Bug 100994 - Implement a "trust print-config" command
Summary: Implement a "trust print-config" command
Status: NEW
Alias: None
Product: p11-glue
Classification: Unclassified
Component: p11-kit (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Stef Walter
QA Contact:
Depends on:
Reported: 2017-05-10 20:28 UTC by Kai Engert
Modified: 2017-06-23 18:18 UTC (History)
2 users (show)

See Also:
i915 platform:
i915 features:


Description Kai Engert 2017-05-10 20:28:01 UTC
The dracut project needs to copy the p11-kit-trust.so, plus all trust input to an initramfs for a mimimal environment, such as installers and for kernel boot. At least installers need web access, and the tool to download from the web might be configured to use p11-kit-trust.so

Because dracut is a cross distribution tool, and because distributions may individually choose the directories they use for input to p11-kit-trust.so, it would be helpful to have a dynamic mechanism provided by p11-kit, that prints the directory names that will be dynamically accessed by p11-kit-trust.so

For example, on Fedora, it could work like this, with the following output:

$ trust print-config
Comment 1 Kai Engert 2017-06-23 14:42:08 UTC
Adam, please let us know if you have thoughts about the priority of this.
Comment 2 Adam Williamson 2017-06-23 18:18:44 UTC
Well, it just depends on how likely it is that the bodge we put in dracut will break:

        for _dir in $libdirs; do
            [[ -e $_dir/libnssckbi.so ]] || continue
            # this looks for directory-ish strings in the file
            for _p11roots in $(grep -o --binary-files=text "/[[:alpha:]][[:print:]]*" $_dir/libnssckbi.so) ; do
                # the string can be a :-separated list of dirs
                for _p11root in $(echo "$_p11roots" | tr ':' '\n') ; do
                    # check if it's actually a directory (there are
                    # several false positives in the results)
                    [[ -d "$_p11root" ]] || continue
                    # check if it has some specific subdirs that all
                    # p11-kit trust dirs have
                    [[ -d "${_p11root}/anchors" ]] || continue
                    [[ -d "${_p11root}/blacklist" ]] || continue
                    # so now we know it's really a p11-kit trust dir;
                    # install everything in it

If anything changes to break that grep command or the expectation that all trust dirs will have /anchors and /blacklist subdirectories, we're in trouble. So long as those things hold true, it's not *urgent*.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.