PKCS11 Key Support Issues

[kenanjasim]

Hello team,

While trying to provision a CM4 with with PKCS11 keys, I encountered two issues:

Issue 1: Hardcoded PEM References

Between the integration of PKCS11 code and the merging of the keywriter/provisioner scripts, the derivePublicKey and update_eeprom functions still contain hardcoded references to customer PEM files rather than properly switching between PKCS11 and PEM options.

I've submitted a pull request with a partial fix for this issue. #152

Issue 2: CM5 Bootcode Signing

CM5s require signed bootcode images, which are currently processed by the rpi-sign-bootcode tool. This tool only accepts PEM files by default.

Question: Is PKCS11 support continuing to be supported for this tool? If not, would you be open to contributions implementing this functionality?

Thank you for your attention to these issues.

[tdewey-rpi]

Yes, PKCS11 key sources are something we're intending to support.

As you correctly point out in (2), however, we needed to make some changes to how we handled bootcode signing before we could bring PKCS11 support to sb-provisioner for CM5 - and that also meant that further changes to how we handled PKCS11 support would be premature - there were a range of options for fixing up the bootcode signing.

Thankfully, that's now been done - but it does require a larger change for sb-provisioner. Expect this for 2.1.