commit 17d106ca7c233a3ad709b3e599557560a8a929bd
parent a9b9132117bd5ea14901812c8faa195201e0e1a8
Author: Yannis Juglaret <yjuglaret@mozilla.com>
Date: Wed, 17 Dec 2025 15:21:20 +0000
Bug 1957156 - Start the PKCS#11 module utility process behind a pref in Nightly. r=ipc-reviewers,keeler,nika
This patch adds code that starts the dedicated utility process for
PKCS#11 module loading in Nightly builds. We add a new pref to control
this behavior: security.utility_pkcs11_module_process.enabled
This is preliminary work intended as a helpful basis for future work by
Security Engineering. We don't actually load the modules within the
utility process for the moment.
Differential Revision: https://phabricator.services.mozilla.com/D270692
Diffstat:
2 files changed, 38 insertions(+), 0 deletions(-)
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
@@ -17500,6 +17500,16 @@
value: true
mirror: always
+#if defined(NIGHTLY_BUILD) && !defined(MOZ_NO_SMART_CARDS)
+# If true, load PKCS#11 third-party modules in a dedicated utility process
+# rather than the main process. (Well, that's the long-term goal for the code
+# paths behind this pref, but right now this is still work in progress!)
+- name: security.utility_pkcs11_module_process.enabled
+ type: bool
+ value: false
+ mirror: once
+#endif // NIGHTLY_BUILD && !MOZ_NO_SMART_CARDS
+
- name: security.pki.cert_short_lifetime_in_days
type: RelaxedAtomicUint32
value: 10
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
@@ -79,6 +79,10 @@
# include <sys/vfs.h>
#endif
+#ifndef MOZ_NO_SMART_CARDS
+# include "mozilla/ipc/UtilityProcessManager.h"
+#endif // !MOZ_NO_SMART_CARDS
+
using namespace mozilla;
using namespace mozilla::psm;
@@ -1520,6 +1524,30 @@ nsresult nsNSSComponent::InitializeNSS() {
}
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("inSafeMode: %u\n", inSafeMode));
+#if defined(NIGHTLY_BUILD) && !defined(MOZ_NO_SMART_CARDS)
+ if (!inSafeMode &&
+ StaticPrefs::security_utility_pkcs11_module_process_enabled_AtStartup()) {
+ auto manager = ipc::UtilityProcessManager::GetSingleton();
+ MOZ_ASSERT(manager);
+ if (manager) {
+ // You may need to store the launchPromise in the nsNSSComponent,
+ // depending on how you design its API.
+ auto launchPromise = manager->StartPKCS11Module();
+ launchPromise->Then(
+ GetCurrentSerialEventTarget(), __func__,
+ [](RefPtr<PKCS11ModuleParent>&& parent) {
+ MOZ_RELEASE_ASSERT(parent);
+ },
+ [](base::LaunchError&& aError) {
+ // We ran into a launch error.
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("Failed to start the PKCS#11 process: %s, %ld",
+ aError.FunctionName().get(), aError.ErrorCode()));
+ });
+ }
+ }
+#endif // NIGHTLY_BUILD && !MOZ_NO_SMART_CARDS
+
rv = InitializeNSSWithFallbacks(profileStr, nocertdb, inSafeMode);
MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
if (NS_FAILED(rv)) {
