* [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option
From: Wojciech Dubowik @ 2026-04-09 7:47 UTC (permalink / raw)
To: u-boot
Cc: Wojciech Dubowik, Franz Schnyder, trini,
openembedded-core @ lists . openembedded . org, Francesco Dolcini
Some distros are using gnutls library without pkcs11 support
and linking of mkeficapsule will fail. Add disable pkcs11
option with default set to no so distros can control this
feature with config option.
Suggested-by: Tom Rini <trini@konsulko.com>
Cc: Franz Schnyder <fra.schnyder@gmail.com>
Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
---
tools/Kconfig | 8 ++++++++
tools/Makefile | 3 +++
tools/mkeficapsule.c | 14 ++++++++++++++
3 files changed, 25 insertions(+)
diff --git a/tools/Kconfig b/tools/Kconfig
index ef33295b8ecd..ccc878595d3b 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -114,6 +114,14 @@ config TOOLS_MKEFICAPSULE
optionally sign that file. If you want to enable UEFI capsule
update feature on your target, you certainly need this.
+config MKEFICAPSULE_DISABLE_PKCS11
+ bool "Disable pkcs11 support"
+ depends on TOOLS_MKEFICAPSULE
+ default n
+ help
+ Disable pkcs11 support. Can be used in cases when host GnuTLS
+ library doesn't support it.
+
menuconfig FSPI_CONF_HEADER
bool "FlexSPI Header Configuration"
help
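Review bot: `default n` is already what a Kconfig bool gets without a default line, so it can be dropped; the help text is the part that needs more, because "Can be used in cases when host GnuTLS library doesn't support it" does not say what goes wrong otherwise (the commit message does: linking mkeficapsule fails against a gnutls built without pkcs11). Since the guards in mkeficapsule.c all become `#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11`, a positive symbol such as `MKEFICAPSULE_PKCS11` with `default y` would express the same default without the double negative and make the later `#else` arms read as the "support compiled out" case they are.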
diff --git a/tools/Makefile b/tools/Makefile
index 1a5f425ecdaa..60e84bfbf20d 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -271,6 +271,9 @@ mkeficapsule-objs := generated/lib/uuid.o \
$(LIBFDT_OBJS) \
mkeficapsule.o
hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
+ifeq ($(CONFIG_MKEFICAPSULE_DISABLE_PKCS11),y)
+HOSTCFLAGS_mkeficapsule.o += -DCONFIG_MKEFICAPSULE_DISABLE_PKCS11
+endif
include tools/fwumdata_src/fwumdata.mk
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
index ec640c57e8a5..ad1c46f0e909 100644
--- a/tools/mkeficapsule.c
+++ b/tools/mkeficapsule.c
@@ -229,9 +229,11 @@ static int create_auth_data(struct auth_context *ctx)
gnutls_pkcs7_t pkcs7;
gnutls_datum_t data;
gnutls_datum_t signature;
+#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
gnutls_pkcs11_obj_t *obj_list;
unsigned int obj_list_size = 0;
const char *lib;
+#endif
int ret;
bool pkcs11_cert = false;
bool pkcs11_key = false;
@@ -242,6 +244,7 @@ static int create_auth_data(struct auth_context *ctx)
if (!strncmp(ctx->key_file, "pkcs11:", strlen("pkcs11:")))
pkcs11_key = true;
+#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
if (pkcs11_cert || pkcs11_key) {
lib = getenv("PKCS11_MODULE_PATH");
if (!lib) {
@@ -259,6 +262,7 @@ static int create_auth_data(struct auth_context *ctx)
return -1;
}
}
+#endif
if (!pkcs11_cert) {
ret = read_bin_file(ctx->cert_file, &cert.data, &file_size);
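Review bot: with CONFIG_MKEFICAPSULE_DISABLE_PKCS11 defined, a "pkcs11:" certificate or key URL gets past this point with `pkcs11_cert` / `pkcs11_key` still set and is only refused later when the certificate or key is loaded, while the prefix checks above this hunk keep running unconditionally. An `#else` arm on this guard that fails as soon as either flag is set, for example
  #else
  if (pkcs11_cert || pkcs11_key) { fprintf(stderr, "pkcs11 URLs not supported in this build\n"); return -1; }
  #endif
would refuse the request in one place, make the two later `#else` arms unnecessary, and guarantee that cleanup code conditioned on these flags later in the function (the gnutls_pkcs11_deinit() call raised elsewhere in the thread) can never be reached in a build where that symbol is compiled out.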
@@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)
/* load x509 certificate */
if (pkcs11_cert) {
+#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
ctx->cert_file, 0);
if (ret < 0 || obj_list_size == 0) {
@@ -309,6 +314,10 @@ static int create_auth_data(struct auth_context *ctx)
}
gnutls_x509_crt_import_pkcs11(x509, obj_list[0]);
+#else
+ fprintf(stdout, "Pkcs11 support is disabled\n");
+ return -1;
+#endif
} else {
ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
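Review bot: the "Pkcs11 support is disabled" message in the `#else` arm is written to stdout, whereas the surrounding failures in this function report via `fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));`; use stderr and name the build option so the user can tell the rejection is a configuration choice rather than a bad URL, e.g. `fprintf(stderr, "%s: pkcs11 URLs not supported (CONFIG_MKEFICAPSULE_DISABLE_PKCS11)\n", ctx->cert_file);`. Separately, the unchanged context line `gnutls_x509_crt_import_pkcs11(x509, obj_list[0]);` discards its return value while the `gnutls_x509_crt_import()` call in the `else` branch is checked; pre-existing, but worth a follow-up patch since a failed import here leaves x509 empty and the error surfaces later with a less useful message.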
@@ -320,12 +329,17 @@ static int create_auth_data(struct auth_context *ctx)
/* load a private key */
if (pkcs11_key) {
+#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
ret = gnutls_privkey_import_pkcs11_url(pkey, ctx->key_file);
if (ret < 0) {
fprintf(stderr, "error in %d: %s\n", __LINE__,
gnutls_strerror(ret));
return -1;
}
+#else
+ fprintf(stdout, "Pkcs11 support is disabled\n");
+ return -1;
+#endif
} else {
ret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM,
0, 0);
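Review bot: same stdout/stderr inconsistency as in the certificate branch; the disabled-support message should go to stderr like the adjacent `fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));`. This `#else` arm is also byte-for-byte identical to the one in the certificate branch (same message, same `return -1;`), which argues for one up-front rejection of "pkcs11:" URLs, or at least a small static helper, rather than two copies that have to be kept in sync.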
--
2.47.3
* Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option
From: Franz Schnyder @ 2026-04-16 15:51 UTC (permalink / raw)
To: Wojciech Dubowik
Cc: u-boot, trini, openembedded-core @ lists . openembedded . org,
Francesco Dolcini
On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:
> Some distros are using gnutls library without pkcs11 support
> and linking of mkeficapsule will fail. Add disable pkcs11
> option with default set to no so distros can control this
> feature with config option.
>
> Suggested-by: Tom Rini <trini@konsulko.com>
> Cc: Franz Schnyder <fra.schnyder@gmail.com>
> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
> ---
> tools/Kconfig | 8 ++++++++
> tools/Makefile | 3 +++
> tools/mkeficapsule.c | 14 ++++++++++++++
> 3 files changed, 25 insertions(+)
>
> diff --git a/tools/Kconfig b/tools/Kconfig
> index ef33295b8ecd..ccc878595d3b 100644
> --- a/tools/Kconfig
> +++ b/tools/Kconfig
> @@ -114,6 +114,14 @@ config TOOLS_MKEFICAPSULE
> optionally sign that file. If you want to enable UEFI capsule
> update feature on your target, you certainly need this.
>
> +config MKEFICAPSULE_DISABLE_PKCS11
> + bool "Disable pkcs11 support"
> + depends on TOOLS_MKEFICAPSULE
> + default n
> + help
> + Disable pkcs11 support. Can be used in cases when host GnuTLS
> + library doesn't support it.
> +
> menuconfig FSPI_CONF_HEADER
> bool "FlexSPI Header Configuration"
> help
> diff --git a/tools/Makefile b/tools/Makefile
> index 1a5f425ecdaa..60e84bfbf20d 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -271,6 +271,9 @@ mkeficapsule-objs := generated/lib/uuid.o \
> $(LIBFDT_OBJS) \
> mkeficapsule.o
> hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
> +ifeq ($(CONFIG_MKEFICAPSULE_DISABLE_PKCS11),y)
> +HOSTCFLAGS_mkeficapsule.o += -DCONFIG_MKEFICAPSULE_DISABLE_PKCS11
> +endif
>
> include tools/fwumdata_src/fwumdata.mk
>
> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> index ec640c57e8a5..ad1c46f0e909 100644
> --- a/tools/mkeficapsule.c
> +++ b/tools/mkeficapsule.c
> @@ -229,9 +229,11 @@ static int create_auth_data(struct auth_context *ctx)
> gnutls_pkcs7_t pkcs7;
> gnutls_datum_t data;
> gnutls_datum_t signature;
> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
> gnutls_pkcs11_obj_t *obj_list;
> unsigned int obj_list_size = 0;
> const char *lib;
> +#endif
> int ret;
> bool pkcs11_cert = false;
> bool pkcs11_key = false;
> @@ -242,6 +244,7 @@ static int create_auth_data(struct auth_context *ctx)
> if (!strncmp(ctx->key_file, "pkcs11:", strlen("pkcs11:")))
> pkcs11_key = true;
>
> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
> if (pkcs11_cert || pkcs11_key) {
> lib = getenv("PKCS11_MODULE_PATH");
> if (!lib) {
> @@ -259,6 +262,7 @@ static int create_auth_data(struct auth_context *ctx)
> return -1;
> }
> }
> +#endif
>
> if (!pkcs11_cert) {
> ret = read_bin_file(ctx->cert_file, &cert.data, &file_size);
> @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)
>
> /* load x509 certificate */
> if (pkcs11_cert) {
> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
> ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
> ctx->cert_file, 0);
> if (ret < 0 || obj_list_size == 0) {
> @@ -309,6 +314,10 @@ static int create_auth_data(struct auth_context *ctx)
> }
>
> gnutls_x509_crt_import_pkcs11(x509, obj_list[0]);
> +#else
> + fprintf(stdout, "Pkcs11 support is disabled\n");
> + return -1;
> +#endif
> } else {
> ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);
> if (ret < 0) {
> @@ -320,12 +329,17 @@ static int create_auth_data(struct auth_context *ctx)
>
> /* load a private key */
> if (pkcs11_key) {
> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
> ret = gnutls_privkey_import_pkcs11_url(pkey, ctx->key_file);
> if (ret < 0) {
> fprintf(stderr, "error in %d: %s\n", __LINE__,
> gnutls_strerror(ret));
> return -1;
> }
> +#else
> + fprintf(stdout, "Pkcs11 support is disabled\n");
> + return -1;
> +#endif
> } else {
> ret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM,
> 0, 0);
> --
> 2.47.3
>
Hi Wojciech,
Shouldn't it be the other way around? Use of pkcs11 should be disabled
by default and enabled if required. As it is now, it would still depend
on the gnutls library having pkcs11 support and therefore still
would break our OE builds with mainline u-boot if we don't change our
modules defconfig.
kind regards
Franz
* Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option
From: Wojciech Dubowik @ 2026-04-20 8:14 UTC (permalink / raw)
To: Franz Schnyder
Cc: u-boot, trini, openembedded-core @ lists . openembedded . org,
Francesco Dolcini
On Thu, Apr 16, 2026 at 05:51:13PM +0200, Franz Schnyder wrote:
Hello Franz,
> On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:
> > Some distros are using gnutls library without pkcs11 support
> > and linking of mkeficapsule will fail. Add disable pkcs11
> > option with default set to no so distros can control this
> > feature with config option.
> >
> > Suggested-by: Tom Rini <trini@konsulko.com>
> > Cc: Franz Schnyder <fra.schnyder@gmail.com>
> > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
> > ---
> > tools/Kconfig | 8 ++++++++
> > tools/Makefile | 3 +++
> > tools/mkeficapsule.c | 14 ++++++++++++++
> > 3 files changed, 25 insertions(+)
> >
> > diff --git a/tools/Kconfig b/tools/Kconfig
> > index ef33295b8ecd..ccc878595d3b 100644
> > --- a/tools/Kconfig
> > +++ b/tools/Kconfig
> > @@ -114,6 +114,14 @@ config TOOLS_MKEFICAPSULE
> > optionally sign that file. If you want to enable UEFI capsule
> > update feature on your target, you certainly need this.
> >
> > +config MKEFICAPSULE_DISABLE_PKCS11
> > + bool "Disable pkcs11 support"
> > + depends on TOOLS_MKEFICAPSULE
> > + default n
> > + help
> > + Disable pkcs11 support. Can be used in cases when host GnuTLS
> > + library doesn't support it.
> > +
> > menuconfig FSPI_CONF_HEADER
> > bool "FlexSPI Header Configuration"
> > help
> > diff --git a/tools/Makefile b/tools/Makefile
> > index 1a5f425ecdaa..60e84bfbf20d 100644
> > --- a/tools/Makefile
> > +++ b/tools/Makefile
> > @@ -271,6 +271,9 @@ mkeficapsule-objs := generated/lib/uuid.o \
> > $(LIBFDT_OBJS) \
> > mkeficapsule.o
> > hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
> > +ifeq ($(CONFIG_MKEFICAPSULE_DISABLE_PKCS11),y)
> > +HOSTCFLAGS_mkeficapsule.o += -DCONFIG_MKEFICAPSULE_DISABLE_PKCS11
> > +endif
> >
> > include tools/fwumdata_src/fwumdata.mk
> >
> > diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> > index ec640c57e8a5..ad1c46f0e909 100644
> > --- a/tools/mkeficapsule.c
> > +++ b/tools/mkeficapsule.c
> > @@ -229,9 +229,11 @@ static int create_auth_data(struct auth_context *ctx)
> > gnutls_pkcs7_t pkcs7;
> > gnutls_datum_t data;
> > gnutls_datum_t signature;
> > +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
> > gnutls_pkcs11_obj_t *obj_list;
> > unsigned int obj_list_size = 0;
> > const char *lib;
> > +#endif
> > int ret;
> > bool pkcs11_cert = false;
> > bool pkcs11_key = false;
> > @@ -242,6 +244,7 @@ static int create_auth_data(struct auth_context *ctx)
> > if (!strncmp(ctx->key_file, "pkcs11:", strlen("pkcs11:")))
> > pkcs11_key = true;
> >
> > +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
> > if (pkcs11_cert || pkcs11_key) {
> > lib = getenv("PKCS11_MODULE_PATH");
> > if (!lib) {
> > @@ -259,6 +262,7 @@ static int create_auth_data(struct auth_context *ctx)
> > return -1;
> > }
> > }
> > +#endif
> >
> > if (!pkcs11_cert) {
> > ret = read_bin_file(ctx->cert_file, &cert.data, &file_size);
> > @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)
> >
> > /* load x509 certificate */
> > if (pkcs11_cert) {
> > +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
> > ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
> > ctx->cert_file, 0);
> > if (ret < 0 || obj_list_size == 0) {
> > @@ -309,6 +314,10 @@ static int create_auth_data(struct auth_context *ctx)
> > }
> >
> > gnutls_x509_crt_import_pkcs11(x509, obj_list[0]);
> > +#else
> > + fprintf(stdout, "Pkcs11 support is disabled\n");
> > + return -1;
> > +#endif
> > } else {
> > ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);
> > if (ret < 0) {
> > @@ -320,12 +329,17 @@ static int create_auth_data(struct auth_context *ctx)
> >
> > /* load a private key */
> > if (pkcs11_key) {
> > +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
> > ret = gnutls_privkey_import_pkcs11_url(pkey, ctx->key_file);
> > if (ret < 0) {
> > fprintf(stderr, "error in %d: %s\n", __LINE__,
> > gnutls_strerror(ret));
> > return -1;
> > }
> > +#else
> > + fprintf(stdout, "Pkcs11 support is disabled\n");
> > + return -1;
> > +#endif
> > } else {
> > ret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM,
> > 0, 0);
> > --
> > 2.47.3
> >
>
> Hi Wojciech,
>
> Shouldn't it be the other way around? Use of pkcs11 should be disabled
> by default and enabled if required. As it is now, it would still depend
> on the gnutls library having pkcs11 support and therefore still
> would break our OE builds with mainline u-boot if we don't change our
> modules defconfig.
As far as I understand, gnutls is built by default with pkcs11 support. So for
most distributions it should be ok. Security by default.
I don't have any strong opinion on this, but default enabled has been suggested
by the maintainer.
Regards,
Wojtek
>
> kind regards
>
> Franz
* Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option
From: Francesco Dolcini @ 2026-04-20 8:50 UTC (permalink / raw)
To: Wojciech Dubowik, trini, openembedded-core, Paul Barker
Cc: Franz Schnyder, u-boot, Francesco Dolcini
+ Paul Barker
Hello all,
On Mon, Apr 20, 2026 at 10:14:46AM +0200, Wojciech Dubowik wrote:
> On Thu, Apr 16, 2026 at 05:51:13PM +0200, Franz Schnyder wrote:
> > On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:
> > > Some distros are using gnutls library without pkcs11 support
> > > and linking of mkeficapsule will fail. Add disable pkcs11
> > > option with default set to no so distros can control this
> > > feature with config option.
> > Shouldn't it be the other way around? Use of pkcs11 should be disabled
> > by default and enabled if required. As it is now, it would still depend
> > on the gnutls library having pkcs11 support and therefore still
> > would break our OE builds with mainline u-boot if we don't change our
> > modules defconfig.
>
> As far as I understand, gnutls is built by default with pkcs11 support. So for
> most distributions it should be ok. Security by default.
> I don't have any strong opinion on this, but default enabled has been suggested
> by the maintainer.
We are in the very unfortunate situation in which we are not able to run
any test at the moment in our CI and automated test infrastructure (not
in U-Boot, not in OE), and the reason is that we have pkcs11 enabled in
U-Boot, and OE core is not picking up the patch to enable it [1].
Any advice to have a way forward?
Francesco
[1] https://lore.kernel.org/all/20260408130553.819420-1-fra.schnyder@gmail.com/
* Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option
From: Paul Barker @ 2026-04-21 10:07 UTC (permalink / raw)
To: Francesco Dolcini, Wojciech Dubowik, trini, openembedded-core
Cc: Franz Schnyder, u-boot
On Mon, 2026-04-20 at 10:50 +0200, Francesco Dolcini wrote:
> + Paul Barker
>
> Hello all,
>
> On Mon, Apr 20, 2026 at 10:14:46AM +0200, Wojciech Dubowik wrote:
> > On Thu, Apr 16, 2026 at 05:51:13PM +0200, Franz Schnyder wrote:
> > > On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:
> > > > Some distros are using gnutls library without pkcs11 support
> > > > and linking of mkeficapsule will fail. Add disable pkcs11
> > > > option with default set to no so distros can control this
> > > > feature with config option.
> > > Shouldn't it be the other way around? Use of pkcs11 should be disabled
> > > by default and enabled if required. As it is now, it would still depend
> > > on the gnutls library having pkcs11 support and therefore still
> > > would break our OE builds with mainline u-boot if we don't change our
> > > modules defconfig.
> >
> > As far as I understand, gnutls is built by default with pkcs11 support. So for
> > most distributions it should be ok. Security by default.
> > I don't have any strong opinion on this, but default enabled has been suggested
> > by the maintainer.
>
> We are in the very unfortunate situation in which we are not able to run
> any test at the moment in our CI and automated test infrastructure (not
> in U-Boot, not in OE), and the reason is that we have pkcs11 enabled in
> U-Boot, and OE core is not picking up the patch to enable it [1].
>
> Any advice to have a way forward?
>
> Francesco
>
> [1] https://lore.kernel.org/all/20260408130553.819420-1-fra.schnyder@gmail.com/
Hi Francesco,
Which versions of U-Boot and openembedded-core are you trying to build?
Thanks,
--
Paul Barker
* Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option
From: Francesco Dolcini @ 2026-04-21 10:16 UTC (permalink / raw)
To: Paul Barker
Cc: Francesco Dolcini, Wojciech Dubowik, trini, openembedded-core,
Franz Schnyder, u-boot
On Tue, Apr 21, 2026 at 11:07:21AM +0100, Paul Barker wrote:
> On Mon, 2026-04-20 at 10:50 +0200, Francesco Dolcini wrote:
> > + Paul Barker
> >
> > Hello all,
> >
> > On Mon, Apr 20, 2026 at 10:14:46AM +0200, Wojciech Dubowik wrote:
> > > On Thu, Apr 16, 2026 at 05:51:13PM +0200, Franz Schnyder wrote:
> > > > On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:
> > > > > Some distros are using gnutls library without pkcs11 support
> > > > > and linking of mkeficapsule will fail. Add disable pkcs11
> > > > > option with default set to no so distros can control this
> > > > > feature with config option.
> > > > Shouldn't it be the other way around? Use of pkcs11 should be disabled
> > > > by default and enabled if required. As it is now, it would still depend
> > > > on the gnutls library having pkcs11 support and therefore still
> > > > would break our OE builds with mainline u-boot if we don't change our
> > > > modules defconfig.
> > >
> > > As far as I understand, gnutls is built by default with pkcs11 support. So for
> > > most distributions it should be ok. Security by default.
> > > I don't have any strong opinion on this, but default enabled has been suggested
> > > by the maintainer.
> >
> > We are in the very unfortunate situation in which we are not able to run
> > any test at the moment in our CI and automated test infrastructure (not
> > in U-Boot, not in OE), and the reason is that we have pkcs11 enabled in
> > U-Boot, and OE core is not picking up the patch to enable it [1].
> >
> > Any advice to have a way forward?
> >
> > Francesco
> >
> > [1] https://lore.kernel.org/all/20260408130553.819420-1-fra.schnyder@gmail.com/
>
> Which versions of U-Boot and openembedded-core are you trying to build?
U-Boot master + openembedded-core master.
Francesco
* Re: [OE-core] [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option
From: Quentin Schulz @ 2026-04-21 10:22 UTC (permalink / raw)
To: francesco, Paul Barker
Cc: Wojciech Dubowik, trini, openembedded-core, Franz Schnyder,
u-boot
On 4/21/26 12:16 PM, Francesco Dolcini via lists.openembedded.org wrote:
>
> On Tue, Apr 21, 2026 at 11:07:21AM +0100, Paul Barker wrote:
>> On Mon, 2026-04-20 at 10:50 +0200, Francesco Dolcini wrote:
>>> + Paul Barker
>>>
>>> Hello all,
>>>
>>> On Mon, Apr 20, 2026 at 10:14:46AM +0200, Wojciech Dubowik wrote:
>>>> On Thu, Apr 16, 2026 at 05:51:13PM +0200, Franz Schnyder wrote:
>>>>> On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:
>>>>>> Some distros are using gnutls library without pkcs11 support
>>>>>> and linking of mkeficapsule will fail. Add disable pkcs11
>>>>>> option with default set to no so distros can control this
>>>>>> feature with config option.
>>>>> Shouldn't it be the other way around? Use of pkcs11 should be disabled
>>>>> by default and enabled if required. As it is now, it would still depend
>>>>> on the gnutls library having pkcs11 support and therefore still
>>>>> would break our OE builds with mainline u-boot if we don't change our
>>>>> modules defconfig.
>>>>
>>>> As far as I understand, gnutls is built by default with pkcs11 support. So for
>>>> most distributions it should be ok. Security by default.
>>>> I don't have any strong opinion on this, but default enabled has been suggested
>>>> by the maintainer.
>>>
>>> We are in the very unfortunate situation in which we are not able to run
>>> any test at the moment in our CI and automated test infrastructure (not
>>> in U-Boot, not in OE), and the reason is that we have pkcs11 enabled in
>>> U-Boot, and OE core is not picking up the patch to enable it [1].
>>>
>>> Any advice to have a way forward?
>>>
>>> Francesco
>>>
>>> [1] https://lore.kernel.org/all/20260408130553.819420-1-fra.schnyder@gmail.com/
>>
>> Which versions of U-Boot and openembedded-core are you trying to build?
>
> U-Boot master + openembedded-core master.
>
I'm assuming something along the lines of:
your-layer/recipes-support/gnutls/gnutls_3.8.12.bbappend
PACKAGECONFIG:append:class-native = " p11-kit"
until the patch gets picked up in OE-Core. Even if we fix this in
U-Boot, enabling pkcs11 support in U-Boot (a target recipe) would
require enabling pkcs11 support in gnutls-native according to the patch
sent by Franz to the OE ML. This kind of dependency is pretty bad as you
generally do not want to have to modify a native recipe for a specific
target machine or configuration. So, I think OE should take that patch.
Cheers,
Quentin
* Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option
From: Simon Glass @ 2026-04-20 4:27 UTC (permalink / raw)
To: Wojciech.Dubowik
Cc: u-boot, Franz Schnyder, trini,
openembedded-core @ lists . openembedded . org, Francesco Dolcini
Hi Wojciech,
On 2026-04-09T07:47:07, Wojciech Dubowik <Wojciech.Dubowik@mt.com> wrote:
> tools: mkeficapsule: Add disable pkcs11 menu option
>
> Some distros are using gnutls library without pkcs11 support
> and linking of mkeficapsule will fail. Add disable pkcs11
> option with default set to no so distros can control this
> feature with config option.
>
> Suggested-by: Tom Rini <trini@konsulko.com>
> Cc: Franz Schnyder <fra.schnyder@gmail.com>
> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
>
> tools/Kconfig | 8 ++++++++
> tools/Makefile | 3 +++
> tools/mkeficapsule.c | 14 ++++++++++++++
> 3 files changed, 25 insertions(+)
> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)
> +#else
> + fprintf(stdout, "Pkcs11 support is disabled\n");
> + return -1;
Please can you use stderr here for consistency with surrounding error handling.
> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)
The cleanup code at lines 420-423 calls gnutls_pkcs11_deinit() when
pkcs11_cert || pkcs11_key is true. When
CONFIG_MKEFICAPSULE_DISABLE_PKCS11 is defined, these can still be set
if the user provides a "pkcs11:" URL, but gnutls_pkcs11_deinit() will
not be available. Please can you wrap that cleanup block with #ifndef
CONFIG_MKEFICAPSULE_DISABLE_PKCS11 as well, or ensure the function
returns before reaching that code path.
Regards,
Simon
* Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option
From: Wojciech Dubowik @ 2026-04-20 8:17 UTC (permalink / raw)
To: Simon Glass
Cc: u-boot, Franz Schnyder, trini,
openembedded-core @ lists . openembedded . org, Francesco Dolcini
On Mon, Apr 20, 2026 at 04:27:03PM +1200, Simon Glass wrote:
Hello Simon,
> Hi Wojciech,
>
> On 2026-04-09T07:47:07, Wojciech Dubowik <Wojciech.Dubowik@mt.com> wrote:
> > tools: mkeficapsule: Add disable pkcs11 menu option
> >
> > Some distros are using gnutls library without pkcs11 support
> > and linking of mkeficapsule will fail. Add disable pkcs11
> > option with default set to no so distros can control this
> > feature with config option.
> >
> > Suggested-by: Tom Rini <trini@konsulko.com>
> > Cc: Franz Schnyder <fra.schnyder@gmail.com>
> > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
> >
> > tools/Kconfig | 8 ++++++++
> > tools/Makefile | 3 +++
> > tools/mkeficapsule.c | 14 ++++++++++++++
> > 3 files changed, 25 insertions(+)
>
> > diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> > @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)
> > +#else
> > + fprintf(stdout, "Pkcs11 support is disabled\n");
> > + return -1;
>
> Please can you use stderr here for consistency with surrounding error handling.
>
> > diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> > @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)
>
> The cleanup code at lines 420-423 calls gnutls_pkcs11_deinit() when
> pkcs11_cert || pkcs11_key is true. When
> CONFIG_MKEFICAPSULE_DISABLE_PKCS11 is defined, these can still be set
> if the user provides a "pkcs11:" URL, but gnutls_pkcs11_deinit() will
> not be available. Please can you wrap that cleanup block with #ifndef
> CONFIG_MKEFICAPSULE_DISABLE_PKCS11 as well, or ensure the function
> returns before reaching that code path.
Will do it and send V2.
Regards,
Wojtek
>
> Regards,
> Simon