NetworkManager & PKCS#11 remoting

David Woodhouse dwmw2 at
Wed Jun 22 19:53:11 UTC 2016

On Wed, 2016-06-22 at 18:25 +0200, Nikos Mavrogiannopoulos wrote:
> On Wed, 2016-06-22 at 13:16 +0000, David Woodhouse wrote:
> > > 
> > > Correct, we need module-path explicit support to load any additional
> > > modules not already loaded.
> > > But still we would require some kind of registration of these modules
> > > via p11-kit, or pkcs11 URLs will not be usable from from privileged
> > > processes if they are acquired from an unprivileged one.
> > Hm, I think you're conflating the "what module does wpa_supplicant itself
> > load?" question (A:, with the "what modules are visible
> > to/through the stub running in the user session?" question (A: the
> > standard configured set).
> I'm not sure I follow.

Let me try that again, deliberately retaining the citations above.

We were talking about the use of module-path purely to specify the
p11-kit-remote module which would be loaded in (e.g. wpa_supplicant).

Not any of the "real" modules that actually talk to hardware, which run
in the 'stub' process in the user session.

You say that "we'd require some kind of registration of these
modules"... why? And in fact why are you using the plural in the first
place? (Sure, the stub in the user session would load the *normal* set
of p11-kit-configured modules but surely you're not just stating the
obvious status quo?)

Hm, or was your point just that we would need to *add* the module-path
field to the URI, when we use it in the privileged process? That's OK.
We also have to set up the RPC to the user's session, and provide the
information about which fd it's on. Adding a module-path to the URI at
the same time is the least of our worries there.

> That's not what I said. What I said is that I don't like a solution
> which requires to change 3 other libs in order for it to work reliably
> and I prefer one which is contained to the module in question. Whether
> the module in question will be loaded by root by default or no is a
> separate question which I didn't touch.

The two are kind of linked... :)

You're right, you didn't say that. But that's because you didn't really
fill in the complete picture of how this would work. So I was just
filling in the gaps for myself.

Can you elucidate instead, with a complete picture of how it would

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <>

More information about the p11-glue mailing list