From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
To: Simon Glass <sjg@chromium.org>
Cc: u-boot@lists.denx.de, ilias.apalodimas@linaro.org,
trini@konsulko.com, simon.glass@canonical.com,
quentin.schulz@cherry.de
Subject: Re: EXTERNAL - [PATCH v6 0/6] UEFI Capsule - PKCS11 Support
Date: Fri, 20 Feb 2026 10:13:20 +0100
Message-ID: <aZglsLcTv87S07By@mt.com>
In-Reply-To: <CAFLszTjNx8_eew0p1uQK_k4tR81SDtBPpNmDSVVBmZcc2mG3cA@mail.gmail.com>
On Thu, Feb 19, 2026 at 07:39:04PM -0700, Simon Glass wrote:
Hi Simon,
> Hi Wojciech,
>
> On Thu, 19 Feb 2026 at 06:12, Simon Glass <sjg@chromium.org> wrote:
> >
> > Hi Wojciech,
> >
> > On Tue, 17 Feb 2026 at 04:53, Wojciech Dubowik <Wojciech.Dubowik@mt.com> wrote:
> > >
> > > Add support for pkcs11 URIs when generating UEFI capsules and
> > > accept URIs for certificate in dts capsule nodes.
> > > Example:
> > > export PKCS11_MODULE_PATH=<pkcs11 provider path>/libsofthsm2.so
> > > tools/mkeficapsule --monotonic-count 1 \
> > > --private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \
> > > --certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \
> > > --index 1 \
> > > --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
> > > "capsule-payload" \
> > > "capsule.cap"
> > > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
> > > ---
> > > Changes in v6:
> > > * mkeficapsule: use strlen instead of hardcoded values
> > > Changes in v5:
> > > * add bin wrappers in test for all external tools
> > > * improve error handling in python test
> > > * fix data types in python
> > > * standardize option name in mkeficapsule
> > > * fix typos
> > > Changes in v4:
> > > * adapt mkeficapsule python support to dump detached signature
> > > for authenticated capsules
> > > * verify detached capsule signature with openssl after generation
> > > * use p11-kit to figure out location of softhsm2 library
> > > * fix missing long option for dumping signatures in mkeficapsule
> > > Changes in v3:
> > > * fix write file encoding, env setting and extra line in binman test
> > > after review
> > > Changes in v2:
> > > * allow mixed file/pkcs11 URI as key specification in mkeficapsule
> > > * fix logic for accepting pkcs11 URI in binman device tree sections
> > > * add binman test for UEFI capsule signature where private key comes
> > > from softHSM
> > > ---
> > > Wojciech Dubowik (6):
> > > tools: mkeficapsule: Add support for pkcs11
> > > binman: Accept pkcs11 URI tokens for capsule updates
> > > tools: mkeficapsule: Fix dump signature long option
> > > binman: Add dump signature option to mkeficapsule
> > > binman: DTS: Add dump-signature option for capsules
> > > test: binman: Add test for pkcs11 signed capsule
> > >
> > > doc/mkeficapsule.1 | 4 +-
> > > tools/binman/btool/mkeficapsule.py | 8 +-
> > > tools/binman/btool/p11_kit.py | 21 ++++
> > > tools/binman/entries.rst | 4 +
> > > tools/binman/etype/efi_capsule.py | 17 ++-
> > > tools/binman/ftest.py | 66 ++++++++++
> > > .../binman/test/351_capsule_signed_pkcs11.dts | 22 ++++
> > > tools/mkeficapsule.c | 113 +++++++++++++-----
> > > 8 files changed, 221 insertions(+), 34 deletions(-)
> > > create mode 100644 tools/binman/btool/p11_kit.py
> > > create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
> > >
> > > --
> > > 2.47.3
> > >
> >
> > Please make sure that you have 100% test coverage now. CI will fail
> > without it. If you need help on covering some code, please let me
> > know.
>
> Please note though that the only goal is to cover the code. Binman is
> full of fakes and other techniques to do that with the minimum of
> effort.
I have added pkcs11 tool support and now on my setup I get 100% test
coverage. I will send it in v7.
Regards,
Wojtek
>
> Regards,
> Simon
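
An added example, not code from this patch series or from U-Boot: a Python sketch of telling a plain file path from a pkcs11 URI (the mixed file/pkcs11 key specification mentioned in the v2 changelog) and parsing the URI attributes used in the example command. The function names and the pre-signing checks (type matches the option, an object or id is named, no inline `pin-value`) are assumptions made for illustration.

```python
from urllib.parse import unquote

PKCS11_SCHEME = "pkcs11:"

def parse_key_spec(spec):
    """Return ("file", path) or ("pkcs11", attrs) for a key/certificate argument."""
    if not spec.startswith(PKCS11_SCHEME):
        return "file", spec
    body = spec[len(PKCS11_SCHEME):]
    path, _, query = body.partition("?")
    attrs = {}
    # RFC 7512 separates path attributes with ';' and query attributes with '&'.
    # The cover letter's example carries pin-source in the ';' part, so accept both.
    for part in path.split(";") + query.split("&"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed pkcs11 attribute: {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate pkcs11 attribute: {name!r}")
        attrs[name] = unquote(value)  # values may be percent-encoded
    return "pkcs11", attrs

def check_signing_pair(private_key, certificate):
    """Collect problems a build script would want to catch before signing."""
    problems = []
    for label, spec, want in (("private-key", private_key, "private"),
                              ("certificate", certificate, "cert")):
        kind, attrs = parse_key_spec(spec)
        if kind == "file":
            continue  # plain path: nothing URI-specific to check
        if "object" not in attrs and "id" not in attrs:
            problems.append(f"{label}: no object or id attribute")
        if attrs.get("type", want) != want:
            problems.append(f"{label}: type={attrs['type']}, expected {want}")
        if "pin-value" in attrs:
            problems.append(f"{label}: PIN embedded in URI, use pin-source")
    return problems

if __name__ == "__main__":
    # URIs as in the cover letter's example command.
    key = "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt"
    cert = "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt"
    print(parse_key_spec(key))
    print(check_signing_pair(key, cert) or "no problems")
```
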
Thread overview: 14+ messages
2026-02-17 11:53 [PATCH v6 0/6] UEFI Capsule - PKCS11 Support Wojciech Dubowik
2026-02-17 11:53 ` [PATCH v6 1/6] tools: mkeficapsule: Add support for pkcs11 Wojciech Dubowik
2026-02-17 11:53 ` [PATCH v6 2/6] binman: Accept pkcs11 URI tokens for capsule updates Wojciech Dubowik
2026-02-17 11:53 ` [PATCH v6 3/6] tools: mkeficapsule: Fix dump signature long option Wojciech Dubowik
2026-02-17 11:53 ` [PATCH v6 4/6] binman: Add dump signature option to mkeficapsule Wojciech Dubowik
2026-02-19 14:31 ` Simon Glass
2026-02-19 15:23 ` EXTERNAL - " Wojciech Dubowik
2026-02-23 17:51 ` Simon Glass
2026-02-17 11:53 ` [PATCH v6 5/6] binman: DTS: Add dump-signature option for capsules Wojciech Dubowik
2026-02-17 11:53 ` [PATCH v6 6/6] test: binman: Add test for pkcs11 signed capsule Wojciech Dubowik
2026-02-19 13:12 ` [PATCH v6 0/6] UEFI Capsule - PKCS11 Support Simon Glass
2026-02-19 13:23 ` EXTERNAL - " Wojciech Dubowik
2026-02-20 2:39 ` Simon Glass
2026-02-20 9:13 ` Wojciech Dubowik [this message]