49922dff5a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Risk Bundle CI / risk-bundle-build (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Risk Bundle CI / risk-bundle-offline-kit (push) Has been cancelled
Risk Bundle CI / publish-checksums (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
2.5 KiB
2.5 KiB
SM Hardware Simulation & Bring-Up · 2025-12-11
Use this runbook to simulate or attach SM2/SM3 hardware (PKCS#11) for the CN profile. When hardware is unavailable, use the unified simulator (ops/crypto/sim-crypto-service) to keep CI green.
Goals
- Provide a repeatable PKCS#11 path (SoftHSM2 or vendor token).
- Document slots/PIN wiring for StellaOps hosts.
- Capture validation evidence (sign/verify/hash) to retire the “software-only” caveat once certified hardware is ready.
Simulation path (SoftHSM2)
sudo apt-get install softhsm2
softhsm2-util --init-token --slot 0 --label "SM2SIM" --so-pin 1234 --pin 1234
softhsm2-util --import sm2-private-key.pem --token "SM2SIM" --label "sm2key" --id 1 --pin 1234
Configure StellaOps hosts (example):
StellaOps:
Crypto:
Registry:
ActiveProfile: sm
Pkcs11:
LibraryPath: /usr/lib/softhsm/libsofthsm2.so
Keys:
- KeyId: sm2-hw
SlotId: 0
PinEnvVar: SM_PKCS11_PIN # export SM_PKCS11_PIN=1234
Algorithm: sm2
Vendor hardware bring-up
- Install vendor PKCS#11 library (e.g., Feitian/Jacarta SM modules).
- Export
SM_PKCS11_LIBRARYwith the library path; setSM_SOFT_ALLOWED=0to force hardware. - Import the SM2 private key/cert per vendor tooling; record SlotId/TokenLabel.
- Run the SM unit/integration suite with env:
SM_SOFT_ALLOWED=0 \ STELLAOPS_CRYPTO_ENABLE_SM_PKCS11=1 \ SM_PKCS11_LIBRARY=/path/to/libpkcs11.so \ SM_PKCS11_PIN=1234 \ dotnet test src/__Libraries/StellaOps.Cryptography.Plugin.SmSoft.Tests
Simulator fallback
- Unified simulator:
ops/crypto/sim-crypto-servicewith providersim.crypto.remote. - Enable via
STELLAOPS_CRYPTO_ENABLE_SIM=1andSTELLAOPS_CRYPTO_SIM_URL=http://localhost:8080. - Use when hardware or licenses are unavailable; keep the “non-certified” label in RootPack_CN.
Validation evidence to capture
pkcs11-tool --module <lib> --list-slotsand--list-objects.- Signing/verification logs for
stellaops-sm2-demowith signature hash. - JWKS export snapshot from Authority/Signer when the
smprofile is active.
Determinism
- Hashes are deterministic (SM3). Signatures are nonce-driven; record signature hash and public key.
- Keep test seeds fixed; prefer the existing SM2 unit tests with the env overrides above.
Publishing
- Attach command outputs and configs to the sprint evidence bundle.
- Once a certified token passes this harness, flip
SM_SOFT_ALLOWEDdefault to0for production CN profile and update RootPack_CN notes.