On Thu, Feb 19, 2026 at 06:12:51AM -0700, Simon Glass wrote: Hi Simon, > Hi Wojciech, > > On Tue, 17 Feb 2026 at 04:53, Wojciech Dubowik <[email protected]> > wrote: > > > > Add support for pkcs11 URI's when generating UEFI capsules and > > accept URI's for certificate in dts capsule nodes. > > Example: > > export PKCS11_MODULE_PATH=<pkcs11 provider path>/libsofthsm2.so > > tools/mkeficapsule --monotonic-count 1 \ > > --private-key > > "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \ > > --certificate > > "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \ > > --index 1 \ > > --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \ > > "capsule-payload" \ > > "capsule.cap > > Signed-off-by: Wojciech Dubowik <[email protected]> > > --- > > Changes in v6: > > * mkeficapsule: use strlen instead of hardcoded values > > Changes in v5: > > * add bin wrappers in test for all external tools > > * improve error handling in python test > > * fix data types in python > > * standardize option name in mkeficapsule > > * fix typos > > Changes in v4: > > * adapt mkeficapsule python support to dump detached signature > > for authenticated capsules > > * verify detached capsule signature with openssl after generation > > * use p11-kit to figure out location of softhsm2 library > > * fix missing long option for dumping signatures in mkeficapsule > > Changes in v3: > > * fix write file encoding, env setting and extra line in binman test > > after review > > Changes in v2: > > * allow mixed file/pkcs11 URI as key specification in mkeficapsule > > * fix logic for accepting pkcs11 URI in binman device tree sections > > * add binman test for UEFI capsule signature where private key comes > > from softHSM > > --- > > Wojciech Dubowik (6): > > tools: mkeficapsule: Add support for pkcs11 > > binman: Accept pkcs11 URI tokens for capsule updates > > tools: mkeficapsule: Fix dump signature long option > > binman: Add dump signature option to mkeficapsule > > binman: DTS: Add dump-signature option for capsules > > test: binman: Add test for pkcs11 signed capsule > > > > doc/mkeficapsule.1 | 4 +- > > tools/binman/btool/mkeficapsule.py | 8 +- > > tools/binman/btool/p11_kit.py | 21 ++++ > > tools/binman/entries.rst | 4 + > > tools/binman/etype/efi_capsule.py | 17 ++- > > tools/binman/ftest.py | 66 ++++++++++ > > .../binman/test/351_capsule_signed_pkcs11.dts | 22 ++++ > > tools/mkeficapsule.c | 113 +++++++++++++----- > > 8 files changed, 221 insertions(+), 34 deletions(-) > > create mode 100644 tools/binman/btool/p11_kit.py > > create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts > > > > -- > > 2.47.3 > > > > Please make sure that you have 100% test coverage now. CI will fail > without it. If you need help on covering some code, please let me > know. > > Regards, > Simon
I will need to integrate pkcs11 tool and make two tests, one with mixed keys and one with pkcs11 tokens only. I hope it will solve the issue. Will contact you when in doubt. Thanks, Wojtek
