* [PATCH 0/2] UEFI Capsule - PKCS11 Support @ 2025-12-16 15:08 Wojciech Dubowik 2025-12-16 15:08 ` [PATCH 1/2] tools: mkeficapsule: Add support for pkcs11 Wojciech Dubowik 2025-12-16 15:08 ` [PATCH 2/2] binman: Accept pkcs11 URI tokens for capsule updates Wojciech Dubowik 0 siblings, 2 replies; 6+ messages in thread From: Wojciech Dubowik @ 2025-12-16 15:08 UTC (permalink / raw) To: u-boot@lists.denx.de; +Cc: Wojciech Dubowik, trini Add support for pkcs11 URI's when generating UEFI capsules and accept URI's for certificate in dts capsule nodes. Example: export PKCS11_MODULE_PATH=<pkcs11 provider path>/libsofthsm2.so tools/mkeficapsule --monotonic-count 1 \ --private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \ --certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \ --index 1 \ --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \ "capsule-payload" \ "capsule.cap Wojciech Dubowik (2): tools: mkeficapsule: Add support for pkcs11 binman: Accept pkcs11 URI tokens for capsule updates tools/binman/etype/efi_capsule.py | 4 +- tools/mkeficapsule.c | 102 ++++++++++++++++++++++-------- 2 files changed, 76 insertions(+), 30 deletions(-) -- 2.47.3 ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/2] tools: mkeficapsule: Add support for pkcs11 2025-12-16 15:08 [PATCH 0/2] UEFI Capsule - PKCS11 Support Wojciech Dubowik @ 2025-12-16 15:08 ` Wojciech Dubowik 2025-12-16 15:08 ` [PATCH 2/2] binman: Accept pkcs11 URI tokens for capsule updates Wojciech Dubowik 1 sibling, 0 replies; 6+ messages in thread From: Wojciech Dubowik @ 2025-12-16 15:08 UTC (permalink / raw) To: u-boot@lists.denx.de; +Cc: Wojciech Dubowik, trini With pkcs11 support it's now possible to spefify keys with URI format. To use this feature the filename must begin "pkcs11:.." and have valid URI pointing to certificate and private key in HSM. The environemnt variable PKCS11_MODULE_PATH must point to the right pkcs11 provider i.e. with softhsm: export PKCS11_MODULE_PATH=<path>/libsofthsm2.so Example command line: tools/mkeficapsule --monotonic-count 1 \ --private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \ --certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \ --index 1 \ --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \ "capsule-payload" \ "capsule.cap" Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> --- tools/mkeficapsule.c | 102 +++++++++++++++++++++++++++++++------------ 1 file changed, 74 insertions(+), 28 deletions(-) diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 0f41cdb64f54..c55d4f1000b3 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -228,21 +228,46 @@ static int create_auth_data(struct auth_context *ctx) gnutls_pkcs7_t pkcs7; gnutls_datum_t data; gnutls_datum_t signature; + gnutls_pkcs11_obj_t *obj_list; + unsigned int obj_list_size = 0; + const char *lib; int ret; + bool pkcs11 = false; - ret = read_bin_file(ctx->cert_file, &cert.data, &file_size); - if (ret < 0) - return -1; - if (file_size > UINT_MAX) - return -1; - cert.size = file_size; + if (!strncmp(ctx->cert_file, "pkcs11:", 7) && + !strncmp(ctx->key_file, "pkcs11:", 7)) { + pkcs11 = true; - ret = read_bin_file(ctx->key_file, &key.data, &file_size); - if (ret < 0) - return -1; - if (file_size > UINT_MAX) - return -1; - key.size = file_size; + lib = getenv("PKCS11_MODULE_PATH"); + if (!lib) { + fprintf(stdout, + "PKCS11_MODULE_PATH not set in the environment\n"); + return -1; + } + + gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); + gnutls_global_init(); + + ret = gnutls_pkcs11_add_provider(lib, "trusted"); + if (ret < 0) { + fprintf(stdout, "Failed to add pkcs11 provider\n"); + return -1; + } + } else { + ret = read_bin_file(ctx->cert_file, &cert.data, &file_size); + if (ret < 0) + return -1; + if (file_size > UINT_MAX) + return -1; + cert.size = file_size; + + ret = read_bin_file(ctx->key_file, &key.data, &file_size); + if (ret < 0) + return -1; + if (file_size > UINT_MAX) + return -1; + key.size = file_size; + } /* * For debugging, @@ -264,25 +289,41 @@ static int create_auth_data(struct auth_context *ctx) gnutls_strerror(ret)); return -1; } + if (pkcs11) { + ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size, + ctx->cert_file, 0); + if (ret < 0 || obj_list_size == 0) { + fprintf(stdout, "Failed to import crt_file URI objects\n"); + return -1; + } - /* load a private key */ - ret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM, - 0, 0); - if (ret < 0) { - fprintf(stderr, - "error in gnutls_privkey_import_x509_raw(): %s\n", - gnutls_strerror(ret)); - return -1; - } + gnutls_x509_crt_import_pkcs11(x509, obj_list[0]); - /* load x509 certificate */ - ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM); - if (ret < 0) { - fprintf(stderr, "error in gnutls_x509_crt_import(): %s\n", - gnutls_strerror(ret)); - return -1; - } + ret = gnutls_privkey_import_pkcs11_url(pkey, ctx->key_file); + if (ret < 0) { + fprintf(stderr, "error in %d: %s\n", __LINE__, + gnutls_strerror(ret)); + return -1; + } + } else { + /* load a private key */ + ret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM, + 0, 0); + if (ret < 0) { + fprintf(stderr, + "error in gnutls_privkey_import_x509_raw(): %s\n", + gnutls_strerror(ret)); + return -1; + } + /* load x509 certificate */ + ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fprintf(stderr, "error in gnutls_x509_crt_import(): %s\n", + gnutls_strerror(ret)); + return -1; + } + } /* generate a PKCS #7 structure */ ret = gnutls_pkcs7_init(&pkcs7); if (ret < 0) { @@ -349,6 +390,11 @@ static int create_auth_data(struct auth_context *ctx) * gnutls_free(signature.data); */ + if (pkcs11) { + gnutls_global_deinit(); + gnutls_pkcs11_deinit(); + } + return 0; } -- 2.47.3 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/2] binman: Accept pkcs11 URI tokens for capsule updates 2025-12-16 15:08 [PATCH 0/2] UEFI Capsule - PKCS11 Support Wojciech Dubowik 2025-12-16 15:08 ` [PATCH 1/2] tools: mkeficapsule: Add support for pkcs11 Wojciech Dubowik @ 2025-12-16 15:08 ` Wojciech Dubowik 2025-12-27 14:52 ` Simon Glass 1 sibling, 1 reply; 6+ messages in thread From: Wojciech Dubowik @ 2025-12-16 15:08 UTC (permalink / raw) To: u-boot@lists.denx.de; +Cc: Wojciech Dubowik, trini With pkcs11 support in mkeficapsule we can now accept URI tokens and not only files. Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> --- tools/binman/etype/efi_capsule.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/binman/etype/efi_capsule.py b/tools/binman/etype/efi_capsule.py index 9f06cc88e6e5..8ab022915d9d 100644 --- a/tools/binman/etype/efi_capsule.py +++ b/tools/binman/etype/efi_capsule.py @@ -125,9 +125,9 @@ class Entry_efi_capsule(Entry_section): private_key = '' public_key_cert = '' if self.auth: - if not os.path.isabs(self.private_key): + if not os.path.isabs(self.private_key) and not 'pkcs11:' in self.private_key: private_key = tools.get_input_filename(self.private_key) - if not os.path.isabs(self.public_key_cert): + if not os.path.isabs(self.public_key_cert) and not 'pkcs11:' in self.public_key_cert: public_key_cert = tools.get_input_filename(self.public_key_cert) data, payload, uniq = self.collect_contents_to_file( self._entries.values(), 'capsule_in') -- 2.47.3 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 2/2] binman: Accept pkcs11 URI tokens for capsule updates 2025-12-16 15:08 ` [PATCH 2/2] binman: Accept pkcs11 URI tokens for capsule updates Wojciech Dubowik @ 2025-12-27 14:52 ` Simon Glass 2026-01-05 8:48 ` EXTERNAL - " Wojciech Dubowik 0 siblings, 1 reply; 6+ messages in thread From: Simon Glass @ 2025-12-27 14:52 UTC (permalink / raw) To: Wojciech Dubowik; +Cc: u-boot@lists.denx.de, trini Hi Wojciech, On Tue, 16 Dec 2025 at 08:09, Wojciech Dubowik <Wojciech.Dubowik@mt.com> wrote: > > With pkcs11 support in mkeficapsule we can now accept URI > tokens and not only files. > > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> > --- > tools/binman/etype/efi_capsule.py | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/tools/binman/etype/efi_capsule.py b/tools/binman/etype/efi_capsule.py > index 9f06cc88e6e5..8ab022915d9d 100644 > --- a/tools/binman/etype/efi_capsule.py > +++ b/tools/binman/etype/efi_capsule.py > @@ -125,9 +125,9 @@ class Entry_efi_capsule(Entry_section): > private_key = '' > public_key_cert = '' > if self.auth: > - if not os.path.isabs(self.private_key): > + if not os.path.isabs(self.private_key) and not 'pkcs11:' in self.private_key: > private_key = tools.get_input_filename(self.private_key) > - if not os.path.isabs(self.public_key_cert): > + if not os.path.isabs(self.public_key_cert) and not 'pkcs11:' in self.public_key_cert: > public_key_cert = tools.get_input_filename(self.public_key_cert) > data, payload, uniq = self.collect_contents_to_file( > self._entries.values(), 'capsule_in') > -- > 2.47.3 > Does this have a test case? Regards, Simon ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: EXTERNAL - [PATCH 2/2] binman: Accept pkcs11 URI tokens for capsule updates 2025-12-27 14:52 ` Simon Glass @ 2026-01-05 8:48 ` Wojciech Dubowik 2026-01-05 23:30 ` Simon Glass 0 siblings, 1 reply; 6+ messages in thread From: Wojciech Dubowik @ 2026-01-05 8:48 UTC (permalink / raw) To: Simon Glass; +Cc: u-boot@lists.denx.de, trini On Sat, Dec 27, 2025 at 07:52:36AM -0700, Simon Glass wrote: > Hi Wojciech, > > On Tue, 16 Dec 2025 at 08:09, Wojciech Dubowik <Wojciech.Dubowik@mt.com> wrote: > > > > With pkcs11 support in mkeficapsule we can now accept URI > > tokens and not only files. > > > > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> > > --- > > tools/binman/etype/efi_capsule.py | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/tools/binman/etype/efi_capsule.py b/tools/binman/etype/efi_capsule.py > > index 9f06cc88e6e5..8ab022915d9d 100644 > > --- a/tools/binman/etype/efi_capsule.py > > +++ b/tools/binman/etype/efi_capsule.py > > @@ -125,9 +125,9 @@ class Entry_efi_capsule(Entry_section): > > private_key = '' > > public_key_cert = '' > > if self.auth: > > - if not os.path.isabs(self.private_key): > > + if not os.path.isabs(self.private_key) and not 'pkcs11:' in self.private_key: > > private_key = tools.get_input_filename(self.private_key) > > - if not os.path.isabs(self.public_key_cert): > > + if not os.path.isabs(self.public_key_cert) and not 'pkcs11:' in self.public_key_cert: > > public_key_cert = tools.get_input_filename(self.public_key_cert) > > data, payload, uniq = self.collect_contents_to_file( > > self._entries.values(), 'capsule_in') > > -- > > 2.47.3 > > > > Does this have a test case? Not yet. I have seen that pkcs11 engine and softhsm test framework have been recently merged into next so I will try to make a testcase for it. Regards, Wojtek > > Regards, > Simon ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: EXTERNAL - [PATCH 2/2] binman: Accept pkcs11 URI tokens for capsule updates 2026-01-05 8:48 ` EXTERNAL - " Wojciech Dubowik @ 2026-01-05 23:30 ` Simon Glass 0 siblings, 0 replies; 6+ messages in thread From: Simon Glass @ 2026-01-05 23:30 UTC (permalink / raw) To: Wojciech Dubowik; +Cc: u-boot@lists.denx.de, trini Hi Wojciech, On Mon, 5 Jan 2026 at 01:48, Wojciech Dubowik <Wojciech.Dubowik@mt.com> wrote: > > On Sat, Dec 27, 2025 at 07:52:36AM -0700, Simon Glass wrote: > > Hi Wojciech, > > > > On Tue, 16 Dec 2025 at 08:09, Wojciech Dubowik <Wojciech.Dubowik@mt.com> wrote: > > > > > > With pkcs11 support in mkeficapsule we can now accept URI > > > tokens and not only files. > > > > > > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> > > > --- > > > tools/binman/etype/efi_capsule.py | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > diff --git a/tools/binman/etype/efi_capsule.py b/tools/binman/etype/efi_capsule.py > > > index 9f06cc88e6e5..8ab022915d9d 100644 > > > --- a/tools/binman/etype/efi_capsule.py > > > +++ b/tools/binman/etype/efi_capsule.py > > > @@ -125,9 +125,9 @@ class Entry_efi_capsule(Entry_section): > > > private_key = '' > > > public_key_cert = '' > > > if self.auth: > > > - if not os.path.isabs(self.private_key): > > > + if not os.path.isabs(self.private_key) and not 'pkcs11:' in self.private_key: > > > private_key = tools.get_input_filename(self.private_key) > > > - if not os.path.isabs(self.public_key_cert): > > > + if not os.path.isabs(self.public_key_cert) and not 'pkcs11:' in self.public_key_cert: > > > public_key_cert = tools.get_input_filename(self.public_key_cert) > > > data, payload, uniq = self.collect_contents_to_file( > > > self._entries.values(), 'capsule_in') > > > -- > > > 2.47.3 > > > > > > > Does this have a test case? > > Not yet. I have seen that pkcs11 engine and softhsm test framework have been recently merged into > next so I will try to make a testcase for it. We may have lost the history here. You can mock things as needed to simplify the test. Regards, Simon ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-01-05 23:30 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-12-16 15:08 [PATCH 0/2] UEFI Capsule - PKCS11 Support Wojciech Dubowik 2025-12-16 15:08 ` [PATCH 1/2] tools: mkeficapsule: Add support for pkcs11 Wojciech Dubowik 2025-12-16 15:08 ` [PATCH 2/2] binman: Accept pkcs11 URI tokens for capsule updates Wojciech Dubowik 2025-12-27 14:52 ` Simon Glass 2026-01-05 8:48 ` EXTERNAL - " Wojciech Dubowik 2026-01-05 23:30 ` Simon Glass
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox