Hi Wojciech,

On 5/28/26 10:03 AM, Wojciech Dubowik wrote:
Some distros like OpenEmbedded are using the gnutls library
without pkcs11 support, and linking of mkeficapsule will fail.
It would make maintenance of default configs a hurdle.
Add detection of pkcs11 support in gnutls so it's enabled
when available and doesn't need to be set explicitly.

Suggested-by: Tom Rini <[email protected]>
Cc: Franz Schnyder <[email protected]>
Signed-off-by: Wojciech Dubowik <[email protected]>
---
Changes in v5:
- removed more unrelated cleanup improvements spotted by
   Quentin, to be sent in another patch later
Changes in v4:
- abstract pkcs11 init function
- removed unrelated cleanup improvements, to be sent in
   another patch later
Changes in v3:
- remove config option for pkcs11 support and add auto
   detection in Makefile
- reduce amount of ifdefs by abstracting import pkcs11
   functions
- add missing free and deinit functions
Changes in v2:
- make use of stderr more consistent
- add missing ifndef around pkcs11 deinit functions
---
  tools/Makefile       |  5 +++
  tools/mkeficapsule.c | 95 +++++++++++++++++++++++++++++++++-----------
  2 files changed, 77 insertions(+), 23 deletions(-)

diff --git a/tools/Makefile b/tools/Makefile
index 1a5f425ecdaa..e85f5a354b81 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -271,6 +271,11 @@ mkeficapsule-objs := generated/lib/uuid.o \
        $(LIBFDT_OBJS) \
        mkeficapsule.o
  hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
+GNUTLS_SUPPORTS_P11KIT = $(shell pkg-config --libs gnutls 
--print-requires-private \
+                        2> /dev/null | grep p11-kit-1)
+ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1)
+HOSTCFLAGS_mkeficapsule.o += -DMKEFICAPSULE_PKCS11
+endif
include tools/fwumdata_src/fwumdata.mk diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
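Review bot: the exact-string test `ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1)` in the tools/Makefile hunk is fragile: `grep p11-kit-1` prints the whole matching line, so any pkg-config output in which that entry carries a version constraint or shares a line with other requirements will not compare equal and `MKEFICAPSULE_PKCS11` will silently stay undefined. Testing for a non-empty result, `ifneq ($(GNUTLS_SUPPORTS_P11KIT),)`, or `ifneq ($(findstring p11-kit-1,$(GNUTLS_SUPPORTS_P11KIT)),)`, is more robust. Two smaller points: `--libs` adds nothing when only the `--print-requires-private` output is grepped and can be dropped, and the detection hard-codes `pkg-config` rather than a make variable, which matters for a host tool built in a cross environment such as the OpenEmbedded case named in the commit message.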
index ec640c57e8a5..a36332567e0c 100644
--- a/tools/mkeficapsule.c
+++ b/tools/mkeficapsule.c
@@ -207,6 +207,71 @@ static int write_capsule_file(FILE *f, void *data, size_t 
size, const char *msg)
        return 0;
  }
+#ifdef MKEFICAPSULE_PKCS11
+static int pkcs11_init(void)
+{
+       const char *lib;
+       int ret;
+
+       lib = getenv("PKCS11_MODULE_PATH");
+       if (!lib) {
+               fprintf(stdout,
+                       "PKCS11_MODULE_PATH not set in the environment\n");
+               return -1;
+       }
+
+       gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+       gnutls_global_init();
+
+       ret = gnutls_pkcs11_add_provider(lib, "trusted");
+       if (ret < 0) {
+               fprintf(stdout, "Failed to add pkcs11 provider\n");
+               return -1;
+       }
+
+       return 0;
+}
+
+static int import_pkcs11_crt(gnutls_x509_crt_t *x509, struct auth_context *ctx)
+{
+       gnutls_pkcs11_obj_t *obj_list;
+       unsigned int obj_list_size = 0;
+       int ret;
+
+       ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
+                                                ctx->cert_file, 0);
+       if (ret < 0 || obj_list_size == 0)
+               return ret;
+
+       ret = gnutls_x509_crt_import_pkcs11(*x509, obj_list[0]);
+
+       return ret;
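Review bot: in `import_pkcs11_crt()` the early `return ret;` after `gnutls_pkcs11_obj_list_import_url4()` returns 0 (success) when `ret >= 0` but `obj_list_size == 0`, so a URL that matches no object reports success although `*x509` was never imported; that case should return a distinct error (and print a message) instead. On the visible return paths `obj_list` is also not released: each entry needs `gnutls_pkcs11_obj_deinit()` and the array `gnutls_free()`. In `pkcs11_init()`, the error messages go to `stdout` even though the v2 changelog says stderr use was made consistent, so `fprintf(stderr, ...)` would match the rest of the tool, and the return values of `gnutls_pkcs11_init()` and `gnutls_global_init()` are ignored; at least the former should be checked before `gnutls_pkcs11_add_provider()` is called.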

This is still doing something we currently do not do, that is, checking the return code of gnutls_x509_crt_import_pkcs11(). I'm not saying we shouldn't (I haven't checked), but this now does more than just ifdef'ing pkcs11 support.

With that done, feel free to add my

Acked-by: Quentin Schulz <[email protected]>

on the next version.

Thanks!
Quentin
View/Reply Online (#237695): https://lists.openembedded.org/g/openembedded-core/message/237695