On Wed, Jan 14, 2026 at 05:36:40PM +0100, Quentin Schulz wrote: Hello Quentin, > Hi Wojciech, > > I didn't see you had sent a v3 (going through my inbox from older to newer > :) ). Please ignore review on v2, i'll repeat it here. > > On 1/8/26 3:13 PM, Wojciech Dubowik wrote: > > Test pkcs11 URI support for UEFI capsule generation. For > > simplicity only private key is defined in binman section > > as softhsm tool doesn't support certificate import (yet). > > > > Signed-off-by: Wojciech Dubowik <[email protected]> > > Reviewed-by: Simon Glass <[email protected]> > > --- > > tools/binman/ftest.py | 42 +++++++++++++++++++ > > .../binman/test/351_capsule_signed_pkcs11.dts | 20 +++++++++ > > 2 files changed, 62 insertions(+) > > create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts > > > > diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py > > index 21ec48d86fd1..ad5c2d63900a 100644 > > --- a/tools/binman/ftest.py > > +++ b/tools/binman/ftest.py > > @@ -7532,6 +7532,48 @@ fdt fdtmap Extract the > > devicetree blob from the fdtmap > > self._CheckCapsule(data, signed_capsule=True) > > + def testPkcs11SignedCapsuleGen(self): > > + """Test generation of EFI capsule (with PKCS11)""" > > + data = tools.read_file(self.TestFile("key.key")) > > + private_key = self._MakeInputFile("key.key", data) > > + data = tools.read_file(self.TestFile("key.pem")) > > + self._MakeInputFile("key.crt", data) > > + > > + softhsm2_util = bintool.Bintool.create('softhsm2_util') > > + self._CheckBintool(softhsm2_util) > > + > > + prefix = "testPkcs11SignedCapsuleGen." > > + # Configure SoftHSMv2 > > + data = tools.read_file(self.TestFile('340_softhsm2.conf')) > > + softhsm2_conf = self._MakeInputFile(f'{prefix}softhsm2.conf', data) > > + softhsm2_tokens_dir = > > self._MakeInputDir(f'{prefix}softhsm2.tokens') > > + tools.write_file(softhsm2_conf, data + > > + f'\ndirectories.tokendir = \ > > + {softhsm2_tokens_dir}\n'.encode("utf-8")) > > + > > + softhsm_paths="/usr/local/lib/softhsm/libsofthsm2.so \ > > + /usr/lib/softhsm/libsofthsm2.so \ > > + /usr/lib64/pkcs11/libsofthsm2.so \ > > + /usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so \ > > + /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so" > > + > > + for softhsm2_lib_loc in softhsm_paths.split(): > > + if os.path.exists(softhsm2_lib_loc): > > + softhsm2_lib = softhsm2_lib_loc > > + > > This seems brittle, isn't there a better mechanism than this that can be > offered by distros? For openssl, installing libengine-pkcs11-openssl > (and setting the provider in the OPENSSL_CONF env variable) was enough. > Is there something similar to that for gnutls?
I have based my code on gnutls test where the lib has been hardcoded as well. There could be a better way i.e. with pkg-config but I havn't analyzed it yet. Also p11 kit might give more info. Need to dig furher. Wojtek > > I don't think this will work on arm64 hosts, c.f. > https://debian.pkgs.org/13/debian-main-arm64/libsofthsm2_2.6.1-3_arm64.deb.html > > > + os.environ['SOFTHSM2_CONF'] = softhsm2_conf > > + tools.run('softhsm2-util', '--init-token', '--free', '--label', > > + 'U-Boot token', '--pin', '1111', '--so-pin', > > + '222222') > > + tools.run('softhsm2-util', '--import', private_key, '--token', > > + 'U-Boot token', '--label', 'test_key', '--id', '999999', > > + '--pin', '1111') > > + > > + os.environ['PKCS11_MODULE_PATH'] = softhsm2_lib > > + data = self._DoReadFile('351_capsule_signed_pkcs11.dts') > > + > > + self._CheckCapsule(data, signed_capsule=True) > > + > > Don't you want to validate it's properly signed? > > Cheers, > Quentin
