The following issues are known to affect the current release.
VM USB redirection may function inconsistently, particularly in Windows environments.
The yubihsm-shell utility is limited to reading 4096 bytes in a single command.
Yubihsm-shell when invoked in Command-Line mode (CLI) does not implement the following commands (actions):
put-option
put-hmac
put-otp-aead-key
sign-hmac
benchmark
otp-aead-create
otp-decrypt
version
decrypt-oaep
sign-eddsa
encrypt-aesccm
decrypt-aesccm
Restore for non-shared Wrap Keys is currently not supported in yubihsm-setup.
Attestation currently does not support ed25519 keys.
Currently yubihsm-wrap correctly wraps the following Object Types:
Authentication Key
Wrap Key
Asymmetric Key
HMAC Key
The tool uses a catch-all for the rest which may not be correct.
The PKCS#11 module only supports symmetric encryption with CKM_YUBICO_AES_CCM_WRAP. Support for CKK_AES or CKM_AES_CBC was added in firmware version 2.3 and yubihsm-shell 2.4.0
CKA_ID can only be two bytes long on the device and is therefore truncated to that length. Support for longer values is introduced in version 2.4.0 via the use of Meta Objects (See PKCS#11 wiht JAVA in PKCS#11 with YubiHSM 2)
CKA_LABEL is maximum 40 bytes. Support for longer values is introduced in version 2.4.0 via the use of Meta Objects (See PKCS#11 wiht JAVA in PKCS#11 with YubiHSM 2)
C_InitPIN(), C_SetPIN() and C_InitToken() are not supported. Equivalent operations have to be done through other interfaces (e.g., yubihsm-shell).
C_CopyObject() is not supported. Objects are never modifiable after creation
C_SetAttributeValue() can only be used to set CKA_ID or CKA_LABEL on an object via the use of Meta Objects with version 2.4.0 or later (See PKCS#11 wiht JAVA in PKCS#11 with YubiHSM 2). Prior to 2.4.0, C_SetAttributeValue could only be used to set the same CKA_ID or CKA_LABEL on an object, not to change it.
EdDSA signing, including Ed22519, is limited to the size of one message to the YubiHSM: 2019 bytes.