Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-9.6
Affects Version/s: rhel-9.4
Component/s: pcsc-lite
Labels:
- Accepted
- CY24Q4
- Committed
- rn-yml

Fixed in Build:
pcsc-lite-1.9.4-2.el9
Regression:
None
Severity:
Critical
Epic Link:
CRYPTO-15050
Keywords:

Rebase
sprint_count:
1

AssignedTeam:
rhel-security-crypto
Sub-System Group:

ssg_security

Dev Target Milestone:
13
Internal Target Milestone:
20
Story Points:
1
ACKs Check:

QE ack, Dev ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
Crypto24Q4

Acceptance Criteria:

Hide

AC1) pcscd has --disable-polkit option and it is executed with it

AC2) pcscd does not dump any error when using --disable-polkit option

AC3 (stretch goal)) Verify pcscd is indeed not using the Policy Kit when using --disable-polkit, and PKCS#11 device can be accessed correctly even though Policy Kit is not available.

Show
AC1) pcscd has --disable-polkit option and it is executed with it AC2) pcscd does not dump any error when using --disable-polkit option AC3 (stretch goal)) Verify pcscd is indeed not using the Policy Kit when using --disable-polkit, and PKCS#11 device can be accessed correctly even though Policy Kit is not available.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/140385
Gating Tests:

Not Needed
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
.`pcsd` now provides the `--disable-polkit` option

With this update, you can turn off loading the PolicyKit authorization framework by starting the `pcsd` service with the `--disable-polkit` option. Running `pcsd` without `polkit` enables accessing PKCS #11 devices in limited environments such as the initial RAM disk. As a result, the Clevis decryption client can use a PKCS #11 device for automated unlocking LUKS-encrypted volumes at boot time.

Show
.`pcsd` now provides the `--disable-polkit` option With this update, you can turn off loading the PolicyKit authorization framework by starting the `pcsd` service with the `--disable-polkit` option. Running `pcsd` without `polkit` enables accessing PKCS #11 devices in limited environments such as the initial RAM disk. As a result, the Clevis decryption client can use a PKCS #11 device for automated unlocking LUKS-encrypted volumes at boot time.
Release Note Status:
Done

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

In order to provide a new feature for PKCS#11 unlocking in Clevis, we need to start pcscd without policy-kit at boot time. At this moment, RHEL9 version of pcsc-lite does not include this option.
We need `--disable-polkit` option to have access to PKCS#11 device at boot time.

The following needs to be verified in order for this epic to be considered complete:

1 - Execute pcscd with --disable-polkit option
2 - pcscd does not dump any error when using --disable-polkit option
3 - Verify pcscd is indeed not using the Policy Kit when using --disable-polkit, and PKCS#11 device can be accessed correctly even though Policy Kit is not available.

links to

RHBA-2024:140385 pcsc-lite bug fix and enhancement update

Assignee:: Jakub Jelen

Reporter:: Sergio Arroutbi

Developer:: Jakub Jelen

QA Contact:: George Pantelakis

Doc Contact:: Mirek Jahoda

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2024/04/30 5:12 PM

Updated:: 2025/05/13 8:52 AM

Resolved:: 2025/05/13 8:52 AM

Dev Target end:: 2024/11/18

Target end:: 2025/01/06

Next Planned Release Date:: 2025/05/13

Release Date:: 2025/05/13

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide