For future reference, because it took me a while to figure this all out. I’m using Yocto Kirkstone 4.0.19, which has openssl 3.0.13. On top of that I’m using mender 4.0.2, the tpm2-pkcs11 0.19 recipe from Wind-River meta-secure-core and the pkcs11-provider 0.5 recipe backported from Scarthgap.
I’ve configured OpenSSL similar to your example above, in `/etc/ssl/openssl.cnf`:

```ini
[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
# Must be active or could break everything
activate = 1

[pkcs11_sect]
module = /usr/lib/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib/pkcs11/libtpm2_pkcs11.so
activate = 1
```
Using pkcs11-tool I’m creating an EC key. I run a script on startup that checks for the key and creates one if it doesn’t exist.

```sh
# First initialize the token
pkcs11-tool --module /usr/lib/pkcs11/libtpm2_pkcs11.so --init-token --label my_token --slot 1 --so-pin 0000
# Then log in as the security officer and set the user PIN
pkcs11-tool --module /usr/lib/pkcs11/libtpm2_pkcs11.so --slot 1 --login --login-type so --init-pin --so-pin 0000 --pin 0000
# Then generate the key
pkcs11-tool --module /usr/lib/pkcs11/libtpm2_pkcs11.so --login --slot 1 --keypairgen --key-type EC:prime256v1 --label my_key --usage-sign --id 01 --pin 0000 --so-pin 0000
# And check OpenSSL can access it (the URI must be quoted, or the shell splits it at the semicolons)
openssl pkey -provider pkcs11 -noout -text -in 'pkcs11:object=my_key;type=private;pin-value=0000'
```
And then configuring Mender to use it, in `mender.conf`:

```json
{
  "Security": {
    "AuthPrivateKey": "pkcs11:object=my_key;type=private;pin-value=0000"
  }
}
```
I actually don’t seem to need to set the OPENSSL_CONF environment variable.
So altogether pretty straightforward once you get the right pieces in place.
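As an added example, not code from the post above or from the Mender or tpm2-pkcs11 projects: one way to write the startup script the post mentions, so that it is safe to run on every boot. It reuses the module path, slot, labels and PINs from the post; the function names, the script file name `ensure-mender-key.sh`, and the `pkcs11-tool` output layouts the two parsing helpers expect are assumptions made here. The important property is that `--init-token` is only ever run when the slot reports an uninitialized token, since re-running it on a live token would destroy the existing key.

```shell
#!/bin/sh
# Added example (not from the post): idempotent boot-time check that the TPM2
# PKCS#11 token is initialized and holds the EC signing key Mender uses.
set -eu

MODULE=/usr/lib/pkcs11/libtpm2_pkcs11.so
SLOT=1            # PKCS#11 slot ID, as passed to --slot
TOKEN_LABEL=my_token
KEY_LABEL=my_key
KEY_ID=01
PIN=0000
SO_PIN=0000

# token_initialized LISTING SLOT_ID
# LISTING is the output of `pkcs11-tool --list-token-slots`. Returns 0 when the
# slot whose ID is SLOT_ID shows the "token initialized" flag, 1 otherwise.
# (Assumed layout: "Slot N (0xID): ..." header, indented "token flags" line.)
token_initialized() {
    slot_hex=$(printf '(0x%x)' "$2")
    printf '%s\n' "$1" | awk -v want="$slot_hex" '
        /^Slot [0-9]+ /  { in_slot = (index($0, want) > 0); next }
        in_slot && /token flags/ && /token initialized/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# key_present LISTING LABEL
# LISTING is the output of `pkcs11-tool --list-objects` after login. Returns 0
# when a "Private Key Object" with the given label is listed, 1 otherwise.
# A public key with the same label is deliberately not enough.
key_present() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Private Key Object/ { in_priv = 1; next }
        /^[^ \t]/             { in_priv = 0 }
        in_priv && /^[ \t]*label:/ {
            sub(/^[ \t]*label:[ \t]*/, "")
            if ($0 == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

ensure_key() {
    slots=$(pkcs11-tool --module "$MODULE" --list-token-slots)
    if ! token_initialized "$slots" "$SLOT"; then
        # First boot only: --init-token on an initialized token would wipe it.
        pkcs11-tool --module "$MODULE" --slot "$SLOT" --init-token \
            --label "$TOKEN_LABEL" --so-pin "$SO_PIN"
        pkcs11-tool --module "$MODULE" --slot "$SLOT" --login --login-type so \
            --so-pin "$SO_PIN" --init-pin --pin "$PIN"
    fi

    objects=$(pkcs11-tool --module "$MODULE" --slot "$SLOT" --login --pin "$PIN" --list-objects)
    if key_present "$objects" "$KEY_LABEL"; then
        echo "key '$KEY_LABEL' already present, nothing to do"
        return 0
    fi

    pkcs11-tool --module "$MODULE" --slot "$SLOT" --login --pin "$PIN" \
        --keypairgen --key-type EC:prime256v1 --label "$KEY_LABEL" \
        --id "$KEY_ID" --usage-sign
    # Confirm the pkcs11 provider configured in openssl.cnf can load the key;
    # this is the same lookup Mender will do with AuthPrivateKey.
    openssl pkey -provider pkcs11 -noout \
        -in "pkcs11:object=$KEY_LABEL;type=private;pin-value=$PIN"
}

# Only act when run as the startup script, so the helpers can be sourced and
# exercised against captured output without touching the TPM.
if [ "${0##*/}" = "ensure-mender-key.sh" ]; then
    ensure_key
fi
```

The two `awk` helpers are what make the script safe to re-run: they decide from the tool's own listings whether the token and the private key already exist, so nothing destructive or duplicate happens on the second boot.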