PKCS11/HSM Support for authentication/authorization and signature verification

We have put significant resource into narrowing the attack surface of our device fleets, including the implementation of HSM type security/crypto modules to manage device secrets and PKI duties.
The mender client is the sole component of our stack unable to leverage these security resources, where, as the highest risk vector for attacking our fleet, the OTA updating service should actually provide features supporting the highest level risk mitigation.
Is there any intention to include HSM support in the client roadmap?

Hi @SuicidalLabRat, we do not have short-term plans to add HSM support on the client.

With that said, it is a feature we are aware and it is a matter of priorities and demand. One can always take a look at speeding up features based on our profession services offerings or if something like this would come as a community contribution that would also (obviously :)) speed it up.

I am curious what type of HMS are you using? Is it something like this,

https://www.microchip.com/wwwproducts/en/ATECC608A

Indeed. That is the exact chip we use. It enables all our mutual authentication, signing and secure boot functionality.
Can you point me at the code currently handling menders auth and signature validation? Assuming its contained/modular enough to be reviewed with relative ease.

A good place to start is probably here,