Re: [PATCHv2] sign-file,extract-cert: use KBUILD_SIGN_PIN in provider mode

[Anton Lundin]

On 18 March, 2026 - James Bottomley wrote:

> On Wed, 2026-03-18 at 10:44 -0400, James Bottomley wrote:
> > On Wed, 2026-03-18 at 10:02 +0100, Anton Lundin wrote:
> > > This adds support for the documented KBUILD_SIGN_PIN functionality
> > > to
> > > sign-file and extract-cert when built with USE_PKCS11_PROVIDER.
> > 
> > Why would you do this?  It's going to pop up a prompt for a password
> > for every module you have ... that can be hundreds to thousands in a
> > distribution kernel, so it's unscalable.  The usual way we do this is
> > to put the password into an environment variable (insecure but
> > scalable) but I suppose if you have a more secure solution there
> > might
> > be interest.
> 
> Sorry, ignore me.  I didn't read enough to see this is only plumbing
> our current environment variable method into the new store open API we
> use for providers which didn't pick up a password method.  However, the
> thought does occur: if the pkcs11 engine does this by an engine
> parameter, wouldn't the provider have an equivalent provider parameter?

There are OSSL_PROVIDER_add_conf_parameter, which are from OpenSSL 3.5,
which can set pkcs11-module-token-pin.

This code path has been activated from OpenSSL 3.0 and even when testing
with my local OpenSSL 3.5.5 I haven't gotten that to work.


Until recently I've had a patch in our local trees which just disables
the openssl provider parts and uses the engine api instead. In debian
bookworm the pkcs11-provider was too old to get anything working anyway,
and because of reasons that patch stuck around until now.


//Anton