From: Michael Olbrich <m.olbrich@pengutronix.de>
To: Sascha Hauer <s.hauer@pengutronix.de>
Cc: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH v2 3/3] code-signing: enable provider support
Date: Fri, 24 Apr 2026 09:12:35 +0200
Message-ID: <aesX48aikpHN3VRX@pengutronix.de>
In-Reply-To: <20260423-code-signing-provider-v2-3-be62a422e84a@pengutronix.de>
On Thu, Apr 23, 2026 at 11:25:48AM +0200, Sascha Hauer wrote:
> openssl engines have long been deprecated. Add support for provider to
> the ptxdist code signing infrastructure.
>
> We add a custom openssl-pkcs11.cnf to specify
> pkcs11-module-block-operations = digest. The reason is that softhsm2
> itself uses openssl for digesting. Without this option softhsm would end
> up calling itself via openssl resulting in a deadlock. Now that we have
> a custom config already we also use it to specify the path to the pkcs11
> module.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
> platforms/code-signing.in | 1 +
> rules/host-softhsm.in | 1 +
> rules/host-softhsm.make | 27 +++++++++++++++++++++++++++
> rules/pre/010-code-signing.make | 2 +-
> rules/pre/020-code-signing-softhsm.make | 3 ++-
> 5 files changed, 32 insertions(+), 2 deletions(-)
>
> diff --git a/platforms/code-signing.in b/platforms/code-signing.in
> index 81f9ef6f3..a20982f20 100644
> --- a/platforms/code-signing.in
> +++ b/platforms/code-signing.in
> @@ -4,6 +4,7 @@ menuconfig CODE_SIGNING
> bool
> select VIRTUAL
> select HOST_LIBP11
> + select HOST_PKCS11_PROVIDER
> prompt "Code signing "
> help
> This option enables the ptxdist signing infrastructure.
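Review bot: the help text still only says "This option enables the ptxdist signing infrastructure." while the option now pulls in both the OpenSSL pkcs11 engine (HOST_LIBP11) and the pkcs11 provider (HOST_PKCS11_PROVIDER); extend the help to name the two OpenSSL mechanisms that become available, so BSP authors know which one their signing helpers may rely on.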
> diff --git a/rules/host-softhsm.in b/rules/host-softhsm.in
> index 160f4b598..dfa1e3c8e 100644
> --- a/rules/host-softhsm.in
> +++ b/rules/host-softhsm.in
> @@ -4,6 +4,7 @@ config HOST_SOFTHSM
> tristate
> select HOST_P11_KIT
> select HOST_OPENSSL
> + select HOST_PKCS11_PROVIDER
> select HOST_SQLITE
> default y if ALLYES
> help
> diff --git a/rules/host-softhsm.make b/rules/host-softhsm.make
> index 67d9c5ab8..613a42b42 100644
> --- a/rules/host-softhsm.make
> +++ b/rules/host-softhsm.make
> @@ -30,4 +30,31 @@ HOST_SOFTHSM_CONF_OPT := \
> HOST_SOFTHSM_CPPFLAGS := \
> -DDEBUG_LOG_STDERR=1
>
> +# ----------------------------------------------------------------------------
> +# Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/host-softhsm.install:
> + @$(call targetinfo)
> + @$(call world/install, HOST_SOFTHSM)
> + @{ \
> + echo 'openssl_conf = openssl_init'; \
> + echo ''; \
> + echo '[openssl_init]'; \
> + echo 'providers = provider_sect'; \
> + echo ''; \
> + echo '[provider_sect]'; \
> + echo 'default = default_sect'; \
> + echo 'pkcs11 = pkcs11_sect'; \
> + echo ''; \
> + echo '[default_sect]'; \
> + echo 'activate = 1'; \
> + echo ''; \
> + echo '[pkcs11_sect]'; \
> + echo "module = $(PTXDIST_SYSROOT_HOST)/usr/lib/ossl-modules/pkcs11.so"; \
This breaks devpkgs, but I can do a followup patch to fix that.
> + echo 'activate = 1'; \
> + echo 'pkcs11-module-block-operations = digest'; \
> + } > $(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf
> + @$(call touch)
> +
> # vim: syntax=make
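Review bot: openssl-pkcs11.cnf is only written in host-softhsm.install, yet the generic CODE_SIGNING_ENV (the OPENSSL_CONF change in rules/pre/010-code-signing.make) depends on it unconditionally, so a BSP that enables CODE_SIGNING with its own PKCS#11 module and without HOST_SOFTHSM ends up with OPENSSL_CONF pointing at a file that does not exist. The `pkcs11-module-block-operations = digest` line is likewise a softhsm-specific workaround (per the commit message) that would then apply to every provider. Suggest generating the file from the code-signing rules or a host-pkcs11-provider install stage, emitting the block-operations line only under `ifdef PTXCONF_HOST_SOFTHSM`.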
> diff --git a/rules/pre/010-code-signing.make b/rules/pre/010-code-signing.make
> index 6141a7b19..238f37934 100644
> --- a/rules/pre/010-code-signing.make
> +++ b/rules/pre/010-code-signing.make
> @@ -8,7 +8,7 @@
>
> CODE_SIGNING_ENV = \
> SO_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3/pkcs11.so \
> - OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl.cnf" \
> + OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf" \
> OPENSSL_ENGINES="$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3"
So with that, we have support for openssl engines and providers in the
common parts, right?
A BSP specific ptxdist code-signing-provider can still use engines, if it
sets 'PKCS11_MODULE_PATH' to e.g. 'opensc-pkcs11.so', or does the openssl
config prevent that?
Michael
>
> #
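Review bot: SO_PATH and OPENSSL_ENGINES are kept pointing at the pkcs11 engine while OPENSSL_CONF now loads a config that activates the pkcs11 provider for every openssl invocation under CODE_SIGNING_ENV, so both mechanisms are live at once. A comment stating that this is intentional (engine via SO_PATH/OPENSSL_ENGINES, provider via OPENSSL_CONF plus PKCS11_PROVIDER_MODULE) would answer the question raised above and make clear that a BSP overriding PKCS11_MODULE_PATH must also set PKCS11_PROVIDER_MODULE for the provider path to work.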
> diff --git a/rules/pre/020-code-signing-softhsm.make b/rules/pre/020-code-signing-softhsm.make
> index 62e3ab331..3f1307ca9 100644
> --- a/rules/pre/020-code-signing-softhsm.make
> +++ b/rules/pre/020-code-signing-softhsm.make
> @@ -9,7 +9,8 @@
> ifdef PTXCONF_HOST_SOFTHSM
> SOFTHSM_CODE_SIGNING_ENV = \
> SOFTHSM2_CONF="$(PTXDIST_SYSROOT_HOST)/etc/softhsm2.conf" \
> - PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
> + PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so \
> + PKCS11_PROVIDER_MODULE=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
>
> CODE_SIGNING_ENV += \
> $(SOFTHSM_CODE_SIGNING_ENV)
>
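Review bot: the libsofthsm2.so path is now spelled out twice, once for PKCS11_MODULE_PATH and once for PKCS11_PROVIDER_MODULE; factor it into a single variable, e.g. `SOFTHSM_PKCS11_MODULE := $(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so`, and reference it from both assignments so the engine and provider settings cannot drift apart.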
> --
> 2.47.3
--
Pengutronix e.K.
Steuerwalder Str. 21 | http://www.pengutronix.de/
31137 Hildesheim, Germany | Phone: +49-5121-206917-0
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555