From: Eric Biggers <ebiggers@kernel.org>
To: Aleksander Adamowski <olo@fb.com>
Cc: linux-fscrypt@vger.kernel.org
Subject: Re: [fsverity-utils PATCH v5] Implement PKCS#11 opaque keys support through OpenSSL pkcs11 engine
Date: Mon, 13 Sep 2021 10:59:46 -0700
Message-ID: <YT+RktgS+WUXvq2t@sol.localdomain>
In-Reply-To: <20210909212731.1151190-1-olo@fb.com>

On Thu, Sep 09, 2021 at 02:27:31PM -0700, Aleksander Adamowski wrote:
> PKCS#11 API allows us to use opaque keys confined in hardware security
> modules (HSMs) and similar hardware tokens without direct access to the
> key material, providing logical separation of the keys from the
> cryptographic operations performed using them.
>
> This commit allows using the popular libp11 pkcs11 module for the
> OpenSSL library with `fsverity` so that direct access to a private key
> file isn't necessary to sign files.
>
> The user needs to supply the path to the engine shared library
> (typically the libp11 shared object file) and the PKCS#11 module library
> (a shared object file specific to the given hardware token). The user
> may also supply a token-specific key identifier.
>
> Test evidence with a hardware PKCS#11 token:
>
> $ echo test > dummy
> $ ./fsverity sign dummy dummy.sig \
> --pkcs11-engine=/usr/lib64/engines-1.1/libpkcs11.so \
> --pkcs11-module=/usr/local/lib64/pkcs11_module.so \
> --cert=test-pkcs11-cert.pem && echo OK;
> Signed file 'dummy'
> (sha256:c497326752e21b3992b57f7eff159102d474a97d972dc2c2d99d23e0f5fbdb65)
> OK
>
> Test evidence for regression check (checking that regular file-based key
> signing still works):
>
> $ ./fsverity sign dummy dummy.sig --key=key.pem --cert=cert.pem && \
> echo OK;
> Signed file 'dummy'
> (sha256:c497326752e21b3992b57f7eff159102d474a97d972dc2c2d99d23e0f5fbdb65)
> OK
>
> Signed-off-by: Aleksander Adamowski <olo@fb.com>
> [EB: Avoided overloading the --key option and keyfile field, clarified
> the documentation, removed logic from cmd_sign.c that libfsverity
> already handles, and many other improvements.]
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---

Applied, thanks.

- Eric
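
Added example, not part of the original message or of fsverity-utils: the files given to `--pkcs11-engine` and `--pkcs11-module` are shared objects loaded into the signing process, so a wrapper can vet them before signing. The helper names `check_shared_object` and `sign_with_token` and the `FSVERITY` override variable are hypothetical; the options are the ones shown in the quoted test evidence.

```shell
#!/bin/sh
# Added example, not fsverity-utils code. Helper names and the FSVERITY
# override variable are hypothetical; the options are those shown above.

# The engine and module are shared objects loaded into the signing process,
# so require an absolute path to a regular file that group/other cannot write.
check_shared_object() {
    p=$1
    case $p in
        /*) ;;
        *) echo "refusing non-absolute path: $p" >&2; return 1 ;;
    esac
    [ -f "$p" ] || { echo "not a regular file: $p" >&2; return 1; }
    # -L follows a symlink to its target; output is non-empty only when the
    # group-write or other-write bit is set on that target.
    if [ -n "$(find -L "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "writable by group or others: $p" >&2
        return 1
    fi
    return 0
}

# sign_with_token FILE SIG ENGINE MODULE CERT
# Vets both libraries, then runs `fsverity sign` with the PKCS#11 options.
sign_with_token() {
    check_shared_object "$3" || return 1
    check_shared_object "$4" || return 1
    "${FSVERITY:-fsverity}" sign "$1" "$2" \
        --pkcs11-engine="$3" \
        --pkcs11-module="$4" \
        --cert="$5"
}
```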