From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
To: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: simon.glass@canonical.com, u-boot@lists.denx.de,
trini@konsulko.com, quentin.schulz@cherry.de
Subject: Re: EXTERNAL - [PATCH v5 1/6] tools: mkeficapsule: Add support for pkcs11
Date: Mon, 16 Feb 2026 10:01:35 +0100
Message-ID: <aZLc7zC5PJyyXkxv@mt.com>
In-Reply-To: <DGDUN3ZI09SP.36P8F54DEPVUQ@linaro.org>

On Fri, Feb 13, 2026 at 02:56:48PM +0200, Ilias Apalodimas wrote:
Hi Ilias,
> Hi Wojciech,
>
> On Wed Jan 28, 2026 at 10:05 AM EET, Wojciech Dubowik wrote:
> > With pkcs11 support it's now possible to specify keys
> > with URI format. To use this feature the filename must
> > begin "pkcs11:.." and have valid URI pointing to certificate
> > and private key in HSM.
> >
> > The environment variable PKCS11_MODULE_PATH must point to the
> > right pkcs11 provider i.e. with softhsm:
> > export PKCS11_MODULE_PATH=<path>/libsofthsm2.so
> >
> >
>
> [...]
>
> > - ret = read_bin_file(ctx->cert_file, &cert.data, &file_size);
> > - if (ret < 0)
> > - return -1;
> > - if (file_size > UINT_MAX)
> > - return -1;
> > - cert.size = file_size;
> > + if (!strncmp(ctx->cert_file, "pkcs11:", 7))
>
> Can we do strlen() instead of 7 ?
Will do in the next iteration.
>
> > + pkcs11_cert = true;
> >
> > - ret = read_bin_file(ctx->key_file, &key.data, &file_size);
> > - if (ret < 0)
> > - return -1;
> > - if (file_size > UINT_MAX)
> > - return -1;
> > - key.size = file_size;
> > + if (!strncmp(ctx->key_file, "pkcs11:", 7))
>
> Same
>
> > + pkcs11_key = true;
> > +
> > + if (pkcs11_cert || pkcs11_key) {
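Review bot: the removed `file_size > UINT_MAX` guards in front of `cert.size = file_size` and `key.size = file_size` have no visible replacement in the added lines. With mixed pkcs11/local usage one of the two arguments is still read from disk, so the non-URI branch should keep both the `read_bin_file()` error check and the `UINT_MAX` bound for that argument. The `pkcs11:` prefix test is also written out twice, once for `ctx->cert_file` and once for `ctx->key_file`; a small helper would keep the two in step and gives one place for a NULL check if either pointer can be unset here.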
>
> Don't you need both the cert & key to sign the capsule?
> I'd simplify the logic here. Instead of having both a pkcs_key and a pkcs_cert,
> replace the variables with is_pkcs and have that set to true if both the key
> and cert have been found.
This is what I did in the first iteration. Later I learned that there
is a need for mixed pkcs11/local file usage. The HSM devices are very expensive
(at least some of them) and have limited memory. It's quite common to use the private
key from the HSM over the pkcs11 protocol and all the public stuff locally.
The test is implemented that way at the moment.

Regards,
Wojtek
>
> Then the if/else cases later will become a bit easier to read since you'll have
> to load the private key & crt in a single if/else case depending on is_pkcs.
>
> > + lib = getenv("PKCS11_MODULE_PATH");
> > + if (!lib) {
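Review bot: `if (!lib)` after `getenv("PKCS11_MODULE_PATH")` catches an unset variable but not one that is set to the empty string; testing `!lib || !*lib` covers both. Since this value selects the provider that handles the private key, the error path should name `PKCS11_MODULE_PATH` in its message so that a failed run points at the environment rather than at the URI.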
>
> [...]
>
> Thanks
> /Ilias
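
The commit message quoted above asks for a valid URI behind each `pkcs11:` argument, and the reply explains that key and certificate may come from different sources. As an added example (not code from the patch or from U-Boot), this pre-flight check classifies each argument on its own and rejects a URI whose RFC 7512 `type=` attribute does not match its role. The names `check_source` and `pkcs11_attr` and the sample URIs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define PKCS11_SCHEME "pkcs11:"

/* Nonzero when arg names an object behind the PKCS#11 provider, not a file. */
static int is_pkcs11_uri(const char *arg)
{
	return arg && !strncmp(arg, PKCS11_SCHEME, strlen(PKCS11_SCHEME));
}

/*
 * Find one RFC 7512 path attribute (';'-separated, ending at the '?' query).
 * Returns a pointer to its value and stores the length, or NULL if absent.
 * Values are compared as written; percent-decoding is not handled here.
 */
static const char *pkcs11_attr(const char *uri, const char *name, size_t *vlen)
{
	const char *p = uri + strlen(PKCS11_SCHEME);
	size_t nlen = strlen(name);

	while (*p && *p != '?') {
		size_t seg = strcspn(p, ";?");
		if (seg > nlen && !strncmp(p, name, nlen) && p[nlen] == '=') {
			*vlen = seg - nlen - 1;
			return p + nlen + 1;
		}
		p += seg + (p[seg] == ';');
	}
	return NULL;
}

/*
 * Check a signing argument against its role ("cert" or "private").
 * Local files and URIs without type= pass (the attribute is optional);
 * a URI naming another object class is rejected. Returns 0 if ok, else -1.
 */
int check_source(const char *arg, const char *want)
{
	size_t vlen;
	const char *val;

	if (!arg)
		return -1;
	if (!is_pkcs11_uri(arg) || !(val = pkcs11_attr(arg, "type", &vlen)))
		return 0;
	return (vlen == strlen(want) && !strncmp(val, want, vlen)) ? 0 : -1;
}
```

Running this on the certificate and the key separately, before the provider is loaded, reports a swapped pair of arguments without opening an HSM session.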