Re: [PATCHv2] sign-file,extract-cert: use KBUILD_SIGN_PIN in provider mode

From: James Bottomley

Date: Wed Mar 18 2026 - 10:55:06 EST


On Wed, 2026-03-18 at 10:44 -0400, James Bottomley wrote:
> On Wed, 2026-03-18 at 10:02 +0100, Anton Lundin wrote:
> > This adds support for the documented KBUILD_SIGN_PIN functionality to
> > sign-file and extract-cert when built with USE_PKCS11_PROVIDER.
>
> Why would you do this?  It's going to pop up a prompt for a password
> for every module you have ... that can be hundreds to thousands in a
> distribution kernel, so it's unscalable.  The usual way we do this is
> to put the password into an environment variable (insecure but
> scalable) but I suppose if you have a more secure solution there might
> be interest.

Sorry, ignore me. I didn't read enough to see this is only plumbing
our current environment variable method into the new store open API we
use for providers which didn't pick up a password method. However, the
thought does occur: if the pkcs11 engine does this by an engine
parameter, wouldn't the provider have an equivalent provider parameter?

Regards,

James