Re: [PATCH v3 3/3] test: binman: Add test for pkcs11 signed capsule

[Quentin Schulz <quentin.schulz@cherry.de>]

Hi Wojciech,

I didn't see you had sent a v3 (going through my inbox from older to 
newer :) ). Please ignore review on v2, i'll repeat it here.

On 1/8/26 3:13 PM, Wojciech Dubowik wrote:
> Test pkcs11 URI support for UEFI capsule generation. For
> simplicity only private key is defined in binman section
> as softhsm tool doesn't support certificate import (yet).
> 
> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
> Reviewed-by: Simon Glass <simon.glass@canonical.com>
> ---
>   tools/binman/ftest.py                         | 42 +++++++++++++++++++
>   .../binman/test/351_capsule_signed_pkcs11.dts | 20 +++++++++
>   2 files changed, 62 insertions(+)
>   create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
> 
> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
> index 21ec48d86fd1..ad5c2d63900a 100644
> --- a/tools/binman/ftest.py
> +++ b/tools/binman/ftest.py
> @@ -7532,6 +7532,48 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
>   
>           self._CheckCapsule(data, signed_capsule=True)
>   
> +    def testPkcs11SignedCapsuleGen(self):
> +        """Test generation of EFI capsule (with PKCS11)"""
> +        data = tools.read_file(self.TestFile("key.key"))
> +        private_key = self._MakeInputFile("key.key", data)
> +        data = tools.read_file(self.TestFile("key.pem"))
> +        self._MakeInputFile("key.crt", data)
> +
> +        softhsm2_util = bintool.Bintool.create('softhsm2_util')
> +        self._CheckBintool(softhsm2_util)
> +
> +        prefix = "testPkcs11SignedCapsuleGen."
> +        # Configure SoftHSMv2
> +        data = tools.read_file(self.TestFile('340_softhsm2.conf'))
> +        softhsm2_conf = self._MakeInputFile(f'{prefix}softhsm2.conf', data)
> +        softhsm2_tokens_dir = self._MakeInputDir(f'{prefix}softhsm2.tokens')
> +        tools.write_file(softhsm2_conf, data +
> +                         f'\ndirectories.tokendir = \
> +                         {softhsm2_tokens_dir}\n'.encode("utf-8"))
> +
> +        softhsm_paths="/usr/local/lib/softhsm/libsofthsm2.so \
> +                /usr/lib/softhsm/libsofthsm2.so \
> +                /usr/lib64/pkcs11/libsofthsm2.so \
> +                /usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so \
> +                /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"
> +
> +        for softhsm2_lib_loc in softhsm_paths.split():
> +                if os.path.exists(softhsm2_lib_loc):
> +                        softhsm2_lib = softhsm2_lib_loc
> +

This seems brittle, isn't there a better mechanism than this that can be
offered by distros? For openssl, installing libengine-pkcs11-openssl
(and setting the provider in the OPENSSL_CONF env variable) was enough.
Is there something similar to that for gnutls?

I don't think this will work on arm64 hosts, c.f.
https://debian.pkgs.org/13/debian-main-arm64/libsofthsm2_2.6.1-3_arm64.deb.html

> +        os.environ['SOFTHSM2_CONF'] = softhsm2_conf
> +        tools.run('softhsm2-util', '--init-token', '--free', '--label',
> +                  'U-Boot token', '--pin', '1111', '--so-pin',
> +                  '222222')
> +        tools.run('softhsm2-util', '--import', private_key, '--token',
> +                  'U-Boot token', '--label', 'test_key', '--id', '999999',
> +                  '--pin', '1111')
> +
> +        os.environ['PKCS11_MODULE_PATH'] = softhsm2_lib
> +        data = self._DoReadFile('351_capsule_signed_pkcs11.dts')
> +
> +        self._CheckCapsule(data, signed_capsule=True)
> +

Don't you want to validate it's properly signed?

Cheers,
Quentin