From 20826c30847f84c891f0bb59e93df22ed7b38f56 Mon Sep 17 00:00:00 2001 From: =?utf8?q?David=20Va=C5=A1ek?= Date: Thu, 16 Oct 2025 15:24:35 +0200 Subject: [PATCH] WIP doc/reference: in keystore section, note that OS privileges may need to be set --- doc/reference.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/reference.rst b/doc/reference.rst index 441c32116e..06ce2765bb 100644 --- a/doc/reference.rst +++ b/doc/reference.rst @@ -1446,6 +1446,11 @@ The PKCS #11 URI Scheme is defined in :rfc:`7512`. "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so" + If access to a PKCS #11 device (HSM) is controlled by the OS, such as by + ``polkit`` utility, and :doc:`knotd` and related utilites + (:doc:`keymgr`, :doc:`kzonesign`) are run + as a non-root user, the privilege control must be configured accordingly in the OS. + *Default:* :ref:`kasp-db`\ ``/keys`` .. _keystore_ksk-only: -- 2.47.3
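Review bot: in the added paragraph of the keystore hunk, "the privilege control must be configured accordingly in the OS" does not tell an operator what to grant or to whom. Say explicitly that the account running ``knotd`` needs access to the PKCS #11 device, and that ``keymgr`` and ``kzonesign`` need the same access when they are invoked under a different non-root account. Otherwise a reader can fix the daemon and still have the utilities fail against the token. Wording in the same lines: "utilites" should be "utilities", and "such as by ``polkit`` utility" reads better as "such as by ``polkit``". The last added line runs noticeably longer than the three above it and should be rewrapped. The subject still carries "WIP", which should be dropped before this is merged.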