| Field | Value | Date |
|---|---|---|
| author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2024-11-06 18:08:26 +0100 |
| committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2024-11-07 20:30:47 +0100 |
| commit | a1d46e3078a67b128a2eb93da7ae51d253b326f7 (patch) | |
| tree | 7b1a4994fae1b5367e84e3766f27cd4b034c0a3d /man | |
| parent | openssl-util: Set expected object type to private keys (diff) | |
| download | systemd-a1d46e3078a67b128a2eb93da7ae51d253b326f7.tar.xz, systemd-a1d46e3078a67b128a2eb93da7ae51d253b326f7.zip | |
tree-wide: Introduce --certificate-source= option
This allows loading the X.509 certificate from an OpenSSL provider
instead of a file system path. This allows loading certificates directly
from hardware tokens instead of having to export them to a file on
disk first.
Diffstat (limited to 'man')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | man/bootctl.xml | 12 |
| -rw-r--r-- | man/systemd-measure.xml | 10 |
| -rw-r--r-- | man/systemd-repart.xml | 25 |
| -rw-r--r-- | man/systemd-sbsign.xml | 9 |

4 files changed, 41 insertions, 15 deletions
diff --git a/man/bootctl.xml b/man/bootctl.xml index eab18f7575..3159f42347 100644 --- a/man/bootctl.xml +++ b/man/bootctl.xml @@ -529,8 +529,9 @@ <varlistentry> <term><option>--secure-boot-auto-enroll=yes|no</option></term> <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term> - <term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term> + <term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term> <term><option>--certificate=<replaceable>PATH</replaceable></option></term> + <term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term> <listitem><para>Configure the ESP for secure boot auto-enrollment when invoking the <command>install</command> command. Takes a boolean argument. Disabled by default. Enabling this 
@@ -542,9 +543,12 @@ <para>When specifying this option, a certificate and private key have to be provided as well using the <option>--certificate=</option> and <option>--private-key=</option> options. The - <option>--certificate=</option> option takes a path to a PEM encoded X.509 certificate. The - <option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL - engine or provider, as specified by <option>--private-key-source=</option> as a + <option>--certificate=</option> option takes a path to a PEM encoded X.509 certificate or a URI + that's passed to the OpenSSL provider configured with <option>--certificate-source</option> which + takes one of <literal>file</literal> or <literal>provider</literal>, with the latter being followed + by a specific provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>. + The <option>--private-key=</option> option can take a path or a URI that will be passed to the + OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a <literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL signing engine or provider will be used to sign the EFI signature lists.</para> diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml index b82aabac04..c7e5a5e9e2 100644 --- a/man/systemd-measure.xml +++ b/man/systemd-measure.xml 
@@ -188,8 +188,9 @@ <varlistentry> <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term> - <term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term> - <term><option>--certificate=<replaceable>PATH</replaceable></option></term> + <term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term> + <term><option>--certificate=<replaceable>PATH/URI</replaceable></option></term> + <term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term> <listitem><para>As an alternative to <option>--public-key=</option> for the <command>sign</command> command, these switches can be used to sign with an hardware token. The @@ -197,6 +198,11 @@ provider, as specified by <option>--private-key-source=</option> as a type:name tuple, such as engine:pkcs11. The specified OpenSSL signing engine or provider will be used to sign.</para> + <para>The <option>--certificate=</option> option also takes a path or a URI that will be passed to + the OpenSSL provider, as specified by <option>--certificate-source=</option> as a + <literal>type:name</literal> tuple, such as <literal>provider:pkcs11</literal>. Note that unlike + <option>--private-key-source=</option> this option only supports providers and not engines.</para> + <xi:include href="version-info.xml" xpointer="v256"/></listitem> </varlistentry> diff --git a/man/systemd-repart.xml b/man/systemd-repart.xml index 1e6ffaa70f..575be14912 100644 --- a/man/systemd-repart.xml +++ b/man/systemd-repart.xml 
@@ -348,9 +348,9 @@ <varlistentry> <term><option>--private-key=</option></term> - <listitem><para>Takes a file system path. Configures the signing key to use when creating verity - signature partitions with the <varname>Verity=signature</varname> setting in partition files. - </para> + <listitem><para>Takes a file system path or an engine or provider specific designation. Configures + the signing key to use when creating verity signature partitions with the + <varname>Verity=signature</varname> setting in partition files.</para> <xi:include href="version-info.xml" xpointer="v252"/></listitem> </varlistentry> @@ -361,7 +361,7 @@ <listitem><para>Takes one of <literal>file</literal>, <literal>engine</literal> or <literal>provider</literal>. In the latter two cases, it is followed by the name of a provider or engine, separated by colon, that will be passed to OpenSSL's "engine" or "provider" logic. - Configures the signing mechanism to use when creating verity signature partitions with the + Configures how to load the private key to use when creating verity signature partitions with the <varname>Verity=signature</varname> setting in partition files.</para> <xi:include href="version-info.xml" xpointer="v256"/></listitem> 
@@ -370,14 +370,25 @@ <varlistentry> <term><option>--certificate=</option></term> - <listitem><para>Takes a file system path. Configures the PEM encoded X.509 certificate to use when - creating verity signature partitions with the <varname>Verity=signature</varname> setting in - partition files.</para> + <listitem><para>Takes a file system path or a provider specific designation. Configures the PEM + encoded X.509 certificate to use when creating verity signature partitions with the + <varname>Verity=signature</varname> setting in partition files.</para> <xi:include href="version-info.xml" xpointer="v252"/></listitem> </varlistentry> <varlistentry> + <term><option>--certificate-source=</option></term> + + <listitem><para>Takes one of <literal>file</literal>, or <literal>provider</literal>. In the latter + case, it is followed by the name of a provider, separated by colon, that will be passed to OpenSSL's + "provider" logic. Configures how to load the X.509 certificate to use when creating verity signature + partitions with the <varname>Verity=signature</varname> setting in partition files.</para> + + <xi:include href="version-info.xml" xpointer="v257"/></listitem> + </varlistentry> + + <varlistentry> <term><option>--tpm2-device=</option></term> <term><option>--tpm2-pcrs=</option></term> diff --git a/man/systemd-sbsign.xml b/man/systemd-sbsign.xml index 1e42d601d6..1248377845 100644 --- a/man/systemd-sbsign.xml +++ b/man/systemd-sbsign.xml 
@@ -85,11 +85,16 @@ <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term> <term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term> <term><option>--certificate=<replaceable>PATH</replaceable></option></term> + <term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term> <listitem><para>Set the Secure Boot private key and certificate for use with the <command>sign</command>. The <option>--certificate=</option> option takes a path to a PEM encoded - X.509 certificate. The <option>--private-key=</option> option can take a path or a URI that will be - passed to the OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a + X.509 certificate or a URI that's passed to the OpenSSL provider configured with + <option>--certificate-source</option>. The <option>--certificate-source</option> takes one of + <literal>file</literal> or <literal>provider</literal>, with the latter being followed by a specific + provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>. The + <option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL + engine or provider, as specified by <option>--private-key-source=</option> as a <literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL signing engine or provider will be used to sign the PE binary.</para> |
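Review bot: in the bootctl.xml hunk at @@ -529, the `<term>` for --certificate= still reads `<replaceable>PATH</replaceable>` although the following hunk says the option now also accepts a URI handed to the OpenSSL provider; the systemd-measure.xml hunk changes the same term to `PATH/URI`, so bootctl.xml should match: `<term><option>--certificate=<replaceable>PATH/URI</replaceable></option></term>`.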
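Review bot: in the bootctl.xml hunk at @@ -542, `<option>--certificate-source</option>` lacks the trailing `=` that the `<term>` and every other option reference in the paragraph (`--certificate=`, `--private-key=`, `--private-key-source=`) carry; write `<option>--certificate-source=</option>`. The paragraph also lists engine and provider for the private key but only file and provider for the certificate; the systemd-measure.xml hunk states outright that the certificate source supports providers and not engines, and a matching sentence here would stop readers assuming `engine:` was left out by accident.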
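Review bot: in the systemd-measure.xml hunk at @@ -197, the new paragraph documents --certificate-source= but the listitem's version marker stays at `<xi:include href="version-info.xml" xpointer="v256"/>`, while the systemd-repart.xml hunk records the same new option as v257; add a v257 version-info include for the new option so the man page does not claim it was available in v256.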
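Review bot: in the systemd-repart.xml hunk at @@ -370, "Takes one of <literal>file</literal>, or <literal>provider</literal>." has a stray comma in a two-item list; drop it so the entry reads like the --private-key-source= entry above ("Takes one of ... or ...").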
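Review bot: in the systemd-sbsign.xml hunk at @@ -85, `<option>--certificate-source</option>` appears twice without the trailing `=` used in its `<term>` and in `--private-key-source=`, and "The <option>--certificate-source</option> takes one of" is missing the word "option"; suggest "The <option>--certificate-source=</option> option takes one of <literal>file</literal> or <literal>provider</literal>". As in bootctl.xml, the `<term>` for --certificate= should become `<replaceable>PATH/URI</replaceable>` now that the description allows a URI.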