"Blinking" of HSM LED possible?

Peacekeeper · May 14, 2019, 9:02am

I have 4 HSM on one FreeBSD server. They are all labeled as “Nitrokey HSM” from Nitrokey. 2 of them are the HSM v2, but which ?
lsusb will provide:
Bus /dev/usb Device /dev/ugen0.5: ID 20a0:4230 Clay Logic
Bus /dev/usb Device /dev/ugen0.4: ID 20a0:4230 Clay Logic
Bus /dev/usb Device /dev/ugen0.2: ID 20a0:4230 Clay Logic
Bus /dev/usb Device /dev/ugen0.3: ID 20a0:4230 Clay Logic
Neither dmesg, sc-hsm-tool nor pkcs11-tool will wave a connection between the USB Slot and the reader-slot. With pkcs11-tool you could at least see the different versions of HSM on the different token-slots.
On RAID arrays you could enable the drive LED to blink to identify the right drive. As HSM also has a LED, I wonder if there is a function to do the same to identfy a NK HSM ?

jan · May 14, 2019, 9:19am

That’s a good point. On request we do physically label Nitrokeys with their serial number to distinguish and identify them. I guess this would solve your problem.

Still your suggestion is good and I created an issue ticket. However I don’t think it will be high priority to be implemented.

Peacekeeper · May 14, 2019, 10:32am

Yes, label it upfront is of course a possibility. Especially my server e.g. is under the ceiling - so anyway difficult to see the LED that is glowing up ( and not to the front )

BTW: I am not sure your udev rules are implemented : In FreeBSD I use the following rules:

nomatch 32 {
match “bus” “uhub[0-9]+”;
match “mode” “host”;
match “vendor” “0x20a0”;
match “product” “0x4230”;
action “logger NK HSM is attached and recognized”;
};

notify 100 {
match “system” “USB”;
match “subsystem” “DEVICE”;
match “type” “ATTACH”;
match “vendor” “0x20a0”;
match “product” “0x4230”;
action “/usr/local/etc/rc.d/pcscd onestart”;
};

notify 100 {
match “system” “USB”;
match “subsystem” “DEVICE”;
match “type” “DETACH”;
match “vendor” “0x20a0”;
match “product” “0x4230”;
action “/usr/local/etc/rc.d/pcscd onestop”;
};

attach 100 {
match “system” “USB”;
match “subsystem” “DEVICE”;
match “type” “ATTACH”;
match “vendor” “0x20a0”;
match “product” “0x4230”;
action “/usr/local/etc/rc.d/pcscd onestart”;
};

detach 100 {
match “system” “USB”;
match “subsystem” “DEVICE”;
match “type” “DETACH”;
match “vendor” “0x20a0”;
match “product” “0x4230”;
action “/usr/local/etc/rc.d/pcscd onestop”;
};

And there is another problem hidden: When I pull out one NK HSM, the pcscd is stopped. I need to change the rc-script to check the numbers of keys - but that might be not an GNU/Linux problem.

szszszsz · May 14, 2019, 12:24pm

There is one difference between models, which could help you. All Nitrokey HSM’s have serial number 010000000000000000000000, while Nitrokey HSM2 gets its iSerial from the smart card.

szszszsz · May 14, 2019, 12:30pm

This bash line works for me:

[ $(lsusb -d 20a0:4230  | wc -l ) -gt 0 ] || echo stop

Edit: I meant to replace the action “/usr/local/etc/rc.d/pcscd onestop”; line with the bash script containing the mentioned source.

Peacekeeper · May 14, 2019, 12:57pm

Thanks ! hat’s a good one to include in the start and the stop scripts for the daemon. Will try it ! Thanks

Peacekeeper · May 14, 2019, 1:33pm

With pkcs11-tool --list-token you will get both : serial num and also the serial number concatenated in the token label string:

pkcs11-tool --list-slots G ‘DENK|Slot’
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENKxxxxxxx0000 ) 00 00
serial num : DENKxxxxxxx
Slot 1 (0x4): Nitrokey Nitrokey HSM (DENKyyyyyyy0000 ) 01 00
serial num : DENKyyyyyyy
Slot 2 (0x8): Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
serial num : DENKzzzzzzz
Slot 3 (0xc): Nitrokey Nitrokey HSM (010000000000000000000000) 03 00
serial num : DENKwwwwwww

Update: Oh, I see: you mean iSerial from lsusb --verbose. And yes, there the serial number is not composed into the line of the reader

But still you will need to understand the slot no aligned with USB.
BTW: I wonder when I see the following things:

Slot 0 (0x0): Nitrokey Nitrokey HSM (DENKxxxxxxx0000 ) 00 00
manufacturer: Nitrokey
hardware ver: 0.0
firmware ver: 0.0
flags: token present, removable device, hardware slot
token label : UserPIN (SmartCard-HSM)
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 24.13
firmware version : 3.1
serial num : DENKxxxxxxx
pin min/max : 6/15

HW and FW Version is not used, manufacturer should be Nitrokey and not the Smartcard Card producer, nor ? And the token label always has the prefix of “UserPIN ( )” ???
Strange !

szszszsz · May 29, 2019, 8:09am

Sorry for delay.
This is the expected output. The smart card is identified with the ATR, and commands are suited for this one particular. I guess hardware and firmware version getters implementation could be added. Smart card firmware and hardware are present though.
I suspect UserPIN seems to be a prefix for tokens, which require user PIN to execute operation over it (from my OpenPGP past experience), but I have not confirmed that.