Currently if you install securesystemslib and run the tests as instructed (tox or tox -e py), you get:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.10/os.py", line 680, in __getitem__
    raise KeyError(key) from None
KeyError: 'PYKCS11LIB'

This is wrong and likely really hard to figure out for a new developer

• CI should keep running with HSM tests enabled
• By default developer testing must not include HSM tests if the testing setup can't be made fool proof (AFAICT it can't)