Installation Locations for P11 kit

Roberts, William C william.c.roberts at intel.com
Tue Oct 9 18:24:09 UTC 2018



> -----Original Message-----
> From: David Woodhouse [mailto:dwmw2 at infradead.org]
> Sent: Tuesday, October 9, 2018 1:45 PM
> To: Roberts, William C <william.c.roberts at intel.com>; p11-glue at lists.freedesktop.org
> Subject: Re: Installation Locations for P11 kit
> 
> On Tue, 2018-10-09 at 17:28 +0000, Roberts, William C wrote:
> > Hello,
> >
> > I started a PKCS11 project for TPM 2.0 and we have this bug report:
> > https://github.com/tpm2-software/tpm2-pkcs11/issues/28
> >
> > I'm looking for guidance on how best to configure our settings to be
> > compatible with P11 and best practices surrounding install locations.
> >
> > Any help/comments would be appreciated.
> 
> Really, do what it says in the ticket :)

I actually didn't notice it was you that filed the ticket, now that I
know the source it adds to the trust validity of the ticket.

> 
> The ideal location for installing your provider library is obtained
> thus:
> 
> $ pkg-config --variable=p11_module_path p11-kit-1
> /usr/lib64/pkcs11
> 
> The location for your module file is given by this command:
> 
> $ pkg-config --variable=p11_module_configs p11-kit-1
> /usr/share/p11-kit/modules
> 
> 
> The idea is that you just install it, then it works everywhere. Any
> well-behaved application can now take a PKCS#11 URI according to
> RFC7512 instead of a filename for a key, and it'll find your token.
> 
> See http://www.infradead.org/openconnect/pkcs11.html for an example of
> how this works. I see you're at Intel, so you use OpenConnect for your
> VPN. You should be able to import your key from ~/.certs into the TPM
> PKCS#11 token, then OpenConnect should be able to use it from there.
> 
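
An added example, not part of the original message or of the tpm2-pkcs11 project: a shell function that stages a provider library and its module file in the two locations the pkg-config variables above report. The library file name, module name and DESTDIR are hypothetical placeholders; the `module:` line follows the p11-kit pkcs11.conf(5) format.

```shell
#!/bin/sh
# Added example: stage a PKCS#11 provider where p11-kit will find it.
# The library file, module name and DESTDIR passed in are hypothetical.
PKG_CONFIG="${PKG_CONFIG:-pkg-config}"

# Print one p11-kit-1 pkg-config variable; fail if it is unset or empty.
p11_var() {
    val=$("$PKG_CONFIG" --variable="$1" p11-kit-1 2>/dev/null) || return 1
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# stage_provider LIBFILE MODULE_NAME DESTDIR
stage_provider() {
    lib=$1; name=$2; destdir=$3
    [ -f "$lib" ] || { echo "no such library: $lib" >&2; return 1; }
    moddir=$(p11_var p11_module_path) || { echo "p11-kit-1 not found" >&2; return 1; }
    cfgdir=$(p11_var p11_module_configs) || { echo "p11-kit-1 not found" >&2; return 1; }
    for d in "$moddir" "$cfgdir"; do
        case $d in
            /*) ;;
            *) echo "refusing non-absolute path: $d" >&2; return 1 ;;
        esac
    done
    libname=$(basename "$lib")
    mkdir -p "$destdir$moddir" "$destdir$cfgdir" || return 1
    cp "$lib" "$destdir$moddir/$libname" || return 1
    # Every p11-kit consumer loads this file, so keep it writable by owner only.
    chmod 0755 "$destdir$moddir/$libname" || return 1
    # p11-kit only reads config files whose names end in ".module".
    printf 'module: %s\n' "$moddir/$libname" > "$destdir$cfgdir/$name.module" || return 1
    chmod 0644 "$destdir$cfgdir/$name.module"
}

# Usage (constructed names): stage_provider ./libexample_pkcs11.so example "$DESTDIR"
```

Staging into a DESTDIR lets a packager inspect the resulting tree before anything lands in the system-wide directories.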


