PKCS#11 support

Open Gigadoc2 opened this issue 3 years ago • 2 comments

I don't know if this is out of scope for mkosi: For strictly creating development/testing images, storing keys in hardware tokens is surely overkill. However, if the project is also meant to be suitable for creating productive images (e.g. immutable OS images for your notebook or shipping-ready sysexts), having the keys stored non-exportable would be very nice from a security perspective.

For sbsign this should(?) be possible by selecting a pkcs11 openssl-engine; to create the verity signature (without requiring an extra python library) it might be necessary to shell out to openssl?

Gigadoc2, May 19 '22 19:05

I think that's a good idea and will happily review patches.

Shelling out to openssl is fine (we currently do that to generate secure boot keys), but we've also relaxed the "only stdlib" policy somewhat and are using cryptography for the verity stuff. External packages are fine for limited stuff, where people can ignore the dependency if they are not using said feature (like cryptography for verity related things or portage for building Gentoo images).

behrmann, May 20 '22 09:05

This is going to need lots of support in the systemd tooling we use first.

DaanDeMeyer, Oct 04 '23 20:10

Implemented in #2373

DaanDeMeyer, Mar 04 '24 19:03