From 491bb8d7d7e6cf287077e96f5fb6e7a9d95cddeb Mon Sep 17 00:00:00 2001
From: Shreerang Kale
Date: Thu, 12 Jun 2025 15:16:53 +0530
Subject: [PATCH 1/3] Update script to use yubihsm
---
 stack-orchestrator/config/tmkms/run.sh | 107 ++++++++++++------
 .../container-build/cerc-tmkms/build.sh | 2 +-
 2 files changed, 73 insertions(+), 36 deletions(-)
diff --git a/stack-orchestrator/config/tmkms/run.sh b/stack-orchestrator/config/tmkms/run.sh
index 15a1b29..a8c67f5 100755
--- a/stack-orchestrator/config/tmkms/run.sh
+++ b/stack-orchestrator/config/tmkms/run.sh
@@ -11,50 +11,87 @@ INPUT_PRIV_KEY_FILE=$TMKMS_HOME/tmp/priv_validator_key.json TMKMS_SECRETS_DIR=$TMKMS_HOME/secrets TMKMS_STATE_DIR=$TMKMS_HOME/state -# Check if priv_validator_key in SECRETS_DIR exists +# Initialize tmkms config if priv_validator_key does not exist if [[ ! -f "$TMKMS_SECRETS_DIR/priv_validator_key" ]]; then - # Initialize tmkms config echo "Initializing tmkms configuration..." + + # TODO: run tmkms yubihsm setup tmkms init $TMKMS_HOME - - # Import the private validator key into tmkms - echo "Importing private validator key into tmkms..." - tmkms softsign import $INPUT_PRIV_KEY_FILE $TMKMS_SECRETS_DIR/priv_validator_key - - # Remove the original private validator key - rm -rf $INPUT_PRIV_KEY_FILE - -else - echo "tmkms configuration already exists. Skipping initialization and cleaning up any existing input private validator key files..." - # Remove the original private validator key as it is not needed - if [[ -f "$INPUT_PRIV_KEY_FILE" ]]; then - rm -rf $INPUT_PRIV_KEY_FILE - fi fi -# Update tmkms.toml -echo "Updating tmkms.toml with chain_id, node IP, and key prefixes..." 
+# Configure tmkms.toml and handle key import/copy based on TMKMS_MODE +case "$TMKMS_MODE" in + "yubihsm") + # Add chain configuration for yubihsm + # TODO: Take password from env var + cat < $TMKMS_HOME/tmkms.toml -# Add chain configuration -cat < $TMKMS_HOME/tmkms.toml + [[chain]] + id = "$CHAIN_ID" + key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" } + state_file = "$TMKMS_STATE_DIR/priv_validator_state.json" - [[chain]] - id = "$CHAIN_ID" - key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" } - state_file = "$TMKMS_STATE_DIR/priv_validator_state.json" + [[validator]] + chain_id = "$CHAIN_ID" + addr = "tcp://$NODE_IP:$NODE_PORT" + secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key" + protocol_version = "v0.34" + reconnect = true - [[validator]] - chain_id = "$CHAIN_ID" - addr = "tcp://$NODE_IP:$NODE_PORT" - secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key" - protocol_version = "v0.34" - reconnect = true - - [[providers.softsign]] - key_type = "consensus" - path = "$TMKMS_SECRETS_DIR/priv_validator_key" - chain_ids = ["$CHAIN_ID"] + [[providers.yubihsm]] + adapter = { type = "usb" } + auth = { key = 1, password = "password" } EOF + # Import the private validator key into tmkms for yubihsm (only if not already present) + + # TODO: Check yubihsm keys list + if [[ ! -f "$TMKMS_SECRETS_DIR/priv_validator_key" ]]; then + echo "Importing private validator key into tmkms for yubihsm..." 
+ tmkms yubihsm keys import -i 1 $INPUT_PRIV_KEY_FILE -c $TMKMS_HOME/tmkms.toml + fi + ;; + + "softsign") + # Add chain configuration for softsign + cat < $TMKMS_HOME/tmkms.toml + + [[chain]] + id = "$CHAIN_ID" + key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" } + state_file = "$TMKMS_STATE_DIR/priv_validator_state.json" + + [[validator]] + chain_id = "$CHAIN_ID" + addr = "tcp://$NODE_IP:$NODE_PORT" + secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key" + protocol_version = "v0.34" + reconnect = true + + [[providers.softsign]] + key_type = "consensus" + path = "$TMKMS_SECRETS_DIR/priv_validator_key" + chain_ids = ["$CHAIN_ID"] +EOF + + # Import the private validator key into tmkms for softsign (only if not already present) + if [[ ! -f "$TMKMS_SECRETS_DIR/priv_validator_key" ]]; then + echo "Importing private validator key into tmkms for softsign..." + tmkms softsign import $INPUT_PRIV_KEY_FILE $TMKMS_SECRETS_DIR/priv_validator_key + fi + ;; + + *) + echo "Error: TMKMS_MODE environment variable not set or invalid. Please set it to 'yubihsm' or 'softsign'." + exit 1 + ;; +esac + +# Remove the original input private validator key file after processing +if [[ -f "$INPUT_PRIV_KEY_FILE" ]]; then + rm -rf $INPUT_PRIV_KEY_FILE +fi + +# Start tmkms echo "Starting tmkms..." tmkms start --config $TMKMS_HOME/tmkms.toml diff --git a/stack-orchestrator/container-build/cerc-tmkms/build.sh b/stack-orchestrator/container-build/cerc-tmkms/build.sh index 918cceb..8a8da61 100755 --- a/stack-orchestrator/container-build/cerc-tmkms/build.sh +++ b/stack-orchestrator/container-build/cerc-tmkms/build.sh 
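Review bot: The yubihsm branch writes `auth = { key = 1, password = "password" }` into tmkms.toml, which is the factory-default YubiHSM authentication key and password, so the HSM-backed signer is protected by nothing more than the credential the device ships with; the `# TODO: Take password from env var` line acknowledges this, but the commit still hardcodes it rather than reading `"${TMKMS_YUBIHSM_PASSWORD:?}"`. The heredoc also creates tmkms.toml under the ambient umask, so whatever password ends up there is readable by any other user in the container; put `umask 077` before the `cat` or `chmod 600 "$TMKMS_HOME/tmkms.toml"` after it. Note that `tmkms init` and the hardened write both happen every start, so the permission fix has to live in this script, not in a one-time setup. The `rm -rf $INPUT_PRIV_KEY_FILE` at the end (and the `tmkms ... import` arguments) are unquoted; `rm -f -- "$INPUT_PRIV_KEY_FILE"` is the safe form and `-r` is not needed for a file.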
@@ -7,4 +7,4 @@ source ${CERC_CONTAINER_BASE_DIR}/build-base.sh SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) # TODO: Use BACKEND=yubihsm build command arg -docker build -t cerc/tmkms:local ${build_command_args} -f ${SCRIPT_DIR}/Dockerfile ${SCRIPT_DIR} +docker build -t cerc/tmkms:local --build-arg BACKEND=yubihsm ${build_command_args} -f ${SCRIPT_DIR}/Dockerfile ${SCRIPT_DIR} -- 2.45.2 From 03e7d236919f5ea8a32162147da2b09a813e7b6b Mon Sep 17 00:00:00 2001 From: Shreerang Kale Date: Thu, 12 Jun 2025 18:02:43 +0530 Subject: [PATCH 2/3] Add env variable to set tmkms mode --- .../compose/docker-compose-tmkms.yml | 1 + stack-orchestrator/config/tmkms/run.sh | 16 +++++++++++----- .../container-build/cerc-tmkms/build.sh | 2 +- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/stack-orchestrator/compose/docker-compose-tmkms.yml b/stack-orchestrator/compose/docker-compose-tmkms.yml index 8bc5a62..42de778 100644 --- a/stack-orchestrator/compose/docker-compose-tmkms.yml +++ b/stack-orchestrator/compose/docker-compose-tmkms.yml @@ -8,6 +8,7 @@ services: NODE_IP: ${NODE_IP} NODE_PORT: ${NODE_PORT:-26659} KEY_PREFIX: ${KEY_PREFIX} + TMKMS_MODE: ${TMKMS_MODE:-softsign} volumes: - tmkms-data:/root/tmkms - ../config/tmkms/run.sh:/opt/run.sh diff --git a/stack-orchestrator/config/tmkms/run.sh b/stack-orchestrator/config/tmkms/run.sh index a8c67f5..107270f 100755 --- a/stack-orchestrator/config/tmkms/run.sh +++ b/stack-orchestrator/config/tmkms/run.sh 
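Review bot: `TMKMS_MODE: ${TMKMS_MODE:-softsign}` makes a deployment that intended to use the HSM but forgot the variable fall back silently to a file-based signing key, which is the opposite of fail-closed for a validator; `TMKMS_MODE: ${TMKMS_MODE:?set to yubihsm or softsign}` would make compose refuse to bring the service up, instead of relying on run.sh's check after the container has already started. The yubihsm mode configured by run.sh in this series uses `adapter = { type = "usb" }`, which needs the YubiHSM USB device mapped into the container, and no `devices:` entry is added here; unless one exists elsewhere in the service definition (not visible in this hunk), the yubihsm branch cannot reach the device at all.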
@@ -12,11 +12,12 @@ TMKMS_SECRETS_DIR=$TMKMS_HOME/secrets TMKMS_STATE_DIR=$TMKMS_HOME/state # Initialize tmkms config if priv_validator_key does not exist -if [[ ! -f "$TMKMS_SECRETS_DIR/priv_validator_key" ]]; then +if [[ ! -f "$TMKMS_HOME/tmkms.toml" ]]; then echo "Initializing tmkms configuration..." - # TODO: run tmkms yubihsm setup tmkms init $TMKMS_HOME +else + echo "tmkms configuration already exists. Skipping initialization." fi # Configure tmkms.toml and handle key import/copy based on TMKMS_MODE @@ -43,12 +44,15 @@ case "$TMKMS_MODE" in auth = { key = 1, password = "password" } EOF - # Import the private validator key into tmkms for yubihsm (only if not already present) + # Setup YubiHSM + tmkms yubihsm setup -c $TMKMS_HOME/tmkms.toml - # TODO: Check yubihsm keys list - if [[ ! -f "$TMKMS_SECRETS_DIR/priv_validator_key" ]]; then + # Import the private validator key into tmkms for yubihsm (only if not already present) + if ! tmkms yubihsm keys list | grep -q "0x0001:"; then echo "Importing private validator key into tmkms for yubihsm..." tmkms yubihsm keys import -i 1 $INPUT_PRIV_KEY_FILE -c $TMKMS_HOME/tmkms.toml + else + echo "Key 0x0001 already present in YubiHSM. Skipping import." fi ;; @@ -78,6 +82,8 @@ EOF if [[ ! -f "$TMKMS_SECRETS_DIR/priv_validator_key" ]]; then echo "Importing private validator key into tmkms for softsign..." tmkms softsign import $INPUT_PRIV_KEY_FILE $TMKMS_SECRETS_DIR/priv_validator_key + else + echo "Softsign key already present. Skipping import." fi ;; diff --git a/stack-orchestrator/container-build/cerc-tmkms/build.sh b/stack-orchestrator/container-build/cerc-tmkms/build.sh index 8a8da61..918cceb 100755 --- a/stack-orchestrator/container-build/cerc-tmkms/build.sh +++ b/stack-orchestrator/container-build/cerc-tmkms/build.sh 
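Review bot: The new message `tmkms configuration already exists. Skipping initialization.` promises more than the script keeps: the `case` that follows (outside this hunk) still regenerates `$TMKMS_HOME/tmkms.toml` from a heredoc on every start, so only the other artifacts `tmkms init` creates survive a restart and any operator edits to the toml are discarded. Either state that in the message, or skip the heredoc when the file already exists so the guard and the message agree. `tmkms init $TMKMS_HOME` leaves the path unquoted; `tmkms init "$TMKMS_HOME"` is the safe form.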
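Review bot: `tmkms yubihsm setup -c $TMKMS_HOME/tmkms.toml` now runs unconditionally on every container start, before the `keys list` check; as far as I understand that command it factory-resets the device and provisions fresh authentication keys, which would wipe the validator key imported on the previous start and invalidate the `key = 1, password = "password"` credential the toml above still carries. Setup belongs in a one-time, operator-confirmed step rather than in the entrypoint; at minimum gate it, e.g. `if [[ -n "$TMKMS_YUBIHSM_SETUP" ]]; then tmkms yubihsm setup -c "$TMKMS_HOME/tmkms.toml"; fi`. Separately, `tmkms yubihsm keys list` is the only tmkms invocation here without `-c`; if it cannot load the config, the pipeline's status is grep's, no `pipefail` is visible in this script, and the branch falls through to a fresh import attempt on every start, so pass `-c "$TMKMS_HOME/tmkms.toml"` and check the list command's own exit status before grepping.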
@@ -7,4 +7,4 @@ source ${CERC_CONTAINER_BASE_DIR}/build-base.sh SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) # TODO: Use BACKEND=yubihsm build command arg -docker build -t cerc/tmkms:local --build-arg BACKEND=yubihsm ${build_command_args} -f ${SCRIPT_DIR}/Dockerfile ${SCRIPT_DIR} +docker build -t cerc/tmkms:local ${build_command_args} -f ${SCRIPT_DIR}/Dockerfile ${SCRIPT_DIR} -- 2.45.2 From b31b023509da11cc92919c39e014e19df896aead Mon Sep 17 00:00:00 2001 From: Shreerang Kale Date: Thu, 12 Jun 2025 18:34:33 +0530 Subject: [PATCH 3/3] Add script to setup yubihsm --- stack-orchestrator/config/tmkms/run.sh | 23 +------------ .../config/tmkms/setup-yubihsm.sh | 33 +++++++++++++++++++ 2 files changed, 34 insertions(+), 22 deletions(-) create mode 100755 stack-orchestrator/config/tmkms/setup-yubihsm.sh diff --git a/stack-orchestrator/config/tmkms/run.sh b/stack-orchestrator/config/tmkms/run.sh index 107270f..16faf7a 100755 --- a/stack-orchestrator/config/tmkms/run.sh +++ b/stack-orchestrator/config/tmkms/run.sh @@ -24,28 +24,7 @@ fi case "$TMKMS_MODE" in "yubihsm") # Add chain configuration for yubihsm - # TODO: Take password from env var - cat < $TMKMS_HOME/tmkms.toml - - [[chain]] - id = "$CHAIN_ID" - key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" } - state_file = "$TMKMS_STATE_DIR/priv_validator_state.json" - - [[validator]] - chain_id = "$CHAIN_ID" - addr = "tcp://$NODE_IP:$NODE_PORT" - secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key" - protocol_version = "v0.34" - reconnect = true - - [[providers.yubihsm]] - adapter = { type = "usb" } - auth = { key = 1, password = "password" } -EOF - - # Setup YubiHSM - tmkms yubihsm setup -c $TMKMS_HOME/tmkms.toml + # TODO: Allow users to edit config toml # Import the private validator key into tmkms for yubihsm (only if not already present) if ! tmkms yubihsm keys list | grep -q "0x0001:"; then 
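Review bot: Dropping `--build-arg BACKEND=yubihsm` leaves the image built with whatever default the Dockerfile sets (not visible here), while run.sh in this same series dispatches on `TMKMS_MODE=yubihsm` and calls `tmkms yubihsm keys list` and `keys import`; if the default backend does not compile in the yubihsm feature, those subcommands do not exist at runtime and the yubihsm branch fails at first use. The `# TODO: Use BACKEND=yubihsm build command arg` comment is left as-is, so how an operator is expected to select the backend stays undocumented; a note such as `# Pass --build-arg BACKEND=yubihsm through build_command_args to build an HSM-capable image` would make the expectation explicit.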
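Review bot: With the heredoc and `tmkms yubihsm setup` removed from the yubihsm branch, nothing in run.sh verifies that `$TMKMS_HOME/tmkms.toml` contains a `[[providers.yubihsm]]` section before `tmkms yubihsm keys list` (the context line at the end of this hunk) and the later `tmkms start` run; on a fresh volume the `tmkms init` earlier in the script (outside this hunk) leaves only a default toml, and the mismatch may surface as an opaque tmkms error or not at all. Replace the `# TODO: Allow users to edit config toml` placeholder with a fail-closed check, e.g. `grep -q '\[\[providers\.yubihsm\]\]' "$TMKMS_HOME/tmkms.toml" || { echo "TMKMS_MODE=yubihsm requires a tmkms.toml produced by setup-yubihsm.sh" >&2; exit 1; }`. The comment should also say what the operator is expected to run first (setup-yubihsm.sh) and that it must target the same TMKMS_HOME.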
diff --git a/stack-orchestrator/config/tmkms/setup-yubihsm.sh b/stack-orchestrator/config/tmkms/setup-yubihsm.sh
new file mode 100755
index 0000000..e600c0f
--- /dev/null
+++ b/stack-orchestrator/config/tmkms/setup-yubihsm.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [[ -n "$CERC_SCRIPT_DEBUG" ]]; then
+ set -x
+fi
+
+set -e
+
+TMKMS_HOME=/home/tmkmsuser/tmkms
+TMKMS_SECRETS_DIR=$TMKMS_HOME/secrets
+TMKMS_STATE_DIR=$TMKMS_HOME/state
+
+tmkms init $TMKMS_HOME
+
+cat < $TMKMS_HOME/tmkms.toml
+ [[chain]]
+ id = "$CHAIN_ID"
+ key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" }
+ state_file = "$TMKMS_STATE_DIR/priv_validator_state.json"
+
+ [[validator]]
+ chain_id = "$CHAIN_ID"
+ addr = "tcp://$NODE_IP:$NODE_PORT"
+ secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key"
+ protocol_version = "v0.34"
+ reconnect = true
+
+ [[providers.yubihsm]]
+ adapter = { type = "usb" }
+ auth = { key = 1, password = "$PASSWORD" }
+EOF
+
+tmkms yubihsm setup -c $TMKMS_HOME/tmkms.toml
-- 2.45.2
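Review bot: The script interpolates `$PASSWORD`, `$CHAIN_ID`, `$NODE_IP`, `$NODE_PORT` and `$KEY_PREFIX` into tmkms.toml without checking that any of them is set, and `set -e` does not catch unset variables, so an operator who forgets one gets a toml with an empty HSM password or chain id written silently; add `: "${PASSWORD:?PASSWORD must be set}"` and the same for the other four before the heredoc. The toml is created under the default umask, so the HSM password lands in a file readable by other users in the container, and with `CERC_SCRIPT_DEBUG` set the `set -x` trace echoes the expanded heredoc, password included, into the log; set `umask 077` and suspend tracing around the write, as sketched below. `tmkms yubihsm setup` is, to my understanding, a destructive factory reset that also replaces the authentication key this toml was just written with, so the script deserves a header comment saying it wipes the device and should be run once, not on each start, and ideally a confirmation prompt before the reset. `TMKMS_HOME=/home/tmkmsuser/tmkms` also differs from the `/root/tmkms` mount the compose file gives tmkms-data, so unless run.sh uses the same path (its assignment is not visible here) the config written by this script is not the one run.sh reads at start.
```shell
set -e

# `set -e` does not catch unset variables: refuse to write a toml with blank values.
: "${CHAIN_ID:?CHAIN_ID must be set}"
: "${NODE_IP:?NODE_IP must be set}"
: "${NODE_PORT:?NODE_PORT must be set}"
: "${KEY_PREFIX:?KEY_PREFIX must be set}"
: "${PASSWORD:?PASSWORD must be set}"

# … unchanged: TMKMS_* paths, tmkms init …

# tmkms.toml carries the HSM password: make it owner-only and keep it out of the xtrace log.
umask 077
set +x
# … unchanged: heredoc writing tmkms.toml …
if [[ -n "$CERC_SCRIPT_DEBUG" ]]; then
  set -x
fi
```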