Is there a specification of the minimal functionality that an HSM must implement and expose via its PKCS#11 interface (e.g. its provider library) for Unseal/Unwrap of Vault (plus other operations that Vault is able to use with an HSM, eventually)?
The only information I was able to find so far is this:
PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
Also, I looked at Vault’s repo, but did not yet find further details on this, nor source code, which is likely reserved for the Enterprise version only.