Hi Wojciech,
On 5/29/26 1:05 PM, Wojciech Dubowik wrote:
Some distros like OpenEmbedded are using the gnutls library
without pkcs11 support, and linking of mkeficapsule will fail.
It would make maintenance of default configs a hurdle.
Add detection of pkcs11 support in gnutls so it's enabled
when available and doesn't need to be set explicitly.
Acked-by: Quentin Schulz <[email protected]>
Suggested-by: Tom Rini <[email protected]>
Cc: Franz Schnyder <[email protected]>
Signed-off-by: Wojciech Dubowik <[email protected]>
---
Changes in v6:
- removed return code check from gnutls_x509_crt_import_pkcs11
as suggested by Quentin, to be sent in a separate patch later
Changes in v5:
- removed more unrelated cleanup improvements spotted by
Quentin, to be sent in another patch later
Changes in v4:
- abstract pkcs11 init function
- removed unrelated cleanup improvements, to be sent in
another patch later
Changes in v3:
- remove config option for pkcs11 support and add auto
detection in Makefile
- reduce amount of ifdefs by abstracting import pkcs11
functions
- add missing free and deinit functions
Changes in v2:
- make use of stderr more consistent
- add missing ifndef around pkcs11 deinit functions
---
tools/Makefile | 5 +++
tools/mkeficapsule.c | 95 +++++++++++++++++++++++++++++++++-----------
2 files changed, 77 insertions(+), 23 deletions(-)
diff --git a/tools/Makefile b/tools/Makefile
index 1a5f425ecdaa..e85f5a354b81 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -271,6 +271,11 @@ mkeficapsule-objs := generated/lib/uuid.o \
$(LIBFDT_OBJS) \
mkeficapsule.o
hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
+GNUTLS_SUPPORTS_P11KIT = $(shell pkg-config --libs gnutls
--print-requires-private \
+ 2> /dev/null | grep p11-kit-1)
+ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1)
+HOSTCFLAGS_mkeficapsule.o += -DMKEFICAPSULE_PKCS11
+endif
include tools/fwumdata_src/fwumdata.mk
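Review bot: the `ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1)` test only succeeds when the grep output is exactly `p11-kit-1`; if the gnutls .pc file states the dependency with a version constraint (for example `p11-kit-1 >= ...`) or grep returns more than one matching line, `$(shell ...)` yields a longer string, the comparison fails and PKCS#11 support is silently left out. Since stderr is also discarded via `2> /dev/null`, a missing pkg-config gives the same silent result. Testing for a non-empty result, `ifneq ($(GNUTLS_SUPPORTS_P11KIT),)`, would make the detection match what the commit message promises, and a one-line Makefile comment saying that the auto-detection relies on pkg-config would help anyone debugging a build where the define is unexpectedly absent.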
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
index ec640c57e8a5..576903753660 100644
--- a/tools/mkeficapsule.c
+++ b/tools/mkeficapsule.c
@@ -207,6 +207,71 @@ static int write_capsule_file(FILE *f, void *data, size_t
size, const char *msg)
return 0;
}
+#ifdef MKEFICAPSULE_PKCS11
+static int pkcs11_init(void)
+{
+ const char *lib;
+ int ret;
+
+ lib = getenv("PKCS11_MODULE_PATH");
+ if (!lib) {
+ fprintf(stdout,
+ "PKCS11_MODULE_PATH not set in the environment\n");
+ return -1;
+ }
+
+ gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+ gnutls_global_init();
+
+ ret = gnutls_pkcs11_add_provider(lib, "trusted");
+ if (ret < 0) {
+ fprintf(stdout, "Failed to add pkcs11 provider\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+static int import_pkcs11_crt(gnutls_x509_crt_t *x509, struct auth_context *ctx)
+{
+ gnutls_pkcs11_obj_t *obj_list;
+ unsigned int obj_list_size = 0;
+ int ret;
+
+ ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
+ ctx->cert_file, 0);
+ if (ret < 0 || obj_list_size == 0)
+ return ret;
+
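Review bot: in import_pkcs11_crt, `if (ret < 0 || obj_list_size == 0) return ret;` hands the caller a non-negative value (0 on success) when the URL resolves to no object, because on that path gnutls_pkcs11_obj_list_import_url4 has not failed; return -1 on the `obj_list_size == 0` branch so the caller sees it as a failure rather than proceeding with an empty list. In pkcs11_init, the return value of gnutls_pkcs11_init() is discarded before gnutls_pkcs11_add_provider() is called, so a failed PKCS#11 subsystem initialisation is only reported indirectly (if at all) by the later add_provider call; check it and return -1. Both diagnostics in pkcs11_init use fprintf(stdout, ...) although the v2 changelog says stderr use was made consistent; fprintf(stderr, ...) keeps error text separate from normal output.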
As noted by Simon on v5 (after the v6 was posted, so you did *not*
ignore review), this should return -1 to conserve the same behavior as
before this commit.
Indeed, if gnutls_pkcs11_obj_list_import_url4 returns anything but 0 and
obj_list_size=0, then this function will return ret, which can be 0, or
anything > 0, which isn't what we currently do.
Can you send a v7 with this fixed please?
Cheers,
Quentin
View/Reply Online (#238240):
https://lists.openembedded.org/g/openembedded-core/message/238240