[Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine

Frank Hunleth fhunleth at troodon-software.com
Sat Dec 29 05:36:02 UTC 2018


Hi Trent,

I was about to submit libp11 and then saw your patch, so thanks for submitting.

The commit title should be "libp11: new package".

On Fri, Dec 7, 2018 at 12:28 PM Trent Piepho <tpiepho at impinj.com> wrote:
>
> Library for using PKCS#11, which includes an engine for OpenSSL that
> lets it use PKCS#11 modules.  Which is really what this package is
> about, not that libp11 library itself, which has no users outside the of
> OpenSSL engine.
>
> If p11-kit is enabled, configure the engine to use that as the default
> PKCS#11 module.  That module is a sort of multiplexer that allows
> multiple modules to be used at once, so it makes sense to use it even if
> there are other modules present, e.g. softhsm2, nssckbi, pkcs11-proxy,
> ykcs11, etc.
>
> A host package is created too, with a host configuration option.  Since
> this a dynamically loaded module, there is no build time reason to
> select it from a host package.  It could be used by host openssl, to
> allow host rauc to sign a software update bundle using a key from a HSM
> with a PKCS#11 interface.
>
> Signed-off-by: Trent Piepho <tpiepho at impinj.com>
> ---
>  package/Config.in             |  1 +
>  package/Config.in.host        |  1 +
>  package/libp11/Config.in      |  7 +++++++
>  package/libp11/Config.in.host |  6 ++++++
>  package/libp11/libp11.hash    |  3 +++
>  package/libp11/libp11.mk      | 21 +++++++++++++++++++++
>  6 files changed, 39 insertions(+)
>  create mode 100644 package/libp11/Config.in
>  create mode 100644 package/libp11/Config.in.host
>  create mode 100644 package/libp11/libp11.hash
>  create mode 100644 package/libp11/libp11.mk
>
> diff --git a/package/Config.in b/package/Config.in
> index f6252f2abb..940e7d2d2c 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1177,6 +1177,7 @@ menu "Crypto"
>         source "package/libmcrypt/Config.in"
>         source "package/libmhash/Config.in"
>         source "package/libnss/Config.in"
> +       source "package/libp11/Config.in"
>         source "package/libscrypt/Config.in"
>         source "package/libsecret/Config.in"
>         source "package/libsha1/Config.in"
> diff --git a/package/Config.in.host b/package/Config.in.host
> index 06fb2e1996..89b39b0007 100644
> --- a/package/Config.in.host
> +++ b/package/Config.in.host
> @@ -31,6 +31,7 @@ menu "Host utilities"
>         source "package/imx-usb-loader/Config.in.host"
>         source "package/jq/Config.in.host"
>         source "package/jsmin/Config.in.host"
> +       source "package/libp11/Config.in.host"
>         source "package/lpc3250loader/Config.in.host"
>         source "package/lttng-babeltrace/Config.in.host"
>         source "package/mfgtools/Config.in.host"
> diff --git a/package/libp11/Config.in b/package/libp11/Config.in
> new file mode 100644
> index 0000000000..0b9a739db3
> --- /dev/null
> +++ b/package/libp11/Config.in
> @@ -0,0 +1,7 @@
> +config BR2_PACKAGE_LIBP11
> +       bool "libp11"
> +       select BR2_PACKAGE_OPENSSL
> +       help
> +         OpenSSL engine for PKCS#11 modules.  Part of the OpenSC project.
> +
> +         https://github.com/OpenSC/OpenSC/wiki
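Review bot: the help-text URL points at the generic OpenSC wiki rather than at the libp11 project itself; since LIBP11_SITE in the .mk already fetches from https://github.com/OpenSC/libp11, that repository page is the more useful homepage for a user deciding whether to enable the option, and it avoids sending them to a wiki that covers several unrelated OpenSC projects. The `select BR2_PACKAGE_OPENSSL` is consistent with `LIBP11_DEPENDENCIES = openssl` in the .mk, so that side is fine.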
> diff --git a/package/libp11/Config.in.host b/package/libp11/Config.in.host
> new file mode 100644
> index 0000000000..ccc171025a
> --- /dev/null
> +++ b/package/libp11/Config.in.host
> @@ -0,0 +1,6 @@
> +config BR2_PACKAGE_HOST_LIBP11
> +       bool "host libp11"
> +       help
> +         OpenSSL engine for PKCS#11 modules.  Part of the OpenSC project.
> +
> +         https://github.com/OpenSC/OpenSC/wiki
> diff --git a/package/libp11/libp11.hash b/package/libp11/libp11.hash
> new file mode 100644
> index 0000000000..01cea6466b
> --- /dev/null
> +++ b/package/libp11/libp11.hash
> @@ -0,0 +1,3 @@
> +# Locally computed:
> +sha256 9d1c76d74c21ca224f96204982097ebc6b956f645b2b0b5f9c502a20e9ffcfd8  libp11-0.4.9.tar.gz
> +sha256 d80c9d084ebfb50ea1ed91bfbc2410d6ce542097a32c43b00781b83adcb8c77f  COPYING
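Review bot: both sums are marked "Locally computed", which only attests that the archive has not changed since the submitter downloaded it, not that it matches what upstream intended to release; if OpenSC publishes a checksum or a detached signature for the libp11-0.4.9 release, the comment should say which one was verified against so a later reviewer can reproduce the check. The tarball name `libp11-0.4.9.tar.gz` matches Buildroot's default LIBP11_SOURCE for the releases URL used in the .mk, so the entry will be found as long as that site setting is kept.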
> diff --git a/package/libp11/libp11.mk b/package/libp11/libp11.mk
> new file mode 100644
> index 0000000000..9dc098870e
> --- /dev/null
> +++ b/package/libp11/libp11.mk
> @@ -0,0 +1,21 @@
> +################################################################################
> +#
> +# libp11
> +#
> +################################################################################
> +
> +LIBP11_VERSION = 0.4.9
> +LIBP11_SITE = https://github.com/OpenSC/libp11/releases/download/libp11-$(LIBP11_VERSION)

I'm not sure what official BR policy is, but it seems that most
github-hosted packages use the github helper:

LIBP11_VERSION = libp11-0.4.9
LIBP11_SITE = $(call github,OpenSC,libp11,$(LIBP11_VERSION))

and then you'll need

LIBP11_AUTORECONF = YES

> +LIBP11_DEPENDENCIES = openssl
> +LIBP11_INSTALL_STAGING = YES
> +LIBP11_LICENSE = LGPLv2.1

It looks like the license is "LGPL-2.1+"

> +LIBP11_LICENSE_FILES = COPYING
> +
> +ifeq ($(BR2_PACKAGE_P11_KIT),y)
> +LIBP11_CONF_OPTS += --with-pkcs11-module=/usr/lib/p11-kit-proxy.so
> +endif
> +
> +HOST_LIBP11_DEPENDENCIES = host-openssl

I've tested this on device and with OpenSSL 1.1.0 (not OpenSSL 1.0.2
which is currently in BR master). That combination works well. I'm
hopeful that the OpenSSL 1.1.0 patches can be integrated. When that
happens,

Tested-by: Frank Hunleth <fhunleth at troodon-software.com>

> +
> +$(eval $(autotools-package))
> +$(eval $(host-autotools-package))
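Review bot: the `BR2_PACKAGE_P11_KIT` branch bakes in `--with-pkcs11-module=/usr/lib/p11-kit-proxy.so` without adding p11-kit to LIBP11_DEPENDENCIES; nothing in the hunk links against p11-kit and the module is only loaded at runtime, so no build-order dependency is strictly needed, but a one-line comment stating that the path is a runtime default would save the next reviewer from asking. Note also that the .hash file is keyed to `libp11-0.4.9.tar.gz`: if LIBP11_SITE is switched to the github helper as suggested above, the downloaded archive name changes and the hash entry must be updated in the same patch, otherwise the download will be rejected. The `LIBP11_LICENSE = LGPLv2.1` value should use the SPDX-style spelling Buildroot expects, as already pointed out above.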
> --
> 2.14.4
>