The pkcs11 interface

The pkcs11 interface lets a snap use the PKCS#11 Cryptographic Token Interface Standard to reach tokens that another snap exposes through a p11-kit server socket.

The slot is usually declared in a gadget snap and gives access to one specific p11-kit server socket. It is declared as follows:

slots:
    pkcs11-optee-slot-0:
        interface: pkcs11
        pkcs11-socket: /run/p11-kit/pkcs11-optee-slot-0

While the plug is declared in the usual way:

plugs:
    pkcs11-access:
        interface: pkcs11

This interface is restricted because it gives privileged access to potentially sensitive cryptographic token operations.

Interface documentation:

See Interface management and Supported interfaces for further details on how interfaces are used.


Developer details

Auto-connect: no
Super-privileged: yes

Attributes:

  • pkcs11-socket (slot): the path of the p11-kit server socket exposed by the slot. The path must start with /run/p11-kit/.
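As an added example, not snapd's own code, here is a Go validator for the pkcs11-socket attribute. The /run/p11-kit/ prefix rule is the one documented above; the further requirements that the path be absolute, lexically clean, and a single name directly under that directory are assumptions made here, to show why a prefix check on its own would still accept a path such as /run/p11-kit/../../etc/passwd. The SlotAttrs type and the sample slot maps are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// pkcs11SocketPrefix is the directory the interface documentation requires
// for the pkcs11-socket slot attribute.
const pkcs11SocketPrefix = "/run/p11-kit/"

// ValidatePKCS11Socket checks a candidate pkcs11-socket value. The prefix
// rule comes from the interface documentation; the other checks (absolute,
// lexically clean, exactly one file name below the prefix) are assumptions
// of this example so that the prefix rule cannot be bypassed with "..",
// doubled slashes or a nested path.
func ValidatePKCS11Socket(socket string) error {
	if socket == "" {
		return errors.New("pkcs11-socket must not be empty")
	}
	if !path.IsAbs(socket) {
		return fmt.Errorf("pkcs11-socket %q must be an absolute path", socket)
	}
	// "/run/p11-kit/../../etc/passwd" carries the required prefix but resolves
	// outside the directory; requiring Clean(socket) == socket rejects "..",
	// ".", "//" and a trailing slash in one step.
	if path.Clean(socket) != socket {
		return fmt.Errorf("pkcs11-socket %q is not a clean path", socket)
	}
	if !strings.HasPrefix(socket, pkcs11SocketPrefix) {
		return fmt.Errorf("pkcs11-socket %q must start with %s", socket, pkcs11SocketPrefix)
	}
	rest := strings.TrimPrefix(socket, pkcs11SocketPrefix)
	if rest == "" || strings.Contains(rest, "/") {
		return fmt.Errorf("pkcs11-socket %q must name one socket directly under %s", socket, pkcs11SocketPrefix)
	}
	return nil
}

// SlotAttrs stands in for the attribute map of a slot declaration such as
// pkcs11-optee-slot-0 above (constructed for this example).
type SlotAttrs map[string]interface{}

// SocketPathFromSlot extracts and validates the pkcs11-socket attribute and
// returns it. A missing or non-string attribute is rejected.
func SocketPathFromSlot(attrs SlotAttrs) (string, error) {
	v, ok := attrs["pkcs11-socket"]
	if !ok {
		return "", errors.New(`slot has no "pkcs11-socket" attribute`)
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf(`"pkcs11-socket" must be a string, got %T`, v)
	}
	if err := ValidatePKCS11Socket(s); err != nil {
		return "", err
	}
	return s, nil
}

func main() {
	// Constructed sample declarations: the first is the slot shown on this
	// page, the rest exercise the failure modes.
	cases := []SlotAttrs{
		{"pkcs11-socket": "/run/p11-kit/pkcs11-optee-slot-0"}, // accepted
		{"pkcs11-socket": "/run/p11-kit/../../etc/passwd"},    // prefix matches, escapes
		{"pkcs11-socket": "/run/p11-kit/nested/pkcs11-sock"},  // not directly under prefix
		{"pkcs11-socket": "/tmp/pkcs11-sock"},                 // wrong directory
		{"pkcs11-socket": 42},                                 // wrong type
		{},                                                    // attribute missing
	}
	for _, c := range cases {
		if p, err := SocketPathFromSlot(c); err != nil {
			fmt.Printf("reject %v: %v\n", c, err)
		} else {
			fmt.Printf("accept %s\n", p)
		}
	}
}
```

The order of the checks matters: cleaning before the prefix test means the traversal case is rejected for being unclean rather than silently normalised to a path that would then fail or, worse, pass a later lookup.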

Code examples

The test code can be found in the snapd repository:
snapd/interfaces/builtin/pkcs11_test.go at master · canonical/snapd · GitHub

The source code for the interface is in the snapd repository:
snapd/interfaces/builtin/pkcs11.go at master · canonical/snapd · GitHub

I’m trying to figure out how this is supposed to work.

I am one of the people who maintain the official Belgian eID middleware, which (amongst other things) ships a PKCS#11 module.

Enabling the pkcs11 interface for firefox does not work. On plucky, using the “latest/edge” snap, I get:

wouter@ubuntu-test:~$ snap connect firefox:pkcs11
error: snap "firefox" has no plugin named "pkcs11"

I assume this means that PKCS#11 support for the firefox snap is not enabled. Is this correct? If not, what do I need to do?

Additionally, once I manage to connect the PKCS#11 interface to Firefox, I assume I need to go through some special steps to make my PKCS#11 module available for use in snaps? I have it registered with p11-kit, is that sufficient? If not, what other steps would I need to do?

The documentation here is very limited and not at all clear for someone in my position who wants to make things work :)

Thanks.

Sorry for the delay getting back to you. I’m going to put this question to the team, and I totally agree that we need to provide much more information for these interface pages with only the bare minimum.

ping. Any updates here?