* [ptxdist] [PATCH 0/3] code-signing: add provider support
@ 2026-04-22 14:58 Sascha Hauer
2026-04-22 14:58 ` [ptxdist] [PATCH 1/3] host-libp11: use correct path for ossl-modules Sascha Hauer
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Sascha Hauer @ 2026-04-22 14:58 UTC (permalink / raw)
To: ptxdist
OpenSSL engines have been deprecated for a long time. Add provider
support to the ptxdist code signing infrastructure.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Sascha Hauer (3):
host-libp11: use correct path for ossl-modules
Add host-pkcs11-provider
code-signing: enable provider support
platforms/code-signing.in | 1 +
rules/host-libp11.make | 1 +
rules/host-pkcs11-provider.in | 10 ++++++++++
rules/host-pkcs11-provider.make | 33 +++++++++++++++++++++++++++++++++
rules/host-softhsm.in | 1 +
rules/host-softhsm.make | 27 +++++++++++++++++++++++++++
rules/pre/010-code-signing.make | 2 +-
rules/pre/020-code-signing-softhsm.make | 3 ++-
8 files changed, 76 insertions(+), 2 deletions(-)
---
base-commit: 9e28c99dd6a5b30c578b75deb71bd82d41fda429
change-id: 20260422-code-signing-provider-394214622a4c
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>
* [ptxdist] [PATCH 1/3] host-libp11: use correct path for ossl-modules
From: Sascha Hauer @ 2026-04-22 14:58 UTC (permalink / raw)
To: ptxdist
Add --with-modulesdir=/usr/lib/ossl-modules. Without it the ossl-modules
end up in
$(PTXDIST_SYSROOT_HOST)/$(PTXDIST_SYSROOT_HOST)/usr/lib/ossl-modules
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
rules/host-libp11.make | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/host-libp11.make b/rules/host-libp11.make
index caeefdc01..bc544a114 100644
--- a/rules/host-libp11.make
+++ b/rules/host-libp11.make
@@ -29,6 +29,7 @@ HOST_LIBP11_CONF_OPT := \
--disable-pedantic \
--disable-api-doc \
--with-enginesdir=/usr/lib/engines-3 \
+ --with-modulesdir=/usr/lib/ossl-modules \
--with-pkcs11-module=
HOST_LIBP11_MAKE_PAR := NO
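Review bot: the added `--with-modulesdir=/usr/lib/ossl-modules` line addresses the doubled sysroot prefix described in the commit message, but the message only records the symptom; if the default is derived from OpenSSL's pkg-config modulesdir variable (which already carries the sysroot), saying so would spare the next reader a bisect. The same `/usr/lib/ossl-modules` path is hardcoded again in patch 3/3, where the generated openssl-pkcs11.cnf gets `module = $(PTXDIST_SYSROOT_HOST)/usr/lib/ossl-modules/pkcs11.so`, so a single make variable for the modules directory would keep the two from drifting apart.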
--
2.47.3
* [ptxdist] [PATCH 2/3] Add host-pkcs11-provider
From: Sascha Hauer @ 2026-04-22 14:58 UTC (permalink / raw)
To: ptxdist
Add host-pkcs11-provider in preparation to add provider support to the
ptxdist code signing infrastructure.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
rules/host-pkcs11-provider.in | 10 ++++++++++
rules/host-pkcs11-provider.make | 33 +++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/rules/host-pkcs11-provider.in b/rules/host-pkcs11-provider.in
new file mode 100644
index 000000000..7d37f401c
--- /dev/null
+++ b/rules/host-pkcs11-provider.in
@@ -0,0 +1,10 @@
+## SECTION=hosttools_noprompt
+
+config HOST_PKCS11_PROVIDER
+ tristate
+ default y if ALLYES
+ select HOST_MESON
+ select HOST_OPENSSL
+
+
+# vim: ft=kconfig tw=80
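Review bot: there are two consecutive blank lines before the `# vim:` modeline where other ptxdist .in files use one. More importantly, the option has no help text and neither this file nor the commit message says which pkcs11-provider project is being packaged or where it is fetched from; a short `help` block naming the upstream would make the dependency auditable.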
diff --git a/rules/host-pkcs11-provider.make b/rules/host-pkcs11-provider.make
new file mode 100644
index 000000000..658ee177d
--- /dev/null
+++ b/rules/host-pkcs11-provider.make
@@ -0,0 +1,33 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2026 by Sascha Hauer <s.hauer@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+HOST_PACKAGES-$(PTXCONF_HOST_PKCS11_PROVIDER) += host-pkcs11-provider
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+HOST_PKCS11_PROVIDER_CONF_ENV := \
+ $(HOST_ENV)
+
+#
+# meson
+#
+HOST_PKCS11_PROVIDER_CONF_TOOL := meson
+HOST_PKCS11_PROVIDER_CONF_OPT := \
+ $(HOST_MESON_OPT)
+
+$(STATEDIR)/host-pkcs11-provider.prepare:
+ @$(call targetinfo)
+ $(call world/prepare, HOST_PKCS11_PROVIDER)
+ @$(call touch)
+
+# vim: ft=make
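Review bot: the rule has no "Paths and names" block: HOST_PKCS11_PROVIDER_VERSION, _MD5, _URL, _SOURCE, _DIR and _LICENSE are all absent, so there is nothing for ptxdist to fetch, verify or extract and the meson prepare stage has no source directory to configure. Please add that block (with the md5 of the release tarball, so the download is integrity-checked like every other package). The explicit `$(STATEDIR)/host-pkcs11-provider.prepare` target at the end only repeats what the default prepare stage already does for `CONF_TOOL := meson` and can be dropped.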
--
2.47.3
* [ptxdist] [PATCH 3/3] code-signing: enable provider support
From: Sascha Hauer @ 2026-04-22 14:58 UTC (permalink / raw)
To: ptxdist
OpenSSL engines have long been deprecated. Add support for providers to
the ptxdist code signing infrastructure.
We add a custom openssl-pkcs11.cnf to specify
pkcs11-module-block-operations = digest. The reason is that softhsm2
itself uses OpenSSL for digesting. Without this option, softhsm would end
up calling itself via OpenSSL, resulting in a deadlock. Now that we have
a custom config already, we also use it to specify the path to the pkcs11
module.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
platforms/code-signing.in | 1 +
rules/host-softhsm.in | 1 +
rules/host-softhsm.make | 27 +++++++++++++++++++++++++++
rules/pre/010-code-signing.make | 2 +-
rules/pre/020-code-signing-softhsm.make | 3 ++-
5 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/platforms/code-signing.in b/platforms/code-signing.in
index 81f9ef6f3..a20982f20 100644
--- a/platforms/code-signing.in
+++ b/platforms/code-signing.in
@@ -4,6 +4,7 @@ menuconfig CODE_SIGNING
bool
select VIRTUAL
select HOST_LIBP11
+ select HOST_PKCS11_PROVIDER
prompt "Code signing "
help
This option enables the ptxdist signing infrastructure.
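Review bot: with this select every code-signing configuration now builds both the engine (HOST_LIBP11) and the provider, but the help text directly below still only says that it "enables the ptxdist signing infrastructure". A sentence stating that both an OpenSSL engine and an OpenSSL provider are set up, and which environment variables each one is driven by (SO_PATH/OPENSSL_ENGINES versus OPENSSL_CONF/PKCS11_PROVIDER_MODULE), would tell users which of the two their signing scripts are actually using.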
diff --git a/rules/host-softhsm.in b/rules/host-softhsm.in
index 160f4b598..dfa1e3c8e 100644
--- a/rules/host-softhsm.in
+++ b/rules/host-softhsm.in
@@ -4,6 +4,7 @@ config HOST_SOFTHSM
tristate
select HOST_P11_KIT
select HOST_OPENSSL
+ select HOST_PKCS11_PROVIDER
select HOST_SQLITE
default y if ALLYES
help
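Review bot: the new select is only needed because host-softhsm.install in this patch writes a config file that names the provider's pkcs11.so, and that coupling is invisible from the Kconfig; a one-line comment above the select (for instance "install stage generates openssl-pkcs11.cnf") would explain it. It is also worth considering whether that generated file belongs to the code-signing rules rather than to softhsm, since CODE_SIGNING_ENV consumes it whether or not softhsm is the PKCS#11 backend.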
diff --git a/rules/host-softhsm.make b/rules/host-softhsm.make
index 67d9c5ab8..613a42b42 100644
--- a/rules/host-softhsm.make
+++ b/rules/host-softhsm.make
@@ -30,4 +30,31 @@ HOST_SOFTHSM_CONF_OPT := \
HOST_SOFTHSM_CPPFLAGS := \
-DDEBUG_LOG_STDERR=1
+# ----------------------------------------------------------------------------
+# Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/host-softhsm.install:
+ @$(call targetinfo)
+ @$(call world/install, HOST_SOFTHSM)
+ @{ \
+ echo 'openssl_conf = openssl_init'; \
+ echo ''; \
+ echo '[openssl_init]'; \
+ echo 'providers = provider_sect'; \
+ echo ''; \
+ echo '[provider_sect]'; \
+ echo 'default = default_sect'; \
+ echo 'pkcs11 = pkcs11_sect'; \
+ echo ''; \
+ echo '[default_sect]'; \
+ echo 'activate = 1'; \
+ echo ''; \
+ echo '[pkcs11_sect]'; \
+ echo "module = $(PTXDIST_SYSROOT_HOST)/usr/lib/ossl-modules/pkcs11.so"; \
+ echo 'activate = 1'; \
+ echo 'pkcs11-module-block-operations = digest'; \
+ } > $(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf
+ @$(call touch)
+
# vim: syntax=make
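Review bot: the `pkcs11-module-block-operations = digest` line is the whole reason this custom config exists (softhsm2 digests through OpenSSL, so an unblocked digest request would re-enter softhsm and deadlock), yet neither the recipe nor the generated file records that; add a `#` comment in the recipe, or echo a comment line into the cnf, so the line is not removed as apparently redundant later. Two smaller points: the generated file bakes in an absolute `module =` path, so the host sysroot is no longer relocatable once this runs (consistent with the absolute OPENSSL_ENGINES path already in CODE_SIGNING_ENV, but worth stating), and the file is produced only when host-softhsm is installed although nothing in its content is softhsm-specific.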
diff --git a/rules/pre/010-code-signing.make b/rules/pre/010-code-signing.make
index 6141a7b19..238f37934 100644
--- a/rules/pre/010-code-signing.make
+++ b/rules/pre/010-code-signing.make
@@ -8,7 +8,7 @@
CODE_SIGNING_ENV = \
SO_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3/pkcs11.so \
- OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl.cnf" \
+ OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf" \
OPENSSL_ENGINES="$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3"
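Review bot: OPENSSL_CONF now points unconditionally at openssl-pkcs11.cnf, but in this series that file is only created by host-softhsm.install. CODE_SIGNING can be enabled without HOST_SOFTHSM (020-code-signing-softhsm.make guards its additions with `ifdef PTXCONF_HOST_SOFTHSM`), and in that configuration every signing call hands OpenSSL a config path that does not exist. Either generate the provider config from a code-signing rule, where the `module =` path is known independently of the backend, or only override OPENSSL_CONF when the file is present.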
#
diff --git a/rules/pre/020-code-signing-softhsm.make b/rules/pre/020-code-signing-softhsm.make
index 62e3ab331..3f1307ca9 100644
--- a/rules/pre/020-code-signing-softhsm.make
+++ b/rules/pre/020-code-signing-softhsm.make
@@ -9,7 +9,8 @@
ifdef PTXCONF_HOST_SOFTHSM
SOFTHSM_CODE_SIGNING_ENV = \
SOFTHSM2_CONF="$(PTXDIST_SYSROOT_HOST)/etc/softhsm2.conf" \
- PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
+ PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so \
+ PKCS11_PROVIDER_MODULE=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
CODE_SIGNING_ENV += \
$(SOFTHSM_CODE_SIGNING_ENV)
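Review bot: `PKCS11_MODULE_PATH` and the new `PKCS11_PROVIDER_MODULE` now carry the same libsofthsm2.so path; set it once in a make variable and reference it twice so the engine and the provider cannot be pointed at different modules. The commit message should also say that the provider is meant to find its PKCS#11 module through this environment variable, since the generated openssl-pkcs11.cnf deliberately sets no `pkcs11-module-path`; a reader of the cnf alone cannot see where the module comes from.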
--
2.47.3
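The deadlock described in the commit message above is avoided only as long as the `pkcs11-module-block-operations = digest` line survives in the generated config. The following is an added example, not part of the patch series or of ptxdist: a small Python check that parses an OpenSSL provider config of the shape written by host-softhsm.install and reports when the pkcs11 provider is not activated, points at an unexpected module, or does not block digest operations. The sysroot path in the sample is a constructed placeholder; the block-operations value is accepted as a comma- or whitespace-separated list.

```python
"""Sanity-check a generated OpenSSL provider config such as the
openssl-pkcs11.cnf written by host-softhsm.install.

Added example, not part of the ptxdist patch series. The sysroot path
below is a constructed placeholder, not a real build directory."""
from __future__ import annotations

import re

# Constructed sample: the same layout the ptxdist recipe generates.
SAMPLE_OK = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
module = /placeholder-sysroot-host/usr/lib/ossl-modules/pkcs11.so
activate = 1
pkcs11-module-block-operations = digest
"""

# Same config without the block-operations line: softhsm2 digests via
# OpenSSL, so a digest routed into the provider would re-enter softhsm.
SAMPLE_MISSING_BLOCK = SAMPLE_OK.replace(
    "pkcs11-module-block-operations = digest\n", "")


def parse_cnf(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for the subset of OpenSSL CONF syntax used here:
    `[section]` headers and `key = value` lines. Keys that appear before
    the first header are stored under the pseudo-section ''."""
    sections: dict[str, dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def check_provider_config(text: str,
                          expect_module_dir: str = "/usr/lib/ossl-modules/") -> list[str]:
    """Return a list of findings; an empty list means the config looks sane."""
    findings: list[str] = []
    cfg = parse_cnf(text)
    # Follow openssl_conf -> [openssl_init] -> providers -> [provider_sect].
    init_name = cfg[""].get("openssl_conf")
    init = cfg.get(init_name) if init_name else None
    if init is None:
        return ["no openssl_conf/openssl_init section"]
    prov_name = init.get("providers")
    providers = cfg.get(prov_name) if prov_name else None
    if providers is None:
        return ["openssl_init has no providers section"]
    for name, sect_name in providers.items():
        sect = cfg.get(sect_name)
        if sect is None:
            findings.append(f"provider {name}: section [{sect_name}] missing")
            continue
        if sect.get("activate") != "1":
            findings.append(f"provider {name}: not activated")
        if name == "pkcs11":
            module = sect.get("module", "")
            if expect_module_dir not in module or not module.endswith("pkcs11.so"):
                findings.append(f"provider pkcs11: unexpected module path {module!r}")
            blocked = re.split(r"[,\s]+",
                               sect.get("pkcs11-module-block-operations", ""))
            if "digest" not in blocked:
                findings.append("provider pkcs11: digest not blocked; "
                                "a softhsm2 backend may deadlock via OpenSSL")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("missing-block", SAMPLE_MISSING_BLOCK)):
        print(label, check_provider_config(sample) or "no findings")
```

Run it against the real file with `check_provider_config(open(path).read())`; an empty result means the three properties the patch relies on (provider activated, module under ossl-modules, digest blocked) all hold.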
* Re: [ptxdist] [PATCH 2/3] Add host-pkcs11-provider
From: Sascha Hauer @ 2026-04-23 7:50 UTC (permalink / raw)
To: ptxdist
On Wed, Apr 22, 2026 at 04:58:40PM +0200, Sascha Hauer wrote:
> Add host-pkcs11-provider in preparation to add provider support to the
> ptxdist code signing infrastructure.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
> rules/host-pkcs11-provider.in | 10 ++++++++++
> rules/host-pkcs11-provider.make | 33 +++++++++++++++++++++++++++++++++
> 2 files changed, 43 insertions(+)
>
> diff --git a/rules/host-pkcs11-provider.in b/rules/host-pkcs11-provider.in
> new file mode 100644
> index 000000000..7d37f401c
> --- /dev/null
> +++ b/rules/host-pkcs11-provider.in
> @@ -0,0 +1,10 @@
> +## SECTION=hosttools_noprompt
> +
> +config HOST_PKCS11_PROVIDER
> + tristate
> + default y if ALLYES
> + select HOST_MESON
> + select HOST_OPENSSL
> +
> +
> +# vim: ft=kconfig tw=80
> diff --git a/rules/host-pkcs11-provider.make b/rules/host-pkcs11-provider.make
> new file mode 100644
> index 000000000..658ee177d
> --- /dev/null
> +++ b/rules/host-pkcs11-provider.make
> @@ -0,0 +1,33 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2026 by Sascha Hauer <s.hauer@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +HOST_PACKAGES-$(PTXCONF_HOST_PKCS11_PROVIDER) += host-pkcs11-provider
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +HOST_PKCS11_PROVIDER_CONF_ENV := \
> + $(HOST_ENV)
> +
> +#
> +# meson
> +#
> +HOST_PKCS11_PROVIDER_CONF_TOOL := meson
> +HOST_PKCS11_PROVIDER_CONF_OPT := \
> + $(HOST_MESON_OPT)
> +
> +$(STATEDIR)/host-pkcs11-provider.prepare:
> + @$(call targetinfo)
> + $(call world/prepare, HOST_PKCS11_PROVIDER)
> + @$(call touch)
These four lines can be removed; I only had them for debugging and forgot
to remove them.
Sascha
--
Pengutronix e.K.                 |                              |
Steuerwalder Str. 21             | http://www.pengutronix.de/   |
31137 Hildesheim, Germany        | Phone: +49-5121-206917-0     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555  |