Re: [PATCH] support other engines for module signing

[James Bottomley <James.Bottomley@HansenPartnership.com>]

[-- Attachment #1: Type: text/plain, Size: 1783 bytes --]

On Wed, 2018-10-17 at 08:48 -0700, David Woodhouse wrote:
> On Wed, 2018-10-17 at 08:28 -0700, James Bottomley wrote:
> > On Wed, 2018-10-17 at 08:18 -0700, David Woodhouse wrote:
> > > It looks just like yours. It uses the UI callbacks, but you can
> > > bypass those by providing the password in advance with an
> > > ENGINE_ctrl
> > > if you want.
> > 
> > Are we talking about the same thing?  This is the current RH code:
> 
> Why are you calling this "RH code"? What does Red Hat have to do with
> it? This is code in the upstream kernel, that I added (IIRC).

At the time it was added, RH was the only company doing pkcs11 based
module signing, so I assumed it was a RH token.

> > 		ENGINE *e;
> > 
> > 		e = ENGINE_by_id("pkcs11");
> > 		ERR(!e, "Load PKCS#11 ENGINE");
> > 		if (ENGINE_init(e))
> > 			ERR_clear_error();
> > 		else
> > 			ERR(1, "ENGINE_init");
> > 		if (key_pass)
> > 			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass,
> > 0),
> > 			    "Set PKCS#11 PIN");
> > 		private_key = ENGINE_load_private_key(e,
> > private_key_name,
> > 						      NULL, NULL);
> > 		ERR(!private_key, "%s", private_key_name);
> > 
> > It uses an engine control command to load the key password not a
> > UI. 
> 
> James, that "PIN" ENGINE_ctrl is basically identical to what we need
> to do with your TPM2 engine to provide a parent key password (which
> your engine currently can't use a UI for ☹). It's hardly a strange
> and unusual concept.

OK, but this isn't the parent it's the key password, so what I think
you're saying is that all pkcs11 tokens can take either engine ctrl PIN
or a UI method to provide the password, so I can proceed with folding
the pkcs11 case into the UI engine path.  That's what I'll do.

James

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 228 bytes --]