Hi Wojciech,

On Tue, 17 Feb 2026 at 04:53, Wojciech Dubowik <[email protected]> wrote:
>
> Add support for pkcs11 URIs when generating UEFI capsules and
> accept URIs for certificate in dts capsule nodes.
> Example:
> export PKCS11_MODULE_PATH=<pkcs11 provider path>/libsofthsm2.so
> tools/mkeficapsule --monotonic-count 1 \
>  --private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \
>  --certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \
>  --index 1 \
>  --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
>  "capsule-payload" \
>  "capsule.cap"
> Signed-off-by: Wojciech Dubowik <[email protected]>
> ---
> Changes in v6:
> * mkeficapsule: use strlen instead of hardcoded values
> Changes in v5:
> * add bin wrappers in test for all external tools
> * improve error handling in python test
> * fix data types in python
> * standardize option name in mkeficapsule
> * fix typos
> Changes in v4:
> * adapt mkeficapsule python support to dump detached signature
>   for authenticated capsules
> * verify detached capsule signature with openssl after generation
> * use p11-kit to figure out location of softhsm2 library
> * fix missing long option for dumping signatures in mkeficapsule
> Changes in v3:
> * fix write file encoding, env setting and extra line in binman test
>   after review
> Changes in v2:
> * allow mixed file/pkcs11 URI as key specification in mkeficapsule
> * fix logic for accepting pkcs11 URI in binman device tree sections
> * add binman test for UEFI capsule signature where private key comes
>   from softHSM
> ---
> Wojciech Dubowik (6):
>   tools: mkeficapsule: Add support for pkcs11
>   binman: Accept pkcs11 URI tokens for capsule updates
>   tools: mkeficapsule: Fix dump signature long option
>   binman: Add dump signature option to mkeficapsule
>   binman: DTS: Add dump-signature option for capsules
>   test: binman: Add test for pkcs11 signed capsule
>
>  doc/mkeficapsule.1                            |   4 +-
>  tools/binman/btool/mkeficapsule.py            |   8 +-
>  tools/binman/btool/p11_kit.py                 |  21 ++++
>  tools/binman/entries.rst                      |   4 +
>  tools/binman/etype/efi_capsule.py             |  17 ++-
>  tools/binman/ftest.py                         |  66 ++++++++++
>  .../binman/test/351_capsule_signed_pkcs11.dts |  22 ++++
>  tools/mkeficapsule.c                          | 113 +++++++++++++-----
>  8 files changed, 221 insertions(+), 34 deletions(-)
>  create mode 100644 tools/binman/btool/p11_kit.py
>  create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
>
> --
> 2.47.3
>

Please make sure that you have 100% test coverage now. CI will fail
without it. If you need help on covering some code, please let me
know.

Regards,
Simon
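
For readers of the quoted cover letter: the sketch below is an added example, not part of either message and not code from mkeficapsule. It shows one way to tell a PKCS#11 URI from a file path when both are accepted as key specifications, and to read the attributes used in the example command. The function names are hypothetical, and `pin-value` is the RFC 7512 attribute that carries the PIN inline, which is the form to reject in favour of `pin-source`.

```c
#include <string.h>

#define PKCS11_SCHEME "pkcs11:"

/* 1 if a --private-key/--certificate argument is a PKCS#11 URI, 0 if a file path. */
int is_pkcs11_uri(const char *spec)
{
	return spec && strncmp(spec, PKCS11_SCHEME, strlen(PKCS11_SCHEME)) == 0;
}

/*
 * Copy the value of attribute `name` into out (no percent-decoding).
 * Returns 0 on success, -1 if absent or not a pkcs11 URI, -2 if out is too small.
 */
int pkcs11_uri_attr(const char *uri, const char *name, char *out, size_t outlen)
{
	size_t nlen = strlen(name);
	const char *p;

	if (!is_pkcs11_uri(uri))
		return -1;
	p = uri + strlen(PKCS11_SCHEME);
	while (*p) {
		size_t len = strcspn(p, ";?&");	/* attribute separators */

		if (len > nlen && p[nlen] == '=' && !strncmp(p, name, nlen)) {
			size_t vlen = len - nlen - 1;

			if (vlen >= outlen)
				return -2;
			memcpy(out, p + nlen + 1, vlen);
			out[vlen] = '\0';
			return 0;
		}
		p += len + (p[len] != '\0');	/* skip the separator, if any */
	}
	return -1;
}

/* 1 if the PIN itself is in the URI (visible in shell history and process lists). */
int pkcs11_uri_embeds_pin(const char *uri)
{
	char probe[1];

	return pkcs11_uri_attr(uri, "pin-value", probe, sizeof(probe)) != -1;
}
```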
