* [ptxdist] [PATCH v2 0/3] code-signing: add provider support
From: Sascha Hauer @ 2026-04-23 9:25 UTC (permalink / raw)
To: ptxdist
openssl engines have been deprecated for a long time. Add provider
support to the ptxdist code signing infrastructure.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Changes in v2:
- Add patch for pkcs11-provider to install pkcs11.so in correct directory
- remove debug prepare stage in rules/host-pkcs11-provider.in
- Link to v1: https://lore.kernel.org/r/20260422-code-signing-provider-v1-0-ce986114c54d@pengutronix.de
---
Sascha Hauer (3):
host-libp11: use correct path for ossl-modules
Add host-pkcs11-provider
code-signing: enable provider support
...x-provider-installation-path-with-DESTDIR.patch | 36 ++++++++++++++++++++++
patches/pkcs11-provider-0.6/series | 1 +
platforms/code-signing.in | 1 +
rules/host-libp11.make | 1 +
rules/host-pkcs11-provider.in | 10 ++++++
rules/host-pkcs11-provider.make | 28 +++++++++++++++++
rules/host-softhsm.in | 1 +
rules/host-softhsm.make | 27 ++++++++++++++++
rules/pre/010-code-signing.make | 2 +-
rules/pre/020-code-signing-softhsm.make | 3 +-
10 files changed, 108 insertions(+), 2 deletions(-)
---
base-commit: 9e28c99dd6a5b30c578b75deb71bd82d41fda429
change-id: 20260422-code-signing-provider-394214622a4c
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>
* [ptxdist] [PATCH v2 1/3] host-libp11: use correct path for ossl-modules
From: Sascha Hauer @ 2026-04-23 9:25 UTC (permalink / raw)
To: ptxdist
add --with-modulesdir=/usr/lib/ossl-modules. Without it the ossl-modules
end up in
$(PTXDIST_SYSROOT_HOST)/$(PTXDIST_SYSROOT_HOST)/usr/lib/ossl-modules
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
rules/host-libp11.make | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/host-libp11.make b/rules/host-libp11.make
index caeefdc01..bc544a114 100644
--- a/rules/host-libp11.make
+++ b/rules/host-libp11.make
@@ -29,6 +29,7 @@ HOST_LIBP11_CONF_OPT := \
--disable-pedantic \
--disable-api-doc \
--with-enginesdir=/usr/lib/engines-3 \
+ --with-modulesdir=/usr/lib/ossl-modules \
--with-pkcs11-module=
HOST_LIBP11_MAKE_PAR := NO
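Review bot: the added `--with-modulesdir=/usr/lib/ossl-modules` line, like `--with-enginesdir=/usr/lib/engines-3` above it, pins a path without any comment in the rule file saying why. The commit message records the symptom (modules landing under a doubled $(PTXDIST_SYSROOT_HOST) path), but that is not visible to someone editing HOST_LIBP11_CONF_OPT later. A one-line comment above the two options would keep them from being dropped as apparent defaults.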
--
2.47.3
* [ptxdist] [PATCH v2 2/3] Add host-pkcs11-provider
From: Sascha Hauer @ 2026-04-23 9:25 UTC (permalink / raw)
To: ptxdist
Add host-pkcs11-provider in preparation to add provider support to the
ptxdist code signing infrastructure.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
...x-provider-installation-path-with-DESTDIR.patch | 36 ++++++++++++++++++++++
patches/pkcs11-provider-0.6/series | 1 +
rules/host-pkcs11-provider.in | 10 ++++++
rules/host-pkcs11-provider.make | 28 +++++++++++++++++
4 files changed, 75 insertions(+)
diff --git a/patches/pkcs11-provider-0.6/0001-meson-fix-provider-installation-path-with-DESTDIR.patch b/patches/pkcs11-provider-0.6/0001-meson-fix-provider-installation-path-with-DESTDIR.patch
new file mode 100644
index 000000000..b75132ea3
--- /dev/null
+++ b/patches/pkcs11-provider-0.6/0001-meson-fix-provider-installation-path-with-DESTDIR.patch
@@ -0,0 +1,36 @@
+From fbbb2835505f45cc84c17def5bd0e9d0fc7fb271 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Thu, 23 Apr 2026 11:08:17 +0200
+Subject: [PATCH] meson: fix provider installation path with DESTDIR
+
+provider_path is set from the modulesdir pkg-config variable, which
+expands to an absolute path with the prefix baked in. When meson
+installs with DESTDIR set, it prepends DESTDIR to this absolute path,
+resulting in a doubled prefix in the install location.
+
+Fix this by passing pkgconfig_define to override ${prefix} during
+variable expansion, so modulesdir is re-evaluated relative to the
+current meson --prefix rather than whatever was recorded in the .pc
+file at the time OpenSSL was installed.
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+---
+ meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index b3912cb..f54b52f 100644
+--- a/meson.build
++++ b/meson.build
+@@ -46,7 +46,7 @@ conf.set('PACKAGE_MAJOR', major_version)
+ conf.set('PACKAGE_MINOR', minor_version)
+
+ libcrypto = dependency('libcrypto', version: '>= 3.0.7')
+-provider_path = libcrypto.get_variable(pkgconfig: 'modulesdir')
++provider_path = libcrypto.get_variable(pkgconfig: 'modulesdir', pkgconfig_define: ['prefix', get_option('prefix')])
+ libssl = dependency('libssl', version: '>= 3.0.7')
+
+ host_system = host_machine.system()
+--
+2.47.3
+
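Review bot: the `pkgconfig_define: ['prefix', get_option('prefix')]` override in the meson.build hunk gives the right directory only when `modulesdir` in libcrypto.pc is written in terms of `${prefix}` and pkcs11-provider shares its prefix with OpenSSL. If the prefixes differ, the provider is installed into a directory OpenSSL does not search by default. The embedded commit message should state that assumption, and the patch header could note whether the change has been sent upstream.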
diff --git a/patches/pkcs11-provider-0.6/series b/patches/pkcs11-provider-0.6/series
new file mode 100644
index 000000000..9750a31a6
--- /dev/null
+++ b/patches/pkcs11-provider-0.6/series
@@ -0,0 +1 @@
+0001-meson-fix-provider-installation-path-with-DESTDIR.patch
diff --git a/rules/host-pkcs11-provider.in b/rules/host-pkcs11-provider.in
new file mode 100644
index 000000000..7d37f401c
--- /dev/null
+++ b/rules/host-pkcs11-provider.in
@@ -0,0 +1,10 @@
+## SECTION=hosttools_noprompt
+
+config HOST_PKCS11_PROVIDER
+ tristate
+ default y if ALLYES
+ select HOST_MESON
+ select HOST_OPENSSL
+
+
+# vim: ft=kconfig tw=80
diff --git a/rules/host-pkcs11-provider.make b/rules/host-pkcs11-provider.make
new file mode 100644
index 000000000..f634e662b
--- /dev/null
+++ b/rules/host-pkcs11-provider.make
@@ -0,0 +1,28 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2026 by Sascha Hauer <s.hauer@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+HOST_PACKAGES-$(PTXCONF_HOST_PKCS11_PROVIDER) += host-pkcs11-provider
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+HOST_PKCS11_PROVIDER_CONF_ENV := \
+ $(HOST_ENV)
+
+#
+# meson
+#
+HOST_PKCS11_PROVIDER_CONF_TOOL := meson
+HOST_PKCS11_PROVIDER_CONF_OPT := \
+ $(HOST_MESON_OPT)
+
+# vim: ft=make
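Review bot: nothing in rules/host-pkcs11-provider.make sets a version, source URL, checksum or license, so the rule depends on those being defined somewhere else. The patch directory name `pkcs11-provider-0.6` hints at an existing package rule, but neither this file nor the commit message names it. Please say in the commit message (or a comment at the top of the file) which rule the host package inherits these values from.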
--
2.47.3
* [ptxdist] [PATCH v2 3/3] code-signing: enable provider support
From: Sascha Hauer @ 2026-04-23 9:25 UTC (permalink / raw)
To: ptxdist
openssl engines have long been deprecated. Add support for provider to
the ptxdist code signing infrastructure.
We add a custom openssl-pkcs11.cnf to specify
pkcs11-module-block-operations = digest. The reason is that softhsm2
itself uses openssl for digesting. Without this option softhsm would end
up calling itself via openssl resulting in a deadlock. Now that we have
a custom config already we also use it to specify the path to the pkcs11
module.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
platforms/code-signing.in | 1 +
rules/host-softhsm.in | 1 +
rules/host-softhsm.make | 27 +++++++++++++++++++++++++++
rules/pre/010-code-signing.make | 2 +-
rules/pre/020-code-signing-softhsm.make | 3 ++-
5 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/platforms/code-signing.in b/platforms/code-signing.in
index 81f9ef6f3..a20982f20 100644
--- a/platforms/code-signing.in
+++ b/platforms/code-signing.in
@@ -4,6 +4,7 @@ menuconfig CODE_SIGNING
bool
select VIRTUAL
select HOST_LIBP11
+ select HOST_PKCS11_PROVIDER
prompt "Code signing "
help
This option enables the ptxdist signing infrastructure.
diff --git a/rules/host-softhsm.in b/rules/host-softhsm.in
index 160f4b598..dfa1e3c8e 100644
--- a/rules/host-softhsm.in
+++ b/rules/host-softhsm.in
@@ -4,6 +4,7 @@ config HOST_SOFTHSM
tristate
select HOST_P11_KIT
select HOST_OPENSSL
+ select HOST_PKCS11_PROVIDER
select HOST_SQLITE
default y if ALLYES
help
diff --git a/rules/host-softhsm.make b/rules/host-softhsm.make
index 67d9c5ab8..613a42b42 100644
--- a/rules/host-softhsm.make
+++ b/rules/host-softhsm.make
@@ -30,4 +30,31 @@ HOST_SOFTHSM_CONF_OPT := \
HOST_SOFTHSM_CPPFLAGS := \
-DDEBUG_LOG_STDERR=1
+# ----------------------------------------------------------------------------
+# Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/host-softhsm.install:
+ @$(call targetinfo)
+ @$(call world/install, HOST_SOFTHSM)
+ @{ \
+ echo 'openssl_conf = openssl_init'; \
+ echo ''; \
+ echo '[openssl_init]'; \
+ echo 'providers = provider_sect'; \
+ echo ''; \
+ echo '[provider_sect]'; \
+ echo 'default = default_sect'; \
+ echo 'pkcs11 = pkcs11_sect'; \
+ echo ''; \
+ echo '[default_sect]'; \
+ echo 'activate = 1'; \
+ echo ''; \
+ echo '[pkcs11_sect]'; \
+ echo "module = $(PTXDIST_SYSROOT_HOST)/usr/lib/ossl-modules/pkcs11.so"; \
+ echo 'activate = 1'; \
+ echo 'pkcs11-module-block-operations = digest'; \
+ } > $(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf
+ @$(call touch)
+
# vim: syntax=make
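Review bot: the `echo 'pkcs11-module-block-operations = digest'` line in the install stage has no comment, and the reason it exists (softhsm2 digests through openssl and would otherwise call back into itself and deadlock) is recorded only in the commit message. Add a short comment above the `echo` block, or emit a `#` comment line into openssl-pkcs11.cnf itself, so the option is not removed later as apparently redundant. The redirect into `$(PTXDIST_SYSROOT_HOST)/usr/ssl/` also relies on that directory already existing after `world/install`.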
diff --git a/rules/pre/010-code-signing.make b/rules/pre/010-code-signing.make
index 6141a7b19..238f37934 100644
--- a/rules/pre/010-code-signing.make
+++ b/rules/pre/010-code-signing.make
@@ -8,7 +8,7 @@
CODE_SIGNING_ENV = \
SO_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3/pkcs11.so \
- OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl.cnf" \
+ OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf" \
OPENSSL_ENGINES="$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3"
#
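Review bot: `OPENSSL_CONF` in CODE_SIGNING_ENV now points at openssl-pkcs11.cnf unconditionally, but the only place this series creates that file is the host-softhsm install stage. Unless HOST_SOFTHSM is guaranteed to be built whenever CODE_SIGNING is enabled, a BSP that signs with a different PKCS#11 module ends up with OPENSSL_CONF naming a file that was never written. Generating the file from a package that CODE_SIGNING itself selects, or making this assignment conditional, would close that gap.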
diff --git a/rules/pre/020-code-signing-softhsm.make b/rules/pre/020-code-signing-softhsm.make
index 62e3ab331..3f1307ca9 100644
--- a/rules/pre/020-code-signing-softhsm.make
+++ b/rules/pre/020-code-signing-softhsm.make
@@ -9,7 +9,8 @@
ifdef PTXCONF_HOST_SOFTHSM
SOFTHSM_CODE_SIGNING_ENV = \
SOFTHSM2_CONF="$(PTXDIST_SYSROOT_HOST)/etc/softhsm2.conf" \
- PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
+ PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so \
+ PKCS11_PROVIDER_MODULE=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
CODE_SIGNING_ENV += \
$(SOFTHSM_CODE_SIGNING_ENV)
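Review bot: the new `PKCS11_PROVIDER_MODULE` line repeats exactly the libsofthsm2.so path already given to `PKCS11_MODULE_PATH` one line above, so the path is now maintained in two places. Put the path in one variable and reference it from both assignments, and add a comment saying which consumer reads which variable, so the duplication is understood rather than cleaned up by mistake.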
--
2.47.3
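The provider configuration described in the commit message above, checked by a small lint script. This is an added example, not part of the patch series or of ptxdist; the function names (`cnf_get`, `check_pkcs11_cnf`, `write_sample`), the return codes and the assumed list syntax of `pkcs11-module-block-operations` are this example's own.

```shell
#!/bin/sh
# Added example (not from the patch series): lint an OpenSSL provider config
# shaped like the generated openssl-pkcs11.cnf before it is used for signing.

# cnf_get FILE SECTION KEY: print the value of KEY in [SECTION] ("" = top level).
cnf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ {                       # section header: remember the name
            cur = $0
            sub(/^[ \t]*\[[ \t]*/, "", cur); sub(/[ \t]*\].*$/, "", cur)
            next
        }
        cur == sect {
            line = $0; sub(/#.*/, "", line)  # drop comments
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_pkcs11_cnf FILE: 0 = ok, 1 = no pkcs11 section, 2 = not activated,
# 3 = provider module file missing, 4 = digest not blocked (deadlock risk).
check_pkcs11_cnf() {
    cnf=$1
    init=$(cnf_get "$cnf" "" openssl_conf)
    provs=$(cnf_get "$cnf" "$init" providers)
    sect=$(cnf_get "$cnf" "$provs" pkcs11)
    [ -n "$sect" ] || { echo "$cnf: no pkcs11 provider section" >&2; return 1; }
    [ "$(cnf_get "$cnf" "$sect" activate)" = 1 ] ||
        { echo "$cnf: pkcs11 provider not activated" >&2; return 2; }
    mod=$(cnf_get "$cnf" "$sect" module)
    [ -f "$mod" ] || { echo "$cnf: module '$mod' not found" >&2; return 3; }
    # Assumption: the option value is a list separated by commas or blanks.
    ops=$(cnf_get "$cnf" "$sect" pkcs11-module-block-operations | tr ',' ' ')
    case " $ops " in
        *" digest "*) return 0 ;;
        *) echo "$cnf: digest not blocked for the pkcs11 provider" >&2; return 4 ;;
    esac
}

# Constructed sample: the config from the patch; MODULE is a caller-chosen path.
# write_sample FILE MODULE [EXTRA_LINE]
write_sample() {
    printf '%s\n' 'openssl_conf = openssl_init' '' '[openssl_init]' \
        'providers = provider_sect' '' '[provider_sect]' \
        'default = default_sect' 'pkcs11 = pkcs11_sect' '' \
        '[default_sect]' 'activate = 1' '' '[pkcs11_sect]' \
        "module = $2" 'activate = 1' ${3:+"$3"} > "$1"
}

# Usage: sh check-cnf.sh "$PTXDIST_SYSROOT_HOST/usr/ssl/openssl-pkcs11.cnf"
if [ $# -gt 0 ]; then check_pkcs11_cnf "$1"; fi
```
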
* Re: [ptxdist] [PATCH v2 0/3] code-signing: add provider support
From: Thorsten Scherer @ 2026-04-23 10:51 UTC (permalink / raw)
To: Sascha Hauer; +Cc: ptxdist
Hello Sascha,
On Thu, Apr 23, 2026 at 11:25:45AM +0200, Sascha Hauer wrote:
> openssl engines have been deprecated for a long time. Add provider
> support to the ptxdist code signing infrastructure.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
> Changes in v2:
> - Add patch for pkcs11-provider to install pkcs11.so in correct directory
> - remove debug prepare stage in rules/host-pkcs11-provider.in
> - Link to v1: https://lore.kernel.org/r/20260422-code-signing-provider-v1-0-ce986114c54d@pengutronix.de
Nit: ^ lore.ptxdist.org
>
> ---
> Sascha Hauer (3):
> host-libp11: use correct path for ossl-modules
> Add host-pkcs11-provider
> code-signing: enable provider support
>
> ...x-provider-installation-path-with-DESTDIR.patch | 36 ++++++++++++++++++++++
> patches/pkcs11-provider-0.6/series | 1 +
> platforms/code-signing.in | 1 +
> rules/host-libp11.make | 1 +
> rules/host-pkcs11-provider.in | 10 ++++++
> rules/host-pkcs11-provider.make | 28 +++++++++++++++++
> rules/host-softhsm.in | 1 +
> rules/host-softhsm.make | 27 ++++++++++++++++
> rules/pre/010-code-signing.make | 2 +-
> rules/pre/020-code-signing-softhsm.make | 3 +-
> 10 files changed, 108 insertions(+), 2 deletions(-)
> ---
> base-commit: 9e28c99dd6a5b30c578b75deb71bd82d41fda429
> change-id: 20260422-code-signing-provider-394214622a4c
>
> Best regards,
> --
> Sascha Hauer <s.hauer@pengutronix.de>
>
>
Best regards
Thorsten
* Re: [ptxdist] [PATCH v2 3/3] code-signing: enable provider support
From: Michael Olbrich @ 2026-04-24 7:12 UTC (permalink / raw)
To: Sascha Hauer; +Cc: ptxdist
On Thu, Apr 23, 2026 at 11:25:48AM +0200, Sascha Hauer wrote:
> openssl engines have long been deprecated. Add support for provider to
> the ptxdist code signing infrastructure.
>
> We add a custom openssl-pkcs11.cnf to specify
> pkcs11-module-block-operations = digest. The reason is that softhsm2
> itself uses openssl for digesting. Without this option softhsm would end
> up calling itself via openssl resulting in a deadlock. Now that we have
> a custom config already we also use it to specify the path to the pkcs11
> module.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
> platforms/code-signing.in | 1 +
> rules/host-softhsm.in | 1 +
> rules/host-softhsm.make | 27 +++++++++++++++++++++++++++
> rules/pre/010-code-signing.make | 2 +-
> rules/pre/020-code-signing-softhsm.make | 3 ++-
> 5 files changed, 32 insertions(+), 2 deletions(-)
>
> diff --git a/platforms/code-signing.in b/platforms/code-signing.in
> index 81f9ef6f3..a20982f20 100644
> --- a/platforms/code-signing.in
> +++ b/platforms/code-signing.in
> @@ -4,6 +4,7 @@ menuconfig CODE_SIGNING
> bool
> select VIRTUAL
> select HOST_LIBP11
> + select HOST_PKCS11_PROVIDER
> prompt "Code signing "
> help
> This option enables the ptxdist signing infrastructure.
> diff --git a/rules/host-softhsm.in b/rules/host-softhsm.in
> index 160f4b598..dfa1e3c8e 100644
> --- a/rules/host-softhsm.in
> +++ b/rules/host-softhsm.in
> @@ -4,6 +4,7 @@ config HOST_SOFTHSM
> tristate
> select HOST_P11_KIT
> select HOST_OPENSSL
> + select HOST_PKCS11_PROVIDER
> select HOST_SQLITE
> default y if ALLYES
> help
> diff --git a/rules/host-softhsm.make b/rules/host-softhsm.make
> index 67d9c5ab8..613a42b42 100644
> --- a/rules/host-softhsm.make
> +++ b/rules/host-softhsm.make
> @@ -30,4 +30,31 @@ HOST_SOFTHSM_CONF_OPT := \
> HOST_SOFTHSM_CPPFLAGS := \
> -DDEBUG_LOG_STDERR=1
>
> +# ----------------------------------------------------------------------------
> +# Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/host-softhsm.install:
> + @$(call targetinfo)
> + @$(call world/install, HOST_SOFTHSM)
> + @{ \
> + echo 'openssl_conf = openssl_init'; \
> + echo ''; \
> + echo '[openssl_init]'; \
> + echo 'providers = provider_sect'; \
> + echo ''; \
> + echo '[provider_sect]'; \
> + echo 'default = default_sect'; \
> + echo 'pkcs11 = pkcs11_sect'; \
> + echo ''; \
> + echo '[default_sect]'; \
> + echo 'activate = 1'; \
> + echo ''; \
> + echo '[pkcs11_sect]'; \
> + echo "module = $(PTXDIST_SYSROOT_HOST)/usr/lib/ossl-modules/pkcs11.so"; \
This breaks devpkgs, but I can do a followup patch to fix that.
> + echo 'activate = 1'; \
> + echo 'pkcs11-module-block-operations = digest'; \
> + } > $(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf
> + @$(call touch)
> +
> # vim: syntax=make
> diff --git a/rules/pre/010-code-signing.make b/rules/pre/010-code-signing.make
> index 6141a7b19..238f37934 100644
> --- a/rules/pre/010-code-signing.make
> +++ b/rules/pre/010-code-signing.make
> @@ -8,7 +8,7 @@
>
> CODE_SIGNING_ENV = \
> SO_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3/pkcs11.so \
> - OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl.cnf" \
> + OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf" \
> OPENSSL_ENGINES="$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3"
So with that, we have support for openssl engines and providers in the
common parts, right?
A BSP specific ptxdist code-signing-provider can still use engines, if it
sets 'PKCS11_MODULE_PATH' to e.g. 'opensc-pkcs11.so', or does the openssl
config prevent that?
Michael
>
> #
> diff --git a/rules/pre/020-code-signing-softhsm.make b/rules/pre/020-code-signing-softhsm.make
> index 62e3ab331..3f1307ca9 100644
> --- a/rules/pre/020-code-signing-softhsm.make
> +++ b/rules/pre/020-code-signing-softhsm.make
> @@ -9,7 +9,8 @@
> ifdef PTXCONF_HOST_SOFTHSM
> SOFTHSM_CODE_SIGNING_ENV = \
> SOFTHSM2_CONF="$(PTXDIST_SYSROOT_HOST)/etc/softhsm2.conf" \
> - PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
> + PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so \
> + PKCS11_PROVIDER_MODULE=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
>
> CODE_SIGNING_ENV += \
> $(SOFTHSM_CODE_SIGNING_ENV)
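Review bot: `PKCS11_PROVIDER_MODULE` is set only inside `ifdef PTXCONF_HOST_SOFTHSM`, while the common CODE_SIGNING_ENV loads the pkcs11 provider config in every case. A code-signing provider that uses a module other than libsofthsm2.so therefore has to export PKCS11_PROVIDER_MODULE itself before the provider path works. That requirement should be documented next to CODE_SIGNING_ENV in rules/pre/010-code-signing.make.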
>
> --
> 2.47.3
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH v2 3/3] code-signing: enable provider support
From: Sascha Hauer @ 2026-04-27 12:29 UTC (permalink / raw)
To: Michael Olbrich; +Cc: ptxdist
On Fri, Apr 24, 2026 at 09:12:35AM +0200, Michael Olbrich wrote:
> > diff --git a/rules/pre/010-code-signing.make b/rules/pre/010-code-signing.make
> > index 6141a7b19..238f37934 100644
> > --- a/rules/pre/010-code-signing.make
> > +++ b/rules/pre/010-code-signing.make
> > @@ -8,7 +8,7 @@
> >
> > CODE_SIGNING_ENV = \
> > SO_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3/pkcs11.so \
> > - OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl.cnf" \
> > + OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf" \
> > OPENSSL_ENGINES="$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3"
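Review bot: switching `OPENSSL_CONF` from openssl.cnf to openssl-pkcs11.cnf replaces the stock configuration instead of extending it, so anything set in the sysroot's openssl.cnf no longer applies to signing commands. If that is intended, the commit message should say so; otherwise the generated file could pull the stock one in with an `.include` line.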
>
> So with that, we have support for openssl engines and providers in the
> common parts, right?
Right, both work.
> A BSP specific ptxdist code-signing-provider can still use engines, if it
> sets 'PKCS11_MODULE_PATH' to e.g. 'opensc-pkcs11.so', or does the openssl
> config prevent that?
Yes, should work. I haven't tested explicitly, but softhsm still sets
PKCS11_MODULE_PATH to libsofthsm2.so and that works.
Sascha
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |