pkcs11 module search paths
Ludovic Rousseau
ludovic.rousseau at gmail.com
Mon Oct 24 02:41:50 PDT 2011
2011/10/24 Stef Walter <stefw at collabora.co.uk>:
> On 2011-10-21 19:22, Andreas Metzler wrote:
>> Debian (and Ubuntu) are in the process of converting to multi-arch.
>> This aims at making it easily possible to install and run e.g. amd64
>> binary packages on an i386 system. (or arm ones, using qemu to run
>> them). A major step of the process is changing installation parts,
>> libraries go to /usr/lib/<triplet>[1] and /lib/<triplet> instead of
>> /usr/lib or /lib respectively.
>>
>> This also changes the location of PKCS#11 modules, they previously
>> lived in /usr/lib/pkcs11 but will move to /usr/lib/<triplet>/pkcs11.
>> We will have a transition phase where part of the modules have moved.
>> Could libp11-kit0 be changed to support searching modules in both
>> locations?
>
> Hmmm, I see the problem. However...
>
> p11-kit only loads modules that have a module specific configuration
> file installed (usually in /etc/pkcs11/modules).
>
> So far I know of only one applications does this: gnome-keyring
>
> I'm working with developers of other pkcs#11 modules (such as opensc
> [1]) to try and get them to also support p11-kit out of the box by
> installing such module config files. But until they do, there should be
> only one pkcs#11 module in question.
>
> So my suggestion would be to coordinate between p11-kit and
> gnome-keyring. When the latter is modified to multi-arch and intsalls
> its pkcs#11 module in /usr/lib/<triplet> then at the same time the
> former should be configured using --with-module-path to the same directory.
>
> This way we don't have to make a permanent change to p11-kit for this
> temporary situation.
>
> How does that sound?
I am not sure it will work. Or I missed something :-)
You can't set the search path at build as a configuration option.
Because the search path depends on the CPU target you are building
for. The search path has to be automatically detected at build time,
not using a (fixed) command line option.
You may have on the same filesystem p11-kit compiled for 32-bits Intel
and another p11-kit compiled for 64-bits Intel.
The first one will look in /usr/lib/i386-linux-gnu/pkcs11/ and the
second will look in /usr/lib/x86-64-linux-gnu/pkcs11/
Or maybe you want to use something like:
--with-module-path=/usr/lib/$(dpkg-architecture -qDEB_HOST_GNU_TYPE)/pkcs11
Bye
--
Dr. Ludovic Rousseau
More information about the p11-glue
mailing list