mirror of
https://github.com/morgan9e/systemd
synced 2026-04-15 08:56:15 +09:00
eac5336c27
In mkosi, we want to support signing via a hardware token. We already support this in systemd-repart and systemd-measure. However, if the hardware token is protected by a pin, the pin is asked as many as 20 times when building an image as the pin is not cached and thus requested again for every operation. Let's introduce a custom openssl ui when we use engines and providers and plug systemd-ask-password into the process. With systemd-ask-password, the pin can be cached in the kernel keyring, allowing us to reuse it without querying the user again every time to enter the pin. We use the private key URI as the keyring identifier so that the cached pin can be shared across multiple tools. Note that if the private key is pin protected, openssl will prompt both when loading the private key using the pkcs11 engine and when actually signing the roothash. To make sure our custom UI is used when signing the roothash, we have to also configure it with ENGINE_ctrl() which takes a non-owning pointer to the UI_METHOD object and its userdata object which we have to keep alive so we introduce a new AskPasswordUserInterface struct which we use to keep both objects alive together with the EVP_PKEY object. Because the AskPasswordRequest struct stores non-owning pointers to its fields, we change repart to store the private key URI as a global variable again instead of the EVP_PKEY object so that we can use the private key argument as the keyring field of the AskPasswordRequest instance without running into lifetime issues.