Using docker hsm image

[avanide]

Hi,
I've noticed there are two docker images: standard one and an HSM one: https://hub.docker.com/r/smallstep/step-ca
We would like to use the HSM one and use a Yubikey plugged on the host machine. Each of our containers must follow the least privilege principle and we are not able to find out whether some capabilities are required to use this HSM image.

I've noticed on the helm chart, in the default values (https://artifacthub.io/packages/helm/smallstep/step-certificates?modal=values), that the security contexts are restricted:

• allowPrivilegeEscalation: false
• readOnlyRootFilesystem: true
• runAsUser: 1000
• All capabilities are dropped except NET_BIND_SERVICE
  Is it accurate only for the standard docker image or is it true for the HSM one too?

May you confirm which privileges are required to run the HSM docker image? How do we grant access to the yubikey plugged on the host?

Thanks,
Alex

[tashian]

I haven't tested this, but I think you'll have to figure out what USB device the YubiKey is using, and then grant that device to the container—eg, using docker run ... --device=/dev/ttyUSB0.

[avanide]

Hi Tashian,
Thanks for the answer. I understand it should work this way but I would expect to have clear confirmation. At least, my guess is that if there's such a docker image dedicated to HSM, somebody tried it (at least in the dev team).
Would be great to have official guidance from the product/dev team.

[tashian]

The difficulty of testing this is that it's vendor-specific.

• For example, with a Yubikey you may need to pass the USB device through.

• With a TPM, you'll need to run tpm2-abrmd(https://github.com/tpm2-software/tpm2-abrmd) on the host system and pass /dev/tpmrm0 through to the container.

• With a PKCS#11 HSM, you'd want to run the HSM PKCS11 broker service on the host and then make sure that port on localhost is accessible from within the container, and the HSM PKCS11 library is available in the container.

We're a small team and we can't test every scenario.
So, you'll have to try it out and see.
And if you learn something, please add your advice to the thread!

[danthonywalker]

I am also having trouble running the HSM image. When I run lsusb I can clearly see the YubiKey.

Bus 001 Device 001: ID 1d6b:0002 Linux 6.6.49-0-rpi xhci-hcd xHCI Host Controller
Bus 001 Device 002: ID 2109:3431  USB2.0 Hub
Bus 001 Device 003: ID 1050:0407 Yubico YubiKey OTP+FIDO+CCID
Bus 002 Device 001: ID 1d6b:0003 Linux 6.6.49-0-rpi xhci-hcd xHCI Host Controller

However, with the following docker-compose, I am getting the "error detecting yubikey: try removing and reconnecting the device" error.

services:
  stepca:
    image: smallstep/step-ca@hsm
    container_name: stepca
    restart: always
    stop_grace_period: 1m
    devices:
      - /dev/bus/usb:/dev/bus/usb
    ports:
      - 9000:9000
    volumes:
      - ./data:/home/step

networks:
  default:
    name: stepca

In the Discord, I see a few other posts with the same issue. One person was able to get it working by running the container as root. I tried with user: root and user: "0" but I still have this issue (maybe because I am running Docker in rootless mode?).

I was really hoping this would be simple to setup, but I am out of options on getting this to run.

Here are links to those Discord posts, in case it is helpful:
https://discord.com/channels/837031272227930163/841249977699401759/1186921025892515940
https://discord.com/channels/837031272227930163/841249977699401759/1132938661470675044

[tashian]

Hmm. I'd suggest trying to get ykman to run inside a container first, because that will simplify your testing. If ykman works, then try step-ca.

See also: https://developers.yubico.com/yubikey-manager/Device_Permissions.html