Hi Wojciech,
I didn't see you had sent a v3 (going through my inbox from older to
newer :) ). Please ignore review on v2, i'll repeat it here.
On 1/8/26 3:13 PM, Wojciech Dubowik wrote:
Test pkcs11 URI support for UEFI capsule generation. For
simplicity only private key is defined in binman section
as softhsm tool doesn't support certificate import (yet).
Signed-off-by: Wojciech Dubowik <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
---
tools/binman/ftest.py | 42 +++++++++++++++++++
.../binman/test/351_capsule_signed_pkcs11.dts | 20 +++++++++
2 files changed, 62 insertions(+)
create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index 21ec48d86fd1..ad5c2d63900a 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -7532,6 +7532,48 @@ fdt fdtmap Extract the devicetree
blob from the fdtmap
self._CheckCapsule(data, signed_capsule=True)
+ def testPkcs11SignedCapsuleGen(self):
+ """Test generation of EFI capsule (with PKCS11)"""
+ data = tools.read_file(self.TestFile("key.key"))
+ private_key = self._MakeInputFile("key.key", data)
+ data = tools.read_file(self.TestFile("key.pem"))
+ self._MakeInputFile("key.crt", data)
+
+ softhsm2_util = bintool.Bintool.create('softhsm2_util')
+ self._CheckBintool(softhsm2_util)
+
+ prefix = "testPkcs11SignedCapsuleGen."
+ # Configure SoftHSMv2
+ data = tools.read_file(self.TestFile('340_softhsm2.conf'))
+ softhsm2_conf = self._MakeInputFile(f'{prefix}softhsm2.conf', data)
+ softhsm2_tokens_dir = self._MakeInputDir(f'{prefix}softhsm2.tokens')
+ tools.write_file(softhsm2_conf, data +
+ f'\ndirectories.tokendir = \
+ {softhsm2_tokens_dir}\n'.encode("utf-8"))
+
+ softhsm_paths="/usr/local/lib/softhsm/libsofthsm2.so \
+ /usr/lib/softhsm/libsofthsm2.so \
+ /usr/lib64/pkcs11/libsofthsm2.so \
+ /usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so \
+ /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"
+
+ for softhsm2_lib_loc in softhsm_paths.split():
+ if os.path.exists(softhsm2_lib_loc):
+ softhsm2_lib = softhsm2_lib_loc
+
This seems brittle, isn't there a better mechanism than this that can be
offered by distros? For openssl, installing libengine-pkcs11-openssl
(and setting the provider in the OPENSSL_CONF env variable) was enough.
Is there something similar to that for gnutls?
I don't think this will work on arm64 hosts, c.f.
https://debian.pkgs.org/13/debian-main-arm64/libsofthsm2_2.6.1-3_arm64.deb.html
+ os.environ['SOFTHSM2_CONF'] = softhsm2_conf
+ tools.run('softhsm2-util', '--init-token', '--free', '--label',
+ 'U-Boot token', '--pin', '1111', '--so-pin',
+ '222222')
+ tools.run('softhsm2-util', '--import', private_key, '--token',
+ 'U-Boot token', '--label', 'test_key', '--id', '999999',
+ '--pin', '1111')
+
+ os.environ['PKCS11_MODULE_PATH'] = softhsm2_lib
+ data = self._DoReadFile('351_capsule_signed_pkcs11.dts')
+
+ self._CheckCapsule(data, signed_capsule=True)
+
Don't you want to validate it's properly signed?
Cheers,
Quentin
