public inbox for u-boot@lists.denx.de
From: Tom Rini <trini@konsulko.com>
To: Simon Glass <sjg@chromium.org>
Cc: Quentin Schulz <quentin.schulz@cherry.de>,
	Quentin Schulz <foss+uboot@0leil.net>,
	u-boot@lists.denx.de, Aristo Chen <jj251510319013@gmail.com>,
	Rasmus Villemoes <ravi@prevas.dk>,
	Marek Vasut <marek.vasut+renesas@mailbox.org>,
	Paul HENRYS <paul.henrys_ext@softathome.com>,
	Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Shiji Yang <yangshiji66@outlook.com>,
	Anton Moryakov <ant.v.moryakov@gmail.com>,
	Alper Nebi Yasak <alpernebiyasak@gmail.com>,
	Alice Guo <alice.guo@nxp.com>, Bryan Brattlof <bb@ti.com>,
	Wolfgang Wallner <wolfgang.wallner@br-automation.com>,
	Peter Robinson <pbrobinson@gmail.com>,
	Eddie Kovsky <ekovsky@redhat.com>,
	Kever Yang <kever.yang@rock-chips.com>,
	Yannic Moog <y.moog@phytec.de>
Subject: Re: [PATCH v3 4/4] tools: binman: fit: add tests for signing with an OpenSSL engine
Date: Tue, 2 Dec 2025 14:14:51 -0600
Message-ID: <20251202201451.GL303283@bill-the-cat>
In-Reply-To: <CAFLszTh1Tt1=9SOHf1WdnENB3q1E7vdq4mK4XjPC7Bob5gQoEw@mail.gmail.com>

On Tue, Dec 02, 2025 at 08:06:02PM +0000, Simon Glass wrote:
> Hi Quentin,
> 
> On Wed, 26 Nov 2025 at 04:44, Quentin Schulz <quentin.schulz@cherry.de> wrote:
> >
> > Hi Simon,
> >
> > On 11/25/25 11:15 PM, Simon Glass wrote:
> > > Hi Quentin,
> > >
> > > On Fri, 21 Nov 2025 at 10:15, Quentin Schulz <foss+uboot@0leil.net> wrote:
> > >>
> > >> From: Quentin Schulz <quentin.schulz@cherry.de>
> > >>
> > >> This adds a test that signs a FIT and verifies the signature with
> > >> fit_check_sign.
> > >>
> > >> OpenSSL engines are typically for signing with external HW so it's not
> > >> that straightforward to simulate.
> > >>
> > >> For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA
> > >> 4096 private key is made available. It can be selected by setting the
> > >> OpenSSL engine argument to dummy-rsa-engine. This can only be done if
> > >> the engine is detected by OpenSSL, which works by setting the
> > >> OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine
> > >> is properly implementing what is expected from an RSA engine, but it
> > >> seems to be enough for testing.
> > >>
> > >> For a simple PKCS11 engine, SoftHSMv2 is used, which allows doing PKCS11
> > >> without specific hardware. The keypairs and tokens are generated on the
> > >> fly. The "prod" token is generated with a different PIN (1234 instead of
> > >> 1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it.
> > >>
> > >> Binman will not mess with the local SoftHSMv2 setup as it will only use
> > >> tokens from a per-test temporary directory enforced via the temporary
> > >> configuration file set via SOFTHSM2_CONF env variable in the tests. The
> > >> files created in the input dir should NOT be named the same as it is
> > >> shared between all tests in the same process (which is all tests when
> > >> running binman with -P 1 or with -T).
> > >>
> > >> Once signed, it's checked with fit_check_sign with the associated
> > >> certificate.
> > >>
> > >> Finally, a new softhsm2_util bintool is added so that we can initialize
> > >> the token and import keypairs. On Debian, the package also brings
> > >> libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It
> > >> is not the only package required though, as it also needs p11-kit and
> > >> libengine-pkcs11-openssl (the latter bringing the former). We can detect
> > >> if it's properly installed by running openssl engine dynamic -c pkcs11.
> > >> If that fails, we simply skip the test.
> > >> The package is installed in the CI container by default.
> > >>
> > >> Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
> > >> ---
> > >>   tools/binman/btool/softhsm2_util.py                |  21 ++
> > >>   tools/binman/ftest.py                              | 223 +++++++++++++++++++++
> > >>   tools/binman/test/340_dummy-rsa4096.crt            |  31 +++
> > >>   tools/binman/test/340_fit_signature_engine.dts     |  99 +++++++++
> > >>   .../test/340_fit_signature_engine_encrypt.dts      | 100 +++++++++
> > >>   .../test/340_fit_signature_engine_pkcs11.dts       |  99 +++++++++
> > >>   .../340_fit_signature_engine_pkcs11_object.dts     | 100 +++++++++
> > >>   tools/binman/test/340_openssl.conf                 |  10 +
> > >>   tools/binman/test/340_softhsm2.conf                |  16 ++
> > >>   tools/binman/test/Makefile                         |   6 +-
> > >>   tools/binman/test/dummy-rsa-engine.c               | 149 ++++++++++++++
> > >>   11 files changed, 853 insertions(+), 1 deletion(-)
> > >
> > > Not sure of the changes from last time, but I assume the test coverage
> > > is finished.
> > >
> >
> > They are listed in the cover letter in the Changes section.
> >
> > $ b4 diff -v 2 3 --
> > https://lore.kernel.org/u-boot/20251121-binman-engine-v3-0-b80180aaa783@cherry.de/T/\#t
> >
> > will show you the git-range-diff between both versions for a given commit.
> 
> I normally review just in email (often on a Chromebook) so I don't
> have that. It is also an extra step and I don't know where your log
> argument comes from. It would be better to put the change log in the
> patch as well.

The cover letter is just an email. Perhaps a handy tips bit of
documentation (and external ref to the general b4 docs) would be
helpful, especially since b4 is a common and widely used tool these
days.

-- 
Tom
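
The per-test SoftHSMv2 isolation and the pkcs11 engine probe described in the quoted commit message, as an added example that is not part of this thread or of the binman test code. The function names, the minimal config contents and the SO PIN are assumptions made here; the PIN 1234, the "prod" label, SOFTHSM2_CONF and MKIMAGE_SIGN_PIN come from the commit message.

```python
import os
import shutil
import subprocess
import tempfile

def write_softhsm2_conf(workdir):
    """Create a private token store and config under workdir; return the config path."""
    tokendir = os.path.join(workdir, "tokens")
    os.makedirs(tokendir, mode=0o700, exist_ok=True)
    conf = os.path.join(workdir, "softhsm2.conf")
    with open(conf, "w") as f:  # constructed minimal config, not the 340_softhsm2.conf file
        f.write(f"directories.tokendir = {tokendir}\n"
                "objectstore.backend = file\n"
                "log.level = ERROR\n")
    return conf

def isolated_env(conf, pin=None, base=None):
    """Copy the environment so SoftHSMv2 only sees conf; the caller's env is untouched."""
    env = dict(os.environ if base is None else base)
    env["SOFTHSM2_CONF"] = conf
    if pin is not None:
        env["MKIMAGE_SIGN_PIN"] = pin  # PIN mkimage uses for the token
    return env

def pkcs11_engine_available(env):
    """True only if `openssl engine dynamic -c pkcs11` succeeds; otherwise skip the test."""
    try:
        res = subprocess.run(["openssl", "engine", "dynamic", "-c", "pkcs11"],
                             env=env, capture_output=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return res.returncode == 0

def init_token(env, label, pin, so_pin):
    """Initialise a token in the isolated store; False if softhsm2-util is missing."""
    tool = shutil.which("softhsm2-util")
    if tool is None:
        return False
    subprocess.run([tool, "--init-token", "--free", "--label", label,
                    "--pin", pin, "--so-pin", so_pin],
                   env=env, check=True, capture_output=True)
    return True

if __name__ == "__main__":
    with tempfile.TemporaryDirectory(prefix="binman-hsm-") as tmp:
        env = isolated_env(write_softhsm2_conf(tmp), pin="1234")
        if not pkcs11_engine_available(env):
            print("pkcs11 engine not usable, skipping")
        else:  # "000000" is a constructed SO PIN for a throwaway token
            print("token created:", init_token(env, "prod", "1234", "000000"))
```

Because the token directory lives under the temporary directory and is only reachable through the copied environment, the user's own SoftHSMv2 tokens are never read or modified.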
