From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
To: Simon Glass <sjg@chromium.org>
Cc: u-boot@lists.denx.de, ilias.apalodimas@linaro.org,
trini@konsulko.com, simon.glass@canonical.com,
quentin.schulz@cherry.de
Subject: Re: EXTERNAL - [PATCH v6 0/6] UEFI Capsule - PKCS11 Support
Date: Fri, 20 Feb 2026 10:13:20 +0100 [thread overview]
Message-ID: <aZglsLcTv87S07By@mt.com> (raw)
In-Reply-To: <CAFLszTjNx8_eew0p1uQK_k4tR81SDtBPpNmDSVVBmZcc2mG3cA@mail.gmail.com>
On Thu, Feb 19, 2026 at 07:39:04PM -0700, Simon Glass wrote:
Hi Simon,
> Hi Wojciech,
>
> On Thu, 19 Feb 2026 at 06:12, Simon Glass <sjg@chromium.org> wrote:
> >
> > Hi Wojciech,
> >
> > On Tue, 17 Feb 2026 at 04:53, Wojciech Dubowik <Wojciech.Dubowik@mt.com> wrote:
> > >
> > > Add support for pkcs11 URI's when generating UEFI capsules and
> > > accept URI's for certificate in dts capsule nodes.
> > > Example:
> > > export PKCS11_MODULE_PATH=<pkcs11 provider path>/libsofthsm2.so
> > > tools/mkeficapsule --monotonic-count 1 \
> > > --private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \
> > > --certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \
> > > --index 1 \
> > > --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
> > > "capsule-payload" \
> > > "capsule.cap
> > > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
> > > ---
> > > Changes in v6:
> > > * mkeficapsule: use strlen instead of hardcoded values
> > > Changes in v5:
> > > * add bin wrappers in test for all external tools
> > > * improve error handling in python test
> > > * fix data types in python
> > > * standardize option name in mkeficapsule
> > > * fix typos
> > > Changes in v4:
> > > * adapt mkeficapsule python support to dump detached signature
> > > for authenticated capsules
> > > * verify detached capsule signature with openssl after generation
> > > * use p11-kit to figure out location of softhsm2 library
> > > * fix missing long option for dumping signatures in mkeficapsule
> > > Changes in v3:
> > > * fix write file encoding, env setting and extra line in binman test
> > > after review
> > > Changes in v2:
> > > * allow mixed file/pkcs11 URI as key specification in mkeficapsule
> > > * fix logic for accepting pkcs11 URI in binman device tree sections
> > > * add binman test for UEFI capsule signature where private key comes
> > > from softHSM
> > > ---
> > > Wojciech Dubowik (6):
> > > tools: mkeficapsule: Add support for pkcs11
> > > binman: Accept pkcs11 URI tokens for capsule updates
> > > tools: mkeficapsule: Fix dump signature long option
> > > binman: Add dump signature option to mkeficapsule
> > > binman: DTS: Add dump-signature option for capsules
> > > test: binman: Add test for pkcs11 signed capsule
> > >
> > > doc/mkeficapsule.1 | 4 +-
> > > tools/binman/btool/mkeficapsule.py | 8 +-
> > > tools/binman/btool/p11_kit.py | 21 ++++
> > > tools/binman/entries.rst | 4 +
> > > tools/binman/etype/efi_capsule.py | 17 ++-
> > > tools/binman/ftest.py | 66 ++++++++++
> > > .../binman/test/351_capsule_signed_pkcs11.dts | 22 ++++
> > > tools/mkeficapsule.c | 113 +++++++++++++-----
> > > 8 files changed, 221 insertions(+), 34 deletions(-)
> > > create mode 100644 tools/binman/btool/p11_kit.py
> > > create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
> > >
> > > --
> > > 2.47.3
> > >
> >
> > Please make sure that you have 100% test coverage now. CI will fail
> > without it. If you need help on covering some code, please let me
> > know.
>
> Please note though that the only goal is to cover the code. Binman is
> full of fakes and other techniques to do that with the minimum of
> effort.
I have added pkcs11 tool support and now on my setup I get 100% test
coverage. I will send it in v7.
Regards,
Wojtek
>
> Regards,
> Simon
prev parent reply other threads:[~2026-02-20 9:13 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-17 11:53 [PATCH v6 0/6] UEFI Capsule - PKCS11 Support Wojciech Dubowik
2026-02-17 11:53 ` [PATCH v6 1/6] tools: mkeficapsule: Add support for pkcs11 Wojciech Dubowik
2026-02-17 11:53 ` [PATCH v6 2/6] binman: Accept pkcs11 URI tokens for capsule updates Wojciech Dubowik
2026-02-17 11:53 ` [PATCH v6 3/6] tools: mkeficapsule: Fix dump signature long option Wojciech Dubowik
2026-02-17 11:53 ` [PATCH v6 4/6] binman: Add dump signature option to mkeficapsule Wojciech Dubowik
2026-02-19 14:31 ` Simon Glass
2026-02-19 15:23 ` EXTERNAL - " Wojciech Dubowik
2026-02-23 17:51 ` Simon Glass
2026-02-17 11:53 ` [PATCH v6 5/6] binman: DTS: Add dump-signature option for capsules Wojciech Dubowik
2026-02-17 11:53 ` [PATCH v6 6/6] test: binman: Add test for pkcs11 signed capsule Wojciech Dubowik
2026-02-19 13:12 ` [PATCH v6 0/6] UEFI Capsule - PKCS11 Support Simon Glass
2026-02-19 13:23 ` EXTERNAL - " Wojciech Dubowik
2026-02-20 2:39 ` Simon Glass
2026-02-20 9:13 ` Wojciech Dubowik [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aZglsLcTv87S07By@mt.com \
--to=wojciech.dubowik@mt.com \
--cc=ilias.apalodimas@linaro.org \
--cc=quentin.schulz@cherry.de \
--cc=simon.glass@canonical.com \
--cc=sjg@chromium.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox