Can YubiHSM2 device supports multiple containers outside Device?

[hamda-almenhali]

Setting: We have two or more ubuntu docker containers running on a single host Ubuntu/MacOS computer. We have attached YubiHSM to the host machine via USB.

Requirement: We need to perform independent cryptographic operations via processes running on each of these docker containers. These cryptographic operations shall use YubiHSM.

Question: Is it possible for more than one docker container to use the single YubiHSM concurrently? Is it possible for more than one docker container to use the single YubiHSM non-concurrently? To do any of the above, do we need any synchronization mechanism? Is there a minimum reproducible example that YubiCo can share with us, to demonstrate the above requirements?

[qpernil]

The simplest would be to run the yubihsm-connector on the host machine, which would be talking to the USB device. The clients would then use the http backend to talk to the connector over http. You would have to enable the docker containers to connect to the host IP and port that the connector is listening to. Concurrency is then managed by yubihsm-connector, which contains a mutex around all USB access. This means all access is serialized, as the yubihsm can only process one request at a time.