Re: [PATCH] sign-file: add openssl engine support

From: James Bottomley
Date: Wed Feb 10 2021 - 10:01:12 EST


On Wed, 2021-02-10 at 08:01 +0000, David Woodhouse wrote:
>
> On 10 February 2021 07:45:54 GMT, Yang Song <
> songyang@xxxxxxxxxxxxxxxxx> wrote:
> > Use a customized signature service supported by openssl engine
> > to sign the kernel module.
> > Add command line parameters that support engine for sign-file
> > to use the customized openssl engine service to sign kernel
> > modules.
> >
> > Signed-off-by: Yang Song <songyang@xxxxxxxxxxxxxxxxx>
>
> Aren't engines already obsolete in the latest versions of OpenSSL, as
> well as being an implementation detail of one particular crypto
> library?

Um, no, they're getting renamed providers with some annoying API
changes that require a bit of a rewrite but the concept of a crypto
"engine" plug-in to the code base isn't going away.

> They aren't really a concept we should be exposing in *our* user
> interface.

We already do ... grep ENGINE in scripts/sign-file.c

Just by the way in case anyone is interested in history:

https://lore.kernel.org/keyrings/1518452963.3114.6.camel@xxxxxxxxxxxxxxxxxxxxx/

> Better to make sign-file automatically recognise RFC7512 PKCS#11 URIs
> and handle them by automatically loading the PKCS#11 engine.

PKCS11 can't cover everything engines can. Engines are mostly used for
accelerators, which are not in the PKCS11 API and even for external
keys, PKCS11 can't cope if the key isn't inside what PKCS11 thinks of
as a token.

James
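As an added illustration of the "recognise RFC7512 PKCS#11 URIs" suggestion above (example code written for this thread, not taken from scripts/sign-file.c or any of the posters): a minimal recogniser and path-attribute parser for `pkcs11:` URIs. The function names `is_pkcs11_uri`, `pct_decode` and `pkcs11_uri_get` are hypothetical; the check itself is what a tool would do before deciding whether a key argument is a file path or something to hand to the PKCS#11 engine.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Is this key specifier an RFC 7512 PKCS#11 URI rather than a file path? (hypothetical helper) */
bool is_pkcs11_uri(const char *key)
{
	return key && strncmp(key, "pkcs11:", 7) == 0;
}
static int hexval(char c)
{
	static const char digits[] = "0123456789abcdef";
	const char *d = c ? strchr(digits, tolower((unsigned char)c)) : NULL;
	return d ? (int)(d - digits) : -1;
}
/* Percent-decode len bytes of src into out; fails on a bad escape or an undersized out. */
static bool pct_decode(const char *src, size_t len, char *out, size_t outlen)
{
	size_t o = 0;
	if (len >= outlen) return false;	/* decoded form is never longer than src */
	for (size_t i = 0; i < len; i++) {
		int v = (unsigned char)src[i], hi, lo;
		if (src[i] == '%') {
			if (i + 2 >= len || (hi = hexval(src[i + 1])) < 0 || (lo = hexval(src[i + 2])) < 0)
				return false;	/* truncated or non-hex escape: reject rather than guess */
			v = hi * 16 + lo; i += 2;
		}
		out[o++] = (char)v;
	}
	out[o] = '\0';
	return true;
}
/* Fetch one ';'-separated path attribute ("token", "object", "id", ...) of a pkcs11: URI.
 * The '?' query part (pin-value, module-path, ...) is skipped; "id" may decode to binary. */
bool pkcs11_uri_get(const char *uri, const char *name, char *out, size_t outlen)
{
	size_t nlen = strlen(name);
	if (!is_pkcs11_uri(uri)) return false;
	const char *p = uri + 7, *end = strchr(p, '?');
	if (!end) end = p + strlen(p);
	while (p < end) {
		const char *semi = memchr(p, ';', end - p);
		const char *attr_end = semi ? semi : end;
		if ((size_t)(attr_end - p) > nlen && !strncmp(p, name, nlen) && p[nlen] == '=')
			return pct_decode(p + nlen + 1, attr_end - p - nlen - 1, out, outlen);
		p = attr_end + 1;
	}
	return false;
}
```

The query part is deliberately left alone: a `pin-value` there is a secret, and a signing tool should take it from the engine's own PIN callback rather than echo it around as part of the key name.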