Key Management System for Cosmos Validators.
https://cosmos.network/
This repository contains tmkms, a lightweight service intended to be deployed
alongside the gaiad service (ideally on separate physical hosts) which provides
the following:
Early adopters interested in using YubiHSM2 devices for Cosmos Validator key
storage can install the (forthcoming) tmkms v0.0.1 "Preview Release" using
the instructions below.
NOTE: This release does not yet support validator signing. See the following issues for the remaining blockers:
tmkms should build on any [supported Rust platform] which is also supported
by [libusb]. Below are some of the available tier 1, 2, and 3 Rust platforms
which are also supported by libusb.
NOTE: tmkms is presently tested on Linux/x86_64. We don't otherwise guarantee
support for any of the platforms below, but they theoretically meet the necessary
prerequisites for support.
Rust supports the following CPU architectures:
Tier 1:
a.k.a. "guaranteed to work"
i686 (32-bit Intel)x86_64 ("AMD64", "x64") - recommendedTier 2:
a.k.a. "may work". Note that hardware accelerated AES (used for communication with YubiHSM2) is not supported on these platforms and they have not been rigorously tested for side-channel attack resistance.
arm (32-bit ARM)aarch64 (64-bit ARM)mips (32-bit MIPS)mips64 (64-bit MIPS)powerpc (32-bit PowerPC)powerpc64 (64-bit PowerPC)sparc64 (64-bit SPARC)You will need the following prerequisites:
apt install libusb-1.0-0-devyum install libusb1-develbrew install libusbTo install tmkms, do the following:
RUSTFLAGS environment variable: export RUSTFLAGS=-Ctarget-feature=+aescargo tool:
$ cargo install tmkms
tmkms.toml file to a local directory (e.g. ~/.tmkms):https://github.com/tendermint/kms/blob/master/tmkms.toml.example
Edit it to match your desired configuration.
YubiHSM2 devices from Yubico are the main HSM solution supported by Tendermint KMS at this time (Ledger support forthcoming!)
The tmkms yubihsm subcommand provides YubiHSM2 setup, information, and
testing features:
tmkms yubihsm detect - list all YubiHSM2 devices detected via USBtmkms yubihsm keys - manage keys on the device
tmkms yubihsm keys generate <id> - generate an Ed25519 signing key with the given ID number (e.g. 1)tmkms yubihsm keys list - list all Ed25519 signing keys in the YubiHSM2tmkms yubihsm keys test <id> - perform a signing test using the given keyThe following are instructions for setting up a development environment. They assume you've already followed steps 1 & 2 from the Installation section above (i.e. installed rustup and the noted nightly Rust released).
rustup component add rustfmt-previewrustup component add clippy-previewAlternatively, you can build a Docker image from the [Dockerfile] in the top level of the repository, which is what is used to run tests in CI.
Before opening a pull request, please run the checks below:
Run the test suite with:
cargo test --all-features
Make sure your code is well-formatted by running:
cargo fmt
Lint your code (i.e. check it for common issues) with:
cargo clippy
Copyright © 2018 Tendermint
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.