@@ -230,7 +230,8 @@ doesn't, you should make sure that hash algorithm is either built into the
kernel or can be loaded without requiring itself.
If the private key requires a passphrase or PIN, it can be provided in the
-$KBUILD_SIGN_PIN environment variable.
+$KBUILD_SIGN_PIN environment variable. If you want to specify non-default
+PKCS11 module you can define it via $KBUILD_PKCS11_MODULE variable.
============================
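Review bot: the sentence added to module-signing.rst reads awkwardly and does not say when the new variable is consulted; suggest "If you want to use a non-default PKCS#11 module, its path can be given in the $KBUILD_PKCS11_MODULE environment variable. It is only used when the private key is specified as a pkcs11: URI." Please also use the "PKCS#11" spelling that the sign-file.c error messages already use rather than "PKCS11".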
@@ -223,6 +223,11 @@ KBUILD_SIGN_PIN
This variable allows a passphrase or PIN to be passed to the sign-file
utility when signing kernel modules, if the private key requires such.
+KBUILD_PKCS11_MODULE
+---------------
+This variable allows to specify PKCS11 module to be passed to the
+sign-file utility when signing kernel modules with PKCS11 engine.
+
KBUILD_MODPOST_WARN
-------------------
KBUILD_MODPOST_WARN can be set to avoid errors in case of undefined
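Review bot: the reST underline under the new KBUILD_PKCS11_MODULE heading is too short (15 dashes for a 20-character title), which docutils/Sphinx reports as "Title underline too short"; make it `--------------------` to match the length of the title, as the existing KBUILD_MODPOST_WARN heading does. The description should also be reworded, e.g. "This variable allows the path of a PKCS#11 module to be passed to the sign-file utility when signing kernel modules with the PKCS#11 engine, i.e. when the private key is given as a pkcs11: URI."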
@@ -112,6 +112,7 @@ static void drain_openssl_errors(void)
} while(0)
static const char *key_pass;
+static const char *pkcs11_module;
static int pem_pw_cb(char *buf, int len, int w, void *v)
{
@@ -150,6 +151,10 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
if (key_pass)
ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
"Set PKCS#11 PIN");
+ if (pkcs11_module)
+ ERR(!ENGINE_ctrl_cmd_string(e, "MODULE_PATH",
+ pkcs11_module, 0),
+ "Set PKCS#11 module");
private_key = ENGINE_load_private_key(e, private_key_name,
NULL, NULL);
ERR(!private_key, "%s", private_key_name);
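Review bot: set MODULE_PATH before the PIN rather than after it; the PIN belongs to a token inside the module, so configuring the module first reads more naturally and avoids any dependence on the engine accepting the two commands in either order. Separately, if the module cannot be loaded the only error the user sees is the existing `ERR(!private_key, "%s", private_key_name);`, which never mentions the module path; consider including pkcs11_module in that message when it is set so a wrong KBUILD_PKCS11_MODULE is easy to diagnose.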
@@ -234,6 +239,7 @@ int main(int argc, char **argv)
ERR_clear_error();
key_pass = getenv("KBUILD_SIGN_PIN");
+ pkcs11_module = getenv("KBUILD_PKCS11_MODULE");
#ifndef USE_PKCS7
use_signed_attrs = CMS_NOATTR;
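Review bot: getenv() returns an empty string when KBUILD_PKCS11_MODULE is exported but empty, and `if (pkcs11_module)` in read_private_key() then passes "" as MODULE_PATH to the engine. Treat an empty value as unset, e.g. `if (pkcs11_module && !*pkcs11_module) pkcs11_module = NULL;` after the getenv() call, so that `KBUILD_PKCS11_MODULE= make` falls back to the engine's default module as documented.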
In order to use the PKCS11 engine, the user has to specify a PKCS11 module.
There are two approaches:

- [0] Global openssl config
- [1] Programmatic call of ENGINE_ctrl_cmd

The option mentioned in RFC 7512 [2] to pass it as part of the URI is not
implemented in openssl ([3]).

Changing the global openssl config is not always feasible, especially for
cases when a system may run multiple not fully isolated builds at a time.
In order to make it possible to define a build-wide PKCS11 module, use the
environment variable `KBUILD_PKCS11_MODULE`.

[0] https://bit.ly/3myVWsE
[1] https://github.com/OpenSC/libp11/blob/master/README.md#engine-controls
[2] https://datatracker.ietf.org/doc/html/rfc7512
[3] https://pastebin.com/SfabcxTN

Signed-off-by: Sergei Iudin <tsipa740@gmail.com>
---
 Documentation/admin-guide/module-signing.rst | 3 ++-
 Documentation/kbuild/kbuild.rst              | 5 +++++
 scripts/sign-file.c                          | 6 ++++++
 3 files changed, 13 insertions(+), 1 deletion(-)