From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
To: Simon Glass <sjg@chromium.org>
Cc: u-boot@lists.denx.de, trini@konsulko.com,
simon.glass@canonical.com, quentin.schulz@cherry.de
Subject: Re: EXTERNAL - [PATCH v5 6/6] test: binman: Add test for pkcs11 signed capsule
Date: Mon, 16 Feb 2026 09:49:42 +0100 [thread overview]
Message-ID: <aZLaJj0C5QKc5E2I@mt.com> (raw)
In-Reply-To: <CAFLszThiCuO23=m6zcVw4EHt2HdYX2Dei-91eLdieo9sQA08RQ@mail.gmail.com>
On Fri, Feb 13, 2026 at 10:52:44AM -0700, Simon Glass wrote:
Hi Simon,
> Hi Wojciech,
>
> On Wed, 28 Jan 2026 at 01:06, Wojciech Dubowik <Wojciech.Dubowik@mt.com> wrote:
> >
> > Test pkcs11 URI support for UEFI capsule generation. For
> > simplicity only private key is defined in binman section
> > as softhsm tool doesn't support certificate import (yet).
> >
> > Add bintool support for p11-kit as it's needed in the test
> > to find library path for softhsm2 module.
> >
> > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
> > Reviewed-by: Simon Glass <simon.glass@canonical.com>
> > ---
> > tools/binman/btool/p11_kit.py | 21 ++++++
> > tools/binman/ftest.py | 66 +++++++++++++++++++
> > .../binman/test/351_capsule_signed_pkcs11.dts | 22 +++++++
> > 3 files changed, 109 insertions(+)
> > create mode 100644 tools/binman/btool/p11_kit.py
> > create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
> >
> > diff --git a/tools/binman/btool/p11_kit.py b/tools/binman/btool/p11_kit.py
> > new file mode 100644
> > index 000000000000..9d8d5d848b44
> > --- /dev/null
> > +++ b/tools/binman/btool/p11_kit.py
> > @@ -0,0 +1,21 @@
> > +# SPDX-License-Identifier: GPL-2.0-or-later
> > +# Copyright 2026 Mettler Toledo Technologies GmbH
> > +#
> > +"""Bintool implementation for p11-kit"""
> > +
> > +from binman import bintool
> > +
> > +
> > +class Bintoolp11_kit(bintool.Bintool):
> > + """p11-kit -- support tool for pkcs#11 libraries"""
> > + def __init__(self, name):
> > + super().__init__('p11-kit',
> > + 'Pkcs11 library modules tool',
> > + version_args='list modules')
> > +
> > + def fetch(self, method):
> > + """Install p11-kit via APT """
> > + if method != bintool.FETCH_BIN:
> > + return None
> > +
> > + return self.apt_install('p11-kit')
> > diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
> > index 21ec48d86fd1..a66030c7a56f 100644
> > --- a/tools/binman/ftest.py
> > +++ b/tools/binman/ftest.py
> > @@ -7,6 +7,7 @@
> > # python -m unittest func_test.TestFunctional.testHelp
> >
> > import collections
> > +import configparser
> > import glob
> > import gzip
> > import hashlib
> > @@ -7532,6 +7533,71 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
> >
> > self._CheckCapsule(data, signed_capsule=True)
> >
> > + def testPkcs11SignedCapsuleGen(self):
> > + """Test generation of EFI capsule (with PKCS11)"""
> > + data = tools.read_file(self.TestFile("key.key"))
> > + private_key = self._MakeInputFile("key.key", data)
> > + data = tools.read_file(self.TestFile("key.pem"))
> > + cert_file = self._MakeInputFile("key.crt", data)
> > +
> > + softhsm2_util = bintool.Bintool.create('softhsm2_util')
> > + self._CheckBintool(softhsm2_util)
> > +
> > + prefix = "testPkcs11SignedCapsuleGen."
> > + # Configure SoftHSMv2
> > + data = tools.read_file(self.TestFile('340_softhsm2.conf'))
> > + softhsm2_conf = self._MakeInputFile(f'{prefix}softhsm2.conf', data)
> > + softhsm2_tokens_dir = self._MakeInputDir(f'{prefix}softhsm2.tokens')
> > +
> > + with open(softhsm2_conf, 'a') as f:
> > + f.write(f'directories.tokendir = {softhsm2_tokens_dir}\n')
> > +
> > + # Find the path to softhsm2 library
> > + p11_kit = bintool.Bintool.create('p11-kit')
> > + self._CheckBintool(p11_kit)
> > +
> > + p11_kit_config = configparser.ConfigParser()
> > + out = tools.run('p11-kit', 'print-config')
> > + p11_kit_config.read_string(out)
> > + softhsm2_lib = p11_kit_config.get('softhsm2', 'module',
> > + fallback=None)
> > + self.assertIsNotNone(softhsm2_lib)
> > +
> > + with unittest.mock.patch.dict('os.environ',
> > + {'SOFTHSM2_CONF': softhsm2_conf,
> > + 'PKCS11_MODULE_PATH': softhsm2_lib}):
> > + tools.run('softhsm2-util', '--init-token', '--free', '--label',
> > + 'U-Boot token', '--pin', '1111', '--so-pin',
> > + '222222')
> > + tools.run('softhsm2-util', '--import', private_key, '--token',
> > + 'U-Boot token', '--label', 'test_key', '--id', '999999',
> > + '--pin', '1111')
> > + data = self._DoReadFile('351_capsule_signed_pkcs11.dts')
> > +
> > + self._CheckCapsule(data, signed_capsule=True)
> > +
> > + hdr = self._GetCapsuleHeaders(data)
> > + monotonic_count = hdr['EFI_FIRMWARE_IMAGE_AUTH.MONOTONIC_COUNT']
> > +
> > + # UEFI standard requires that signature is checked over payload followed
> > + # by a monotonic count as little endian 64-bit integer.
> > + sig_input = self._MakeInputFile("sig_input", EFI_CAPSULE_DATA)
> > + with open(sig_input, 'ab') as f:
> > + f.write(struct.pack('<Q', int(monotonic_count, 16)))
> > +
> > + # Verify dumped capsule signature dumped by meficapsule during
> > + # generation
> > + openssl = bintool.Bintool.create('openssl')
> > + self._CheckBintool(openssl)
> > + openssl_args = ['smime', '-verify', '-inform', 'DER',
> > + '-in', tools.get_output_filename('capsule.efi-capsule.p7'),
> > + '-content', sig_input, '-CAfile', cert_file,
> > + '-no_check_time',
> > + '-out', tools.get_output_filename('decoded-capsule.bin')]
> > + result = openssl.run_cmd_result(*openssl_args)
> > + self.assertIsNotNone(result.stdout)
> > + self.assertIn('Verification successful', result.stderr)
> > +
> > def testCapsuleGenVersionSupport(self):
> > """Test generation of EFI capsule with version support"""
> > data = self._DoReadFile('313_capsule_version.dts')
> > diff --git a/tools/binman/test/351_capsule_signed_pkcs11.dts b/tools/binman/test/351_capsule_signed_pkcs11.dts
> > new file mode 100644
> > index 000000000000..ae93bf83936f
> > --- /dev/null
> > +++ b/tools/binman/test/351_capsule_signed_pkcs11.dts
> > @@ -0,0 +1,22 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +
> > +/dts-v1/;
> > +
> > +/ {
> > + binman {
> > + efi-capsule {
> > + image-index = <0x1>;
> > + /* Image GUID for testing capsule update */
> > + image-guid = "binman-test";
> > + hardware-instance = <0x0>;
> > + monotonic-count = <0x1>;
> > + dump-signature;
> > + private-key = "pkcs11:token=U-Boot%20token;object=test_key;type=private;pin-value=1111";
> > + public-key-cert = "key.crt";
> > +
> > + blob {
> > + filename = "capsule_input.bin";
> > + };
> > + };
> > + };
> > +};
> > --
> > 2.47.3
> >
>
> I tried this out but I got a test-coverage failure (binman test -T):
>
> tools/binman/etype/efi_capsule.py 65 1 98%
It's because I test only private-key, public-key-cert is still using local file
and not pkcs11 token. For the latter one needs to import public key certificate
and it's supported only from softhsm2 version 2.7.0.
I didn't want to introduce yet another tool to do the job so this variable is
not yet covered by the test. I just wanted to start with something simple.
So we can leave it and I will adapt it once new softhsm tool is widespread or
I could rewrite it with pkcs11 tool.
Regards,
Wojtek
>
> Regards,
> Simon
next prev parent reply other threads:[~2026-02-16 8:49 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-28 8:05 [PATCH v5 0/6] UEFI Capsule - PKCS11 Support Wojciech Dubowik
2026-01-28 8:05 ` [PATCH v5 1/6] tools: mkeficapsule: Add support for pkcs11 Wojciech Dubowik
2026-02-13 12:56 ` Ilias Apalodimas
2026-02-16 9:01 ` EXTERNAL - " Wojciech Dubowik
2026-02-16 9:52 ` Ilias Apalodimas
2026-01-28 8:05 ` [PATCH v5 2/6] binman: Accept pkcs11 URI tokens for capsule updates Wojciech Dubowik
2026-01-28 8:05 ` [PATCH v5 3/6] tools: mkeficapsule: Fix dump signature long option Wojciech Dubowik
2026-02-13 12:41 ` Ilias Apalodimas
2026-01-28 8:05 ` [PATCH v5 4/6] binman: Add dump signature option to mkeficapsule Wojciech Dubowik
2026-01-28 8:05 ` [PATCH v5 5/6] binman: DTS: Add dump-signature option for capsules Wojciech Dubowik
2026-01-28 8:05 ` [PATCH v5 6/6] test: binman: Add test for pkcs11 signed capsule Wojciech Dubowik
2026-02-13 17:52 ` Simon Glass
2026-02-16 8:49 ` Wojciech Dubowik [this message]
2026-02-13 12:40 ` [PATCH v5 0/6] UEFI Capsule - PKCS11 Support Ilias Apalodimas
2026-02-13 20:20 ` Simon Glass
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aZLaJj0C5QKc5E2I@mt.com \
--to=wojciech.dubowik@mt.com \
--cc=quentin.schulz@cherry.de \
--cc=simon.glass@canonical.com \
--cc=sjg@chromium.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.