Hi Wojciech,
On 5/13/26 6:45 AM, Wojciech Dubowik wrote:
Some distros like OpenEmbedded are using the gnutls library
without pkcs11 support and linking of mkeficapsule will fail.
It would make maintenance of default configs a hurdle.
Add detection of pkcs11 support in gnutls so it's enabled
when available and doesn't need to be set explicitly.
Suggested-by: Tom Rini <[email protected]>
Cc: Franz Schnyder <[email protected]>
Signed-off-by: Wojciech Dubowik <[email protected]>
---
Changes in v4:
- abstract pkcs11 init function
- removed unrelated cleanup improvements, to be sent in
another patch later
Changes in v3:
- remove config option for pkcs11 support and add auto
detection in Makefile
- reduce amount of ifdefs by abstracting import pkcs11
functions
- add missing free and deinit functions
Changes in v2:
- make use of stderr more consistent
- add missing ifndef around pkcs11 deinit functions
---
tools/Makefile | 5 +++
tools/mkeficapsule.c | 99 ++++++++++++++++++++++++++++++++++----------
2 files changed, 81 insertions(+), 23 deletions(-)
diff --git a/tools/Makefile b/tools/Makefile
index 1a5f425ecdaa..e85f5a354b81 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -271,6 +271,11 @@ mkeficapsule-objs := generated/lib/uuid.o \
$(LIBFDT_OBJS) \
mkeficapsule.o
hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
+GNUTLS_SUPPORTS_P11KIT = $(shell pkg-config --libs gnutls
--print-requires-private \
+ 2> /dev/null | grep p11-kit-1)
+ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1)
+HOSTCFLAGS_mkeficapsule.o += -DMKEFICAPSULE_PKCS11
+endif
include tools/fwumdata_src/fwumdata.mk
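Review bot: the detection in this Makefile hunk compares the whole grep output against the literal name, `ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1)`, so PKCS#11 support is silently left out whenever the matching Requires.private entry carries anything beyond the bare name (a version constraint, for instance) or grep returns more than one matching line; testing for a non-empty result with `ifneq ($(GNUTLS_SUPPORTS_P11KIT),)` matches the stated intent of "enabled when available". The `--libs` flag is not needed for the requires-private grep and can be dropped. Because the check also fails quietly when pkg-config itself is missing, a one-line comment above the variable saying that PKCS#11 support is auto-detected from the gnutls pkg-config metadata would save whoever debugs a build that unexpectedly lacks it.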
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
index ec640c57e8a5..132bba286e4c 100644
--- a/tools/mkeficapsule.c
+++ b/tools/mkeficapsule.c
@@ -207,6 +207,75 @@ static int write_capsule_file(FILE *f, void *data, size_t
size, const char *msg)
return 0;
}
+#ifdef MKEFICAPSULE_PKCS11
+static int pkcs11_init(void)
+{
+ const char *lib;
+ int ret;
+
+ lib = getenv("PKCS11_MODULE_PATH");
+ if (!lib) {
+ fprintf(stderr,
We currently use stdout for this. The change is fine, but in a separate
patch please.
+ "PKCS11_MODULE_PATH not set in the environment\n");
+ return -1;
+ }
+
+ gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+ gnutls_global_init();
+
+ ret = gnutls_pkcs11_add_provider(lib, "trusted");
+ if (ret < 0) {
+ fprintf(stderr, "Failed to add pkcs11 provider\n");
Ditto.
+ return -1;
+ }
+
+ return 0;
+}
+
+static int import_pkcs11_crt(gnutls_x509_crt_t *x509, struct auth_context *ctx)
+{
+ gnutls_pkcs11_obj_t *obj_list;
+ unsigned int obj_list_size = 0;
+ int i, ret;
+
+ ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
+ ctx->cert_file, 0);
+ if (ret < 0 || obj_list_size == 0)
+ return ret;
+
+ ret = gnutls_x509_crt_import_pkcs11(*x509, obj_list[0]);
+
+ for (i = 0; i < obj_list_size; i++)
+ gnutls_pkcs11_obj_deinit(obj_list[i]);
+ gnutls_free(obj_list);
+
Those three lines are new, please have them in a separate patch.
+ return ret;
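Review bot: in import_pkcs11_crt() the early exit `if (ret < 0 || obj_list_size == 0) return ret;` returns 0 when the URL resolves to no objects, so a PKCS#11 URL that matches nothing is reported as success and the caller continues with an x509 handle that was never imported; returning a negative error in that branch (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, or -1 to match pkcs11_init()) makes the failure visible. This is separate from the pre-existing unchecked gnutls_x509_crt_import_pkcs11() return value. Minor: `i` is int while obj_list_size is unsigned int, so the deinit loop compares signed with unsigned; `unsigned int i` avoids the -Wsign-compare warning. In pkcs11_init(), gnutls_pkcs11_init() also returns an int that is not checked, while the gnutls_pkcs11_add_provider() call right after it is.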
So far, we've ignored the return value of
gnutls_x509_crt_import_pkcs11(), so please do the same in this patch.
Another patch for checking the return value can make sense (haven't
checked).
Looks good to me otherwise, thanks for working on this!
Cheers,
Quentin
View/Reply Online (#237444):
https://lists.openembedded.org/g/openembedded-core/message/237444