From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
To: Quentin Schulz <quentin.schulz@cherry.de>
Cc: u-boot@lists.denx.de, trini@konsulko.com, simon.glass@canonical.com
Subject: Re: EXTERNAL - [PATCH v3 3/3] test: binman: Add test for pkcs11 signed capsule
Date: Thu, 15 Jan 2026 08:48:47 +0100
Message-ID: <aWib34Okz188cYDq@mt.com>
In-Reply-To: <72dbeec9-448c-4828-a887-61a596e4451d@cherry.de>
On Wed, Jan 14, 2026 at 05:36:40PM +0100, Quentin Schulz wrote:
Hello Quentin,
> Hi Wojciech,
>
> I didn't see you had sent a v3 (going through my inbox from older to newer
> :) ). Please ignore review on v2, I'll repeat it here.
>
> On 1/8/26 3:13 PM, Wojciech Dubowik wrote:
> > Test pkcs11 URI support for UEFI capsule generation. For
> > simplicity only private key is defined in binman section
> > as softhsm tool doesn't support certificate import (yet).
> >
> > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
> > Reviewed-by: Simon Glass <simon.glass@canonical.com>
> > ---
> > tools/binman/ftest.py | 42 +++++++++++++++++++
> > .../binman/test/351_capsule_signed_pkcs11.dts | 20 +++++++++
> > 2 files changed, 62 insertions(+)
> > create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
> >
> > diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
> > index 21ec48d86fd1..ad5c2d63900a 100644
> > --- a/tools/binman/ftest.py
> > +++ b/tools/binman/ftest.py
> > @@ -7532,6 +7532,48 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
> > self._CheckCapsule(data, signed_capsule=True)
> > + def testPkcs11SignedCapsuleGen(self):
> > + """Test generation of EFI capsule (with PKCS11)"""
> > + data = tools.read_file(self.TestFile("key.key"))
> > + private_key = self._MakeInputFile("key.key", data)
> > + data = tools.read_file(self.TestFile("key.pem"))
> > + self._MakeInputFile("key.crt", data)
> > +
> > + softhsm2_util = bintool.Bintool.create('softhsm2_util')
> > + self._CheckBintool(softhsm2_util)
> > +
> > + prefix = "testPkcs11SignedCapsuleGen."
> > + # Configure SoftHSMv2
> > + data = tools.read_file(self.TestFile('340_softhsm2.conf'))
> > + softhsm2_conf = self._MakeInputFile(f'{prefix}softhsm2.conf', data)
> > + softhsm2_tokens_dir = self._MakeInputDir(f'{prefix}softhsm2.tokens')
> > + tools.write_file(softhsm2_conf, data +
> > + f'\ndirectories.tokendir = \
> > + {softhsm2_tokens_dir}\n'.encode("utf-8"))
> > +
> > + softhsm_paths="/usr/local/lib/softhsm/libsofthsm2.so \
> > + /usr/lib/softhsm/libsofthsm2.so \
> > + /usr/lib64/pkcs11/libsofthsm2.so \
> > + /usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so \
> > + /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"
> > +
> > + for softhsm2_lib_loc in softhsm_paths.split():
> > + if os.path.exists(softhsm2_lib_loc):
> > + softhsm2_lib = softhsm2_lib_loc
> > +
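Review bot: `softhsm2_lib` is assigned only inside the `if os.path.exists(softhsm2_lib_loc):` branch of the loop, so on a host where none of the five listed paths exists the name is never bound and the later `os.environ['PKCS11_MODULE_PATH'] = softhsm2_lib` fails with an UnboundLocalError instead of a clear skip. Initialise `softhsm2_lib = None` before the loop, `break` on the first hit (as written the last existing path wins, not the first), and call `self.skipTest(...)` when it is still None. Separately, the backslash continuation inside the `directories.tokendir` f-string keeps whatever whitespace starts the next source line as part of the written config line; building the string on one line avoids that.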
>
> This seems brittle, isn't there a better mechanism than this that can be
> offered by distros? For openssl, installing libengine-pkcs11-openssl
> (and setting the provider in the OPENSSL_CONF env variable) was enough.
> Is there something similar to that for gnutls?
I have based my code on gnutls test where the lib has been hardcoded as well.
There could be a better way i.e. with pkg-config but I haven't analyzed it yet.
Also p11 kit might give more info. Need to dig further.
Wojtek
>
> I don't think this will work on arm64 hosts, c.f.
> https://debian.pkgs.org/13/debian-main-arm64/libsofthsm2_2.6.1-3_arm64.deb.html
>
> > + os.environ['SOFTHSM2_CONF'] = softhsm2_conf
> > + tools.run('softhsm2-util', '--init-token', '--free', '--label',
> > + 'U-Boot token', '--pin', '1111', '--so-pin',
> > + '222222')
> > + tools.run('softhsm2-util', '--import', private_key, '--token',
> > + 'U-Boot token', '--label', 'test_key', '--id', '999999',
> > + '--pin', '1111')
> > +
> > + os.environ['PKCS11_MODULE_PATH'] = softhsm2_lib
> > + data = self._DoReadFile('351_capsule_signed_pkcs11.dts')
> > +
> > + self._CheckCapsule(data, signed_capsule=True)
> > +
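Review bot: the `os.environ['SOFTHSM2_CONF']` and `os.environ['PKCS11_MODULE_PATH']` assignments are never undone, so both values stay set for every test that runs afterwards in the same process. Wrap the body in `try`/`finally` that restores the previous values, or use `unittest.mock.patch.dict(os.environ, {...})` as a context manager. The two `tools.run('softhsm2-util', ...)` calls also bypass the `softhsm2_util` bintool that was created and checked a few lines earlier; running the commands through that object would keep the availability check and the invocation tied to the same tool.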
>
> Don't you want to validate it's properly signed?
>
> Cheers,
> Quentin
Thread overview: 6+ messages
2026-01-08 14:13 [PATCH v3 0/3] UEFI Capsule - PKCS11 Support Wojciech Dubowik
2026-01-08 14:13 ` [PATCH v3 1/3] tools: mkeficapsule: Add support for pkcs11 Wojciech Dubowik
2026-01-08 14:13 ` [PATCH v3 2/3] binman: Accept pkcs11 URI tokens for capsule updates Wojciech Dubowik
2026-01-08 14:13 ` [PATCH v3 3/3] test: binman: Add test for pkcs11 signed capsule Wojciech Dubowik
2026-01-14 16:36 ` Quentin Schulz
2026-01-15 7:48 ` Wojciech Dubowik [this message]