[RFE] Add systemd-cryptenroll PKCS11 support to unlock LUKS encrypted volumes using HSMs

[ader1990]

Current situation

Systemd does not support PKCS11 URIs.

$: sudo systemd-cryptenroll --pkcs11-token-uri=list
PKCS#11 tokens not supported on this build.

Implementation options

Add the pkcs11 flag to systemd build. Optional: Add dev-libs/opencryptoki for Software Token support. Optional: Add softhsm2 integration testing in Mantle.

[jepio]

Can you provide more about information on how you expect this to be used? What is the use case compared to a TPM?

[ader1990]

Can you provide more about information on how you expect this to be used? What is the use case compared to a TPM? Best example I could find is the systemd test implementation: https://github.com/systemd/systemd/blob/main/test/units/testsuite-24.sh#L235

[jepio]

That shows unlocking against a softhsm process running on the same system. How would that be used with an actual HSM?

I'd like us to understand the use case and then decide together whether it is worth implementing or not.

[ader1990]

The PKCS11 URI can be changed to a soft token implementation or other opencryptoki implementation (see https://github.com/opencryptoki/opencryptoki?tab=readme-ov-file#requirements SWToken ). Once opencryptoki gets built with the SWToken enabled, the .so library obtained will replace the softhsm .so one and the URI format gets changed accordingly). The SWToken library implements SSL over TCP to access the HSM (HSM needs to be compatible with the opencryptoki SWToken implementation, of course).

Then it's a matter of systemd-cryptenroll to be configured to use the proper .so library file. This has to be confirmed on a real HSM (once I get access to such device).

I have created this issue in case there are potential users of this feature, there are quite alot of black boxes to be sorted out HSM hardware wise.

[ader1990]

Similar PR might be needed for HSM too: https://github.com/flatcar/bootengine/pull/93