[Rpm-maint] [rpm-software-management/rpm] rpmsign: Adopting PKCS#11 opaque keys support in libfsverity for fsverity signatures (#1779)

wuyuoss notifications at github.com
Tue Sep 21 07:51:07 UTC 2021 

We (Aleksander Adamowski) recently made a change to Kernel fsverity-utils to ["Implement PKCS#11 opaque keys support through OpenSSL pkcs11 engine"](https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/commit/?id=66b1d8a276cb3836ac275cb9f3f6517a07462737) and the change is already committed. The change is meant to allow us to use opaque keys confined in hardware security modules (HSMs) and similar hardware tokens without direct access to the
fsverity signing key material, which will then be used to generate fsverity signatures.

In this change, we basically supply "`--pkcs11_engine"`and "`--pkcs11_module`" and optionally "`--pkcs11_keyid`" in "`libfsverity_signature_params`" struct if we use PKCS#11 token for fsverity private signing key. 

With this change, we will be able to generate RPM fsverity file signatures with private signing key either from direct private key access through "`--fskpath`", or from PKCS#11 token with PKCS#11 engine and module supplied. "`--certpath`" is still required for both ways.

This requires the "`libfsverity.h`" be up-to-date with [this commit](https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/commit/?id=66b1d8a276cb3836ac275cb9f3f6517a07462737).

You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/1779

-- Commit Summary --

  * <a href="https://github.com/rpm-software-management/rpm/pull/1779/commits/700c3658a9b255744cca60c8a3755591f6a8f669">rpmsign: Adopting PKCS#11 opaque keys support in libfsverity for fsverity signatures</a>

-- File Changes --

    M docs/man/rpmsign.8.md (17)
    M rpmsign.c (31)
    M sign/rpmgensig.c (57)
    M sign/rpmsignverity.c (24)
    M sign/rpmsignverity.h (9)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/1779.patch
https://github.com/rpm-software-management/rpm/pull/1779.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1779
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20210921/1b165c45/attachment.html>

More information about the Rpm-maint mailing list