Hardware Security Module (HSM) support #3363
Description
As demonstrated by the hsm-research repository, it should be possible to use an HSM (such as a Yubikey, another smartcard reader, or the TPM) for cryptography with rumqtt (MQTT) and perhaps HTTPS. The next step is to implement HSM handling directly in thin-edge.io.
Because the musl dynamic loader does not work in statically linked musl binaries, a separate service running on the host will load the PKCS#11 dynamic module and expose the signing functionality.
Phase 1: Integrate cryptoki crate inside tedge (complete)
Use the cryptoki crate directly in thin-edge to establish an MQTT connection with a key that lives on the USB security module (e.g. a Yubikey) rather than on the filesystem.
Phase 2: Explore the tedge-pkcs11 interface
Explore moving the cryptoki crate usage out of tedge itself into a new service (a separate binary) that can be built against glibc; tedge (compiled with musl) then communicates with that service over a UNIX socket created by the service.
- create a new thin-edge service, tedge-p11-server, that performs the cryptoki interactions and exposes the sign operation over a UNIX socket
- make the necessary packaging changes to add the service definition and configuration
Phase 3: Improvements and polish
- Define a more formal protocol used for communication between thin-edge p11 clients and the server
- return a config error before connecting (i.e. at the config parsing stage) if `device.cryptoki.enable` is `true` but the module path is not set
- include the HSM configuration in the `tedge connect` summary
- upstream the libloading musl patch
- extend support to AWS and Azure clouds
- testing: use SoftHSM to mock HSMs and test the signing flow
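The Phase 2 client/server split and the Phase 3 item on a formal protocol, as an added Rust example that is not thin-edge.io's own code: a length-prefixed request/response exchange over a UNIX socket, with a byte-reversal stand-in for the PKCS#11 sign call. The framing, the `OP_SIGN` tag, the frame size limit, the fixed 32-byte digest and the socket path are all assumptions of this example, not the project's real wire format.

```rust
use std::io::{Error, ErrorKind, Read, Result, Write};
use std::os::unix::net::{UnixListener, UnixStream};

const OP_SIGN: u8 = 0x01; // request tag; a response carries a status byte instead (0 = ok, 1 = error)
const MAX_FRAME: usize = 4096; // body size bound so a misbehaving peer cannot force huge allocations

// Wire format (an assumption of this example, not thin-edge's real protocol): tag, u32 big-endian length, body.
fn write_frame(w: &mut impl Write, tag: u8, body: &[u8]) -> Result<()> {
    w.write_all(&[tag])?;
    w.write_all(&(body.len() as u32).to_be_bytes())?;
    w.write_all(body)
}

fn read_frame(r: &mut impl Read) -> Result<(u8, Vec<u8>)> {
    let mut hdr = [0u8; 5];
    r.read_exact(&mut hdr)?;
    let len = u32::from_be_bytes([hdr[1], hdr[2], hdr[3], hdr[4]]) as usize;
    if len > MAX_FRAME { return Err(Error::new(ErrorKind::InvalidData, "frame too large")); }
    let mut body = vec![0u8; len];
    r.read_exact(&mut body)?;
    Ok((hdr[0], body))
}

// Stand-in for the token's sign call (byte reversal, NOT a signature): a real server hands the
// digest to the PKCS#11 module through cryptoki and returns whatever the HSM produces.
pub fn mock_sign(digest: &[u8]) -> Vec<u8> { digest.iter().rev().copied().collect() }

// Server side (the tedge-p11-server role): accept one client, validate, reply with signature or error.
fn serve_one(listener: UnixListener) -> Result<()> {
    let (mut s, _) = listener.accept()?;
    match read_frame(&mut s)? {
        (OP_SIGN, d) if d.len() == 32 => write_frame(&mut s, 0, &mock_sign(&d)),
        _ => write_frame(&mut s, 1, b"expected a sign request carrying a 32-byte digest"),
    }
}

// Client side (the tedge role): send the digest, get the signature back or surface the server's error.
pub fn request_signature(path: &std::path::Path, digest: &[u8]) -> Result<Vec<u8>> {
    let mut s = UnixStream::connect(path)?;
    write_frame(&mut s, OP_SIGN, digest)?;
    match read_frame(&mut s)? {
        (0, sig) => Ok(sig),
        (_, msg) => Err(Error::new(ErrorKind::Other, String::from_utf8_lossy(&msg).into_owned())),
    }
}

// Run server and client in one process over a temporary socket; returns what the client got.
pub fn demo(digest: &[u8]) -> Result<Vec<u8>> {
    let path = std::env::temp_dir().join(format!("p11-demo-{}.sock", std::process::id()));
    let listener = UnixListener::bind(&path)?;
    let server = std::thread::spawn(move || serve_one(listener));
    let result = request_signature(&path, digest);
    let _ = server.join();
    let _ = std::fs::remove_file(&path);
    result
}
```

A malformed request (here, a digest of the wrong length) is answered with an error frame rather than signed, which is the kind of validation a real tedge-p11-server must do before touching the token.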