Limiting loading of PKCS#11 by architecture
Stef Walter
stefw at collabora.co.uk
Wed Sep 14 04:48:08 PDT 2011
On 09/14/2011 07:07 AM, Kalev Lember wrote:
>> When packaging on Fedora, Kalev Lember brought up the issue that there's
>> not really a way to limit p11-kit to only load modules for a given
>> architecture.
>
> Actually, this wasn't my original issue. My issue was that the
> gnome-keyring package drops a configuration file in /etc/pkcs11/modules/
> and that file was causing conflicts for multilib installations.
Right, that's what we're trying to solve.
>> When both 64-bit and 32-bit versions of a PKCS#11 library are installed
>> then 64-bit processes should only load 64-bit modules, and vice versa.
>>
>> I've put together a solution here:
>>
>> https://bugs.freedesktop.org/show_bug.cgi?id=40775
>
> As I understand it, this solution would rename the configuration files
> so that they are different for 32 bit and 64 bit, and also introduce a
> new config file parameter 'arch'.
>
> Having a way to limit the loadable modules would probably be a nice to
> have. However, doing it like that would introduce quite a bit of
> complexity to the PKCS11 module (gnome-keyring) build systems, and/or to
> the downstream distro packaging scripts. I'd rather avoid that.
True, it is more complex.
> I am not saying to scrap the arch-limiting idea; it would probably be a
> nice option that the system administrator can set. But it should not be
> something that each and every PKCS11 module installation script has to
> deal with.
Let's leave it out if we're not going to use it.
>> I'm hoping to get this into p11-kit shortly, and have a new release. A
>> bunch of distro's are releasing soon, so this would help make things work.
>>
>> Let me know if you see any issues.
>
> I'd like to propose another solution to the multilib problem.
>
> Instead of requiring full paths in the config file, we could define a
> standard directory for dropping pkcs11 modules (or symlinks) in, and
> make it possible to specify relative paths to that directory.
This makes more sense. It's sort of like a PATH variable where we lookup
relative module paths. I've tweaked the patches and added documentation
to make that clear and hopefully understandable.
> I'm sending a patch that implements the relative path support. If it
> looks like something you think you could use, I'd be happy to also fix
> up gnome-keyring's build.
Can you look at this branch, and see if my tweaks are okay and it still
works for you?
http://cgit.collabora.com/git/user/stefw/p11-kit.git/log/?h=relative-paths
Cheers,
Stef
More information about the p11-glue
mailing list