dev

// Install Rust
// Choose "1) Proceed with installation (default)"
# curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# source $HOME/.cargo/env
# cargo --version

// Install pkg-config
# apt install pkg-config

// Install tmkms with YubiHSM support. `cargo install tmkms` fetches the crate from
// crates.io; the git clone is only needed if you want to build the checkout instead
// (run `cargo install --path . --features=yubihsm` inside the clone for that).
# cd $HOME
# git clone git@github.com:iqlusioninc/tmkms.git
# cd tmkms
# cargo install tmkms --features=yubihsm
### If you get an error: linker `cc` not found, install a C toolchain: # apt install build-essential
# tmkms version
```

## Procedure

#### Initialize the tmkms config file

```
// Commands must be executed as a non-root user
$ cd $HOME
// "simd" is the directory name and can be customized
// Here we are accessing a validator running on a simd testnet
$ tmkms init simd
```

> #### Note:
> This writes a `tmkms.toml` file and a `kms-identity.key` (used to authenticate the KMS to the validator), and creates the `secrets` and `state` subdirectories.
>
> Customise `tmkms.toml` according to the chain and validator requirements.
> You can see an example `tmkms.toml` file [here](https://cutt.ly/Uv4p79k).

#### Customize the tmkms.toml file

```
$ cd $HOME/simd/
$ sudo nano tmkms.toml
...
[[chain]]
id = "simdnet"
key_format = { type = "bech32", account_key_prefix = "cosmospub", consensus_key_prefix = "cosmosvalconspub" }
state_file = "/home/juggernaut/simd/state/simdnet-consensus.json"

[[providers.yubihsm]]
adapter = { type = "usb" }
# key 1 / "password" is the factory default admin credential of a YubiHSM2: change it,
# and prefer password_file = "/path/to/file" (mode 0600) over an inline password
auth = { key = 1, password = "password" }
# serial_number = "0013202099"   # identify a specific YubiHSM to connect to (optional)
keys = [
    { key = 3, type = "consensus", chain_ids = ["simdnet"] },
]

[[validator]]
chain_id = "simdnet"
addr = "tcp://<IP address where the validator is running>:46658"
secret_key = "/home/juggernaut/simd/secrets/kms-identity.key"
protocol_version = "v0.34"
reconnect = true
...
```

> #### Note:
> In the `[[validator]]` section, `addr` is the socket the validator listens on; we open it in the validator's `config.toml` file below. `143.000.000.244` stands for the IP address of the cloud instance where we are running the testnet.
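The two KMS-side mistakes that fail silently in the steps above are a udev rule that matches instead of assigning (`GROUP==` rather than `GROUP=`) and a `tmkms.toml` that keeps the factory HSM password inline, references an undeclared chain id, or has a validator `addr` tmkms cannot dial. The following preflight script is an added example for this write-up, not code from tmkms or from the original page; the rule path `/etc/udev/rules.d/10-yubihsm.rules` and the config path `$HOME/simd/tmkms.toml` are taken from the steps above, and the Yubico USB vendor id `1050` is assumed for the sysfs lookup.

```bash
#!/usr/bin/env bash
# kms-preflight.sh: added example, not part of tmkms or the original write-up.
# Run on the KMS host as the account that will run tmkms, before `tmkms start`.

# Print a correct udev rule granting the given group access to a YubiHSM.
udev_rule_for_group() {
  printf 'SUBSYSTEMS=="usb", ATTRS{product}=="YubiHSM", GROUP="%s"\n' "$1"
}

# Return 0 if the rules file assigns GROUP to $2 and never uses the GROUP== form,
# which is a match condition and leaves the device node root-owned.
udev_rule_assigns_group() {   # $1 = rules file, $2 = group
  if grep -q 'GROUP=="' "$1"; then
    echo "$1: GROUP== is a match, not an assignment; use GROUP=\"$2\"" >&2
    return 1
  fi
  grep -q "GROUP=\"$2\"" "$1"
}

# List the /dev/bus/usb nodes of attached YubiHSMs (Yubico vendor id 0x1050, assumed) via sysfs.
yubihsm_device_nodes() {
  local d
  for d in /sys/bus/usb/devices/*; do
    [ -r "$d/idVendor" ] && [ "$(cat "$d/idVendor")" = "1050" ] || continue
    grep -qi 'yubihsm' "$d/product" 2>/dev/null || continue
    printf '/dev/bus/usb/%03d/%03d\n' "$(cat "$d/busnum")" "$(cat "$d/devnum")"
  done
}

# Return 0 if the calling user can read and write every attached YubiHSM node.
yubihsm_accessible() {
  local n found=0
  for n in $(yubihsm_device_nodes); do
    found=1
    if ! { [ -r "$n" ] && [ -w "$n" ]; }; then
      echo "no read/write access to $n (check the udev rule and group membership)" >&2
      return 1
    fi
  done
  [ "$found" = 1 ] || { echo "no YubiHSM found on USB" >&2; return 2; }
}

# Lint tmkms.toml; print each finding and return 1 if anything is wrong.
lint_tmkms_toml() {   # $1 = tmkms.toml
  local rc=0 declared ref
  # An inline password sits in a config file that is easy to leak; tmkms's own
  # template uses password_file instead.
  if grep -Eq '^[[:space:]]*auth[[:space:]]*=.*password[[:space:]]*=' "$1"; then
    echo 'auth has an inline password; use password_file = "/path" (mode 0600)'; rc=1
  fi
  # Auth key 1 with "password" is the factory credential of a fresh YubiHSM2.
  if grep -Eq 'key[[:space:]]*=[[:space:]]*1[^0-9].*"password"' "$1"; then
    echo 'auth key 1 still uses the factory password "password"; rotate it'; rc=1
  fi
  # tmkms dials the validator, so addr must be a URL it can parse.
  if grep -Eq '^[[:space:]]*addr[[:space:]]*=' "$1" \
     && ! grep -Eq '^[[:space:]]*addr[[:space:]]*=[[:space:]]*"tcp://' "$1"; then
    echo 'validator addr is not a tcp://HOST:PORT URL'; rc=1
  fi
  # Every chain id referenced by a key or a [[validator]] must be declared as a
  # [[chain]] id, or tmkms refuses to sign for it.
  declared=$(grep -E '^[[:space:]]*id[[:space:]]*=' "$1" | grep -Eo '"[^"]*"')
  for ref in $(grep -Eo 'chain_ids?[[:space:]]*=[[:space:]]*("[^"]*"|\[[^]]*\])' "$1" \
               | grep -Eo '"[^"]*"'); do
    case "$declared" in
      *"$ref"*) ;;
      *) echo "chain $ref is used but not declared in any [[chain]] section"; rc=1 ;;
    esac
  done
  return $rc
}

# Usage: KMS_PREFLIGHT=1 bash kms-preflight.sh [/path/to/tmkms.toml]
if [ "${KMS_PREFLIGHT:-0}" = 1 ]; then
  udev_rule_assigns_group /etc/udev/rules.d/10-yubihsm.rules tmkms \
    && yubihsm_accessible \
    && lint_tmkms_toml "${1:-$HOME/simd/tmkms.toml}" \
    && echo "preflight OK"
fi
```

Run it as the tmkms account, not as root: root can open any device node, so a root run says nothing about whether the udev rule works for the account that will actually sign. The TOML checks are deliberately line-based `grep` patterns, which is enough for the single-line `auth`, `addr` and `chain_ids` settings the `tmkms init` template produces.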
#### Setting up a simd testnet and a validator in it

> To set up the testnet follow this [HackMD file](https://cutt.ly/3c5zVTd).

#### Add the validator private key (priv_validator_key.json) to the YubiHSM2

```
$ scp root@143.000.000.17:/root/.simapp/config/priv_validator_key.json $HOME/simd/simd_priv_validator_key.json

// Enter the root user
$ sudo su

// Create an asymmetric key with ID 3 (the id referenced under keys in tmkms.toml)
// from the simd_priv_validator_key.json file
# tmkms yubihsm keys import -t json -i 3 -l simd-validator /path/to/the/imported/simd_priv_validator_key.json

// See the created asymmetric key
# tmkms yubihsm keys list -c /path/to/tmkms.toml
Listing keys in YubiHSM #0013202099:
- 0x0003: [cons] cosmosvalconspubxxxxxxk4eq4y7g0n
          label: "simd-validator"
```

> #### Note:
> Always start the tmkms server before you start the testnet.

#### Run the tmkms server

```
$ sudo su
# tmkms start -c /path/to/tmkms.toml
```

> #### Note:
> Until the validator is listening, tmkms logs `The connection has been refused` and keeps retrying (`reconnect = true`).
> To resolve this, make the changes below in the testnet's `config.toml` file.

#### Change the testnet's config.toml file

```
$ ssh root@<ip_address>
// This assumes that you are now the root user on the instance
# nano .simapp/config/config.toml

// Comment out this line:
// priv_validator_key_file = "config/priv_validator_key.json"

// Search for `priv_validator_laddr = ""` and set it to the address tmkms will dial.
// The scheme needs "//": `tcp:0.0.0.0:46658` without the slashes is not a valid address.
priv_validator_laddr = "tcp://0.0.0.0:46658"
```

> Restart the simd testnet chain.
> You will see the message that the validator successfully connected in the `tmkms` server logs.
>
> Binding to `0.0.0.0` makes the remote-signer socket reachable on every interface. Restrict it with a firewall to the KMS host's IP (or bind it to the interface the KMS host reaches) so that nothing else can connect to the validator's signing port.

> #### Note:
> Once the key is in the HSM, delete `priv_validator_key.json` from the validator's config directory, and also the copy that was transferred to the KMS host, or move it to a secure offline backup.
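The `config.toml` change and the clean-up of the plaintext key above, as an added example that is not part of the original write-up or of simd/Tendermint. It edits `priv_validator_laddr` in place the way the page does but refuses the malformed `tcp:HOST:PORT` form (the scheme needs `//`), reports the effective value, and overwrites and removes the plaintext `priv_validator_key.json` once the key lives in the HSM. The config path `$HOME/.simapp/config/config.toml` and the default address are taken from the page; the `VALIDATOR_PRIVVAL` guard variable is an assumption of this script.

```bash
#!/usr/bin/env bash
# validator-privval.sh: added example, not part of simd, Tendermint or the original page.
# Run on the validator host after `tmkms yubihsm keys import` has succeeded.

# Set priv_validator_laddr in $1 to $2, which must look like tcp://HOST:PORT.
set_privval_laddr() {
  local cfg=$1 addr=$2
  case "$addr" in
    tcp://*:[0-9]*) ;;
    *) echo "refusing '$addr': expected tcp://HOST:PORT (note the //)" >&2; return 1 ;;
  esac
  # Edit the existing key (commented or not) rather than appending to an unknown section.
  if ! grep -Eq '^[[:space:]]*#?[[:space:]]*priv_validator_laddr[[:space:]]*=' "$cfg"; then
    echo "$cfg has no priv_validator_laddr key" >&2; return 1
  fi
  sed -E -i "s|^[[:space:]]*#?[[:space:]]*priv_validator_laddr[[:space:]]*=.*|priv_validator_laddr = \"$addr\"|" "$cfg"
}

# Print the effective priv_validator_laddr value from $1 (empty string if unset).
privval_laddr() {
  grep -E '^[[:space:]]*priv_validator_laddr[[:space:]]*=' "$1" | sed -E 's/^[^"]*"([^"]*)".*$/\1/'
}

# Overwrite and remove the plaintext consensus key in $1 once it lives in the HSM.
# Returns 0 if the file is gone afterwards (also when it was already absent).
retire_plaintext_key() {
  local f=$1
  [ -e "$f" ] || return 0
  if command -v shred >/dev/null 2>&1; then shred -u "$f"; else rm -f "$f"; fi
  [ ! -e "$f" ]
}

# Usage: VALIDATOR_PRIVVAL=1 bash validator-privval.sh [config.toml] [tcp://KMS_FACING_IP:46658]
if [ "${VALIDATOR_PRIVVAL:-0}" = 1 ]; then
  cfg=${1:-$HOME/.simapp/config/config.toml}
  set_privval_laddr "$cfg" "${2:-tcp://0.0.0.0:46658}" \
    && retire_plaintext_key "$(dirname "$cfg")/priv_validator_key.json" \
    && echo "priv_validator_laddr = $(privval_laddr "$cfg"); plaintext key retired"
fi
```

Pass the validator's KMS-facing interface address as the second argument instead of `0.0.0.0` where the host has one, and firewall the port to the KMS host either way. `shred` only overwrites reliably on filesystems that rewrite blocks in place (not on copy-on-write or heavily journaled ones), so treat it as best effort and keep the backup, if any, encrypted and offline. Run the same `retire_plaintext_key` on the KMS host against the copy `scp` left in `$HOME/simd/`.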