app-crypt/azure-keyvault-pkcs11: Bump to new pre-release for HSM support #2455

Merged: 2 commits, Nov 18, 2024

@chewi chewi commented Nov 18, 2024

Bump akv-pkcs11 to new pre-release for HSM support

We want to use HSM in Azure for added security. This pre-release includes all the renaming for Azure Key Vault.

How to use

From the SDK, install azure-cli and:

emerge azure-keyvault-pkcs11
export AZURE_KEYVAULT_URL="https://flatcar-sb-dev-kv.vault.azure.net/"
export PKCS11_MODULE_PATH="/usr/lib64/pkcs11/azure-keyvault-pkcs11.so"
export AZURE_KEYVAULT_PKCS11_DEBUG=1
SBSIGN_KEY="pkcs11:token=flatcar-dev-cert" # May be wrong, I don't have access.
p11-kit export-object --provider "${PKCS11_MODULE_PATH}" "${SBSIGN_KEY};type=cert" > cert.pem
sbsign --key "${SBSIGN_KEY}" --cert cert.pem some-grub-or-kernel-image

Testing done

@sayanchowdhury has manually tested this already. Testing it via CI would be awkward as we'd need to force the official build path and force the job onto Azure.

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update) -- N/A
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

This one includes all the renaming for Azure Key Vault.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
@chewi chewi requested a review from a team November 18, 2024 12:24
@chewi chewi self-assigned this Nov 18, 2024
…eyvault-pkcs11/azure-keyvault-pkcs11-0_p20241115.ebuild

Co-authored-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@chewi chewi merged commit d35954c into main Nov 18, 2024
1 check was waiting
@chewi chewi deleted the chewi/newer-azure-keyvault-pkcs11 branch November 18, 2024 13:33