Running these tests requires a YubiHSM. The user running the tests also needs to have permission to use the device. On Ubuntu this can be achieved by adding the user to the dialout group.

Setup the device

Initialize the YubiHSM by holding down the button on it while it is inserted into a USB port. The YubiHSM should blink slowly to indicate configuration mode. Connect to the serial interface of the device and enter the following commands:

HSM (keys not decrypted)> zap <enter>
Confirm current config being erased (type yes) yes <enter> - wait - done
NO_CFG> hsm ffffffff <enter>
Enter cfg password (g to generate) <enter>
Enter admin Yubikey public id 001/008 (enter when done) <enter>
Enter master key (g to generate)  <enter>
Confirm current config being erased (type yes) yes <enter> - wait - done
HSM (keys changed)> keycommit <enter> - Done
HSM> exit <enter>

You should now be ready to run the tests.

Running the tests

To run the tests, have a device configured as described above, then run:

YHSM_ZAP=1 python setup.py test

Note that subsequent testruns can omit YHSM_ZAP=1 to skip the initial HSM device configuration, however each testrun that doesn’t reset the device configuration will take longer and longer to complete, until the next configuration reset. This is due to the admin YubiKey OTP counters being incremented on each run, and not stored anywhere, requiring looping to find the correct value. It is also possible to just reset the configuration, without running the tests:

python -m test.configure_hsm