pkcs11 module search paths

Stef Walter stefw at collabora.co.uk
Mon Oct 24 01:46:36 PDT 2011


On 2011-10-21 19:22, Andreas Metzler wrote:
> Debian (and Ubuntu) are in the process of converting to multi-arch.
> This aims at making it easily possible to install and run e.g. amd64
> binary packages on an i386 system. (or arm ones, using qemu to run
> them). A major step of the process is changing installation parts,
> libraries go to /usr/lib/<triplet>[1] and /lib/<triplet> instead of
> /usr/lib or /lib respectively. 
> 
> This also changes the location of PKCS#11 modules, they previously
> lived in /usr/lib/pkcs11 but will move to /usr/lib/<triplet>/pkcs11.
> We will have a transition phase where part of the modules have moved.
> Could libp11-kit0 be changed to support searching modules in both
> locations?

Hmmm, I see the problem. However...

p11-kit only loads modules that have a module specific configuration
file installed (usually in /etc/pkcs11/modules).

So far I know of only one application that does this: gnome-keyring

I'm working with developers of other pkcs#11 modules (such as opensc
[1]) to try and get them to also support p11-kit out of the box by
installing such module config files. But until they do, there should be
only one pkcs#11 module in question.

So my suggestion would be to coordinate between p11-kit and
gnome-keyring. When the latter is modified to multi-arch and installs
its pkcs#11 module in /usr/lib/<triplet> then at the same time the
former should be configured using --with-module-path to the same directory.

This way we don't have to make a permanent change to p11-kit for this
temporary situation.

How does that sound?

Cheers,

Stef
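
Added example, not part of the original message and not p11-kit code: a packaging check that reads each module config file and reports which candidate directory actually holds the module it names, so the value passed to --with-module-path can be matched to where gnome-keyring installed its module. It assumes the `module:` key of the module config format with relative names resolved against the module directory; the file names, the example triplet and the temporary directory layout are constructed, and trying several directories is this script's behaviour, not p11-kit's.

```python
import os
import tempfile

def parse_module_config(text):
    """Parse 'key: value' lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf

def locate_module(name, candidate_dirs):
    """Return where the module file exists: the absolute path, or matching dirs."""
    if os.path.isabs(name):
        return [name] if os.path.isfile(name) else []
    return [d for d in candidate_dirs if os.path.isfile(os.path.join(d, name))]

def audit(config_dir, candidate_dirs):
    """Map each module config file to the candidate dirs that hold its module."""
    report = {}
    for entry in sorted(os.listdir(config_dir)):
        path = os.path.join(config_dir, entry)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            module = parse_module_config(fh.read()).get("module")
        if module:
            report[entry] = locate_module(module, candidate_dirs)
    return report

def demo():
    """Constructed layout: one config file, module already moved to multi-arch."""
    root = tempfile.mkdtemp()
    conf_dir = os.path.join(root, "etc/pkcs11/modules")
    old_dir = os.path.join(root, "usr/lib/pkcs11")
    new_dir = os.path.join(root, "usr/lib/x86_64-linux-gnu/pkcs11")  # example triplet
    for d in (conf_dir, old_dir, new_dir):
        os.makedirs(d)
    with open(os.path.join(conf_dir, "gnome-keyring-module"), "w") as fh:
        fh.write("# constructed sample\nmodule: gnome-keyring-pkcs11.so\n")
    open(os.path.join(new_dir, "gnome-keyring-pkcs11.so"), "w").close()
    return audit(conf_dir, [old_dir]), audit(conf_dir, [old_dir, new_dir]), new_dir

if __name__ == "__main__":
    before, after, _ = demo()
    print("old path only:", before)
    print("old + multi-arch:", after)
```

An empty list for a config file means the module it names is in none of the directories checked, which is the state a half-finished transition would leave behind.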

