From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
To: Quentin Schulz <quentin.schulz@cherry.de>
Cc: u-boot@lists.denx.de, trini@konsulko.com, simon.glass@canonical.com
Subject: Re: EXTERNAL - [PATCH v3 3/3] test: binman: Add test for pkcs11 signed capsule
Date: Thu, 15 Jan 2026 08:48:47 +0100 [thread overview]
Message-ID: <aWib34Okz188cYDq@mt.com> (raw)
In-Reply-To: <72dbeec9-448c-4828-a887-61a596e4451d@cherry.de>
On Wed, Jan 14, 2026 at 05:36:40PM +0100, Quentin Schulz wrote:
Hello Quentin,
> Hi Wojciech,
>
> I didn't see you had sent a v3 (going through my inbox from older to newer
> :) ). Please ignore review on v2, i'll repeat it here.
>
> On 1/8/26 3:13 PM, Wojciech Dubowik wrote:
> > Test pkcs11 URI support for UEFI capsule generation. For
> > simplicity only private key is defined in binman section
> > as softhsm tool doesn't support certificate import (yet).
> >
> > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
> > Reviewed-by: Simon Glass <simon.glass@canonical.com>
> > ---
> > tools/binman/ftest.py | 42 +++++++++++++++++++
> > .../binman/test/351_capsule_signed_pkcs11.dts | 20 +++++++++
> > 2 files changed, 62 insertions(+)
> > create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
> >
> > diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
> > index 21ec48d86fd1..ad5c2d63900a 100644
> > --- a/tools/binman/ftest.py
> > +++ b/tools/binman/ftest.py
> > @@ -7532,6 +7532,48 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
> > self._CheckCapsule(data, signed_capsule=True)
> > + def testPkcs11SignedCapsuleGen(self):
> > + """Test generation of EFI capsule (with PKCS11)"""
> > + data = tools.read_file(self.TestFile("key.key"))
> > + private_key = self._MakeInputFile("key.key", data)
> > + data = tools.read_file(self.TestFile("key.pem"))
> > + self._MakeInputFile("key.crt", data)
> > +
> > + softhsm2_util = bintool.Bintool.create('softhsm2_util')
> > + self._CheckBintool(softhsm2_util)
> > +
> > + prefix = "testPkcs11SignedCapsuleGen."
> > + # Configure SoftHSMv2
> > + data = tools.read_file(self.TestFile('340_softhsm2.conf'))
> > + softhsm2_conf = self._MakeInputFile(f'{prefix}softhsm2.conf', data)
> > + softhsm2_tokens_dir = self._MakeInputDir(f'{prefix}softhsm2.tokens')
> > + tools.write_file(softhsm2_conf, data +
> > + f'\ndirectories.tokendir = \
> > + {softhsm2_tokens_dir}\n'.encode("utf-8"))
> > +
> > + softhsm_paths="/usr/local/lib/softhsm/libsofthsm2.so \
> > + /usr/lib/softhsm/libsofthsm2.so \
> > + /usr/lib64/pkcs11/libsofthsm2.so \
> > + /usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so \
> > + /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"
> > +
> > + for softhsm2_lib_loc in softhsm_paths.split():
> > + if os.path.exists(softhsm2_lib_loc):
> > + softhsm2_lib = softhsm2_lib_loc
> > +
>
> This seems brittle, isn't there a better mechanism than this that can be
> offered by distros? For openssl, installing libengine-pkcs11-openssl
> (and setting the provider in the OPENSSL_CONF env variable) was enough.
> Is there something similar to that for gnutls?
I have based my code on gnutls test where the lib has been hardcoded as well.
There could be a better way i.e. with pkg-config but I havn't analyzed it yet.
Also p11 kit might give more info. Need to dig furher.
Wojtek
>
> I don't think this will work on arm64 hosts, c.f.
> https://debian.pkgs.org/13/debian-main-arm64/libsofthsm2_2.6.1-3_arm64.deb.html
>
> > + os.environ['SOFTHSM2_CONF'] = softhsm2_conf
> > + tools.run('softhsm2-util', '--init-token', '--free', '--label',
> > + 'U-Boot token', '--pin', '1111', '--so-pin',
> > + '222222')
> > + tools.run('softhsm2-util', '--import', private_key, '--token',
> > + 'U-Boot token', '--label', 'test_key', '--id', '999999',
> > + '--pin', '1111')
> > +
> > + os.environ['PKCS11_MODULE_PATH'] = softhsm2_lib
> > + data = self._DoReadFile('351_capsule_signed_pkcs11.dts')
> > +
> > + self._CheckCapsule(data, signed_capsule=True)
> > +
>
> Don't you want to validate it's properly signed?
>
> Cheers,
> Quentin
prev parent reply other threads:[~2026-01-15 7:49 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-08 14:13 [PATCH v3 0/3] UEFI Capsule - PKCS11 Support Wojciech Dubowik
2026-01-08 14:13 ` [PATCH v3 1/3] tools: mkeficapsule: Add support for pkcs11 Wojciech Dubowik
2026-01-08 14:13 ` [PATCH v3 2/3] binman: Accept pkcs11 URI tokens for capsule updates Wojciech Dubowik
2026-01-08 14:13 ` [PATCH v3 3/3] test: binman: Add test for pkcs11 signed capsule Wojciech Dubowik
2026-01-14 16:36 ` Quentin Schulz
2026-01-15 7:48 ` Wojciech Dubowik [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aWib34Okz188cYDq@mt.com \
--to=wojciech.dubowik@mt.com \
--cc=quentin.schulz@cherry.de \
--cc=simon.glass@canonical.com \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox