From: "Ilias Apalodimas" <ilias.apalodimas@linaro.org>
To: "Wojciech Dubowik" <Wojciech.Dubowik@mt.com>,
<simon.glass@canonical.com>, <u-boot@lists.denx.de>
Cc: <trini@konsulko.com>, <quentin.schulz@cherry.de>
Subject: Re: [PATCH v5 0/6] UEFI Capsule - PKCS11 Support
Date: Fri, 13 Feb 2026 14:40:55 +0200 [thread overview]
Message-ID: <DGDUAXWN8ZAA.8A73T56SKN9C@linaro.org> (raw)
In-Reply-To: <20260128080515.1275941-1-Wojciech.Dubowik@mt.com>
Simon,
This has ended up on my patchwork, but I wasn't cc'ed.
I'll have a look at the mkeficapsule changes soon, but do you mind if I
re-assign it you since it's mostly binman changes?
Thanks
/Ilias
On Wed Jan 28, 2026 at 10:05 AM EET, Wojciech Dubowik wrote:
> Add support for pkcs11 URI's when generating UEFI capsules and
> accept URI's for certificate in dts capsule nodes.
> Example:
> export PKCS11_MODULE_PATH=<pkcs11 provider path>/libsofthsm2.so
> tools/mkeficapsule --monotonic-count 1 \
> --private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \
> --certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \
> --index 1 \
> --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
> "capsule-payload" \
> "capsule.cap
> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
> ---
> Changes in v5:
> * add bin wrappers in test for all external tools
> * improve error handling in python test
> * fix data types in python
> * standardize option name in mkeficapsule
> * fix typos
> Changes in v4:
> * adapt mkeficapsule python support to dump detached signature
> for authenticated capsules
> * verify detached capsule signature with openssl after generation
> * use p11-kit to figure out location of softhsm2 library
> * fix missing long option for dumping signatures in mkeficapsule
> Changes in v3:
> * fix write file encoding, env setting and extra line in binman test
> after review
> Changes in v2:
> * allow mixed file/pkcs11 URI as key specification in mkeficapsule
> * fix logic for accepting pkcs11 URI in binman device tree sections
> * add binman test for UEFI capsule signature where private key comes
> from softHSM
> ---
> Wojciech Dubowik (6):
> tools: mkeficapsule: Add support for pkcs11
> binman: Accept pkcs11 URI tokens for capsule updates
> tools: mkeficapsule: Fix dump signature long option
> binman: Add dump signature option to mkeficapsule
> binman: DTS: Add dump-signature option for capsules
> test: binman: Add test for pkcs11 signed capsule
>
> doc/mkeficapsule.1 | 4 +-
> tools/binman/btool/mkeficapsule.py | 8 +-
> tools/binman/btool/p11_kit.py | 21 ++++
> tools/binman/entries.rst | 4 +
> tools/binman/etype/efi_capsule.py | 17 ++-
> tools/binman/ftest.py | 66 ++++++++++
> .../binman/test/351_capsule_signed_pkcs11.dts | 22 ++++
> tools/mkeficapsule.c | 113 +++++++++++++-----
> 8 files changed, 221 insertions(+), 34 deletions(-)
> create mode 100644 tools/binman/btool/p11_kit.py
> create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
next prev parent reply other threads:[~2026-02-13 12:41 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-28 8:05 [PATCH v5 0/6] UEFI Capsule - PKCS11 Support Wojciech Dubowik
2026-01-28 8:05 ` [PATCH v5 1/6] tools: mkeficapsule: Add support for pkcs11 Wojciech Dubowik
2026-02-13 12:56 ` Ilias Apalodimas
2026-02-16 9:01 ` EXTERNAL - " Wojciech Dubowik
2026-02-16 9:52 ` Ilias Apalodimas
2026-01-28 8:05 ` [PATCH v5 2/6] binman: Accept pkcs11 URI tokens for capsule updates Wojciech Dubowik
2026-01-28 8:05 ` [PATCH v5 3/6] tools: mkeficapsule: Fix dump signature long option Wojciech Dubowik
2026-02-13 12:41 ` Ilias Apalodimas
2026-01-28 8:05 ` [PATCH v5 4/6] binman: Add dump signature option to mkeficapsule Wojciech Dubowik
2026-01-28 8:05 ` [PATCH v5 5/6] binman: DTS: Add dump-signature option for capsules Wojciech Dubowik
2026-01-28 8:05 ` [PATCH v5 6/6] test: binman: Add test for pkcs11 signed capsule Wojciech Dubowik
2026-02-13 17:52 ` Simon Glass
2026-02-16 8:49 ` EXTERNAL - " Wojciech Dubowik
2026-02-13 12:40 ` Ilias Apalodimas [this message]
2026-02-13 20:20 ` [PATCH v5 0/6] UEFI Capsule - PKCS11 Support Simon Glass
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DGDUAXWN8ZAA.8A73T56SKN9C@linaro.org \
--to=ilias.apalodimas@linaro.org \
--cc=Wojciech.Dubowik@mt.com \
--cc=quentin.schulz@cherry.de \
--cc=simon.glass@canonical.com \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox