On Thu, Feb 19, 2026 at 07:39:04PM -0700, Simon Glass wrote:

Hi Simon,

> Hi Wojciech,
>
> On Thu, 19 Feb 2026 at 06:12, Simon Glass <[email protected]> wrote:
> >
> > Hi Wojciech,
> >
> > On Tue, 17 Feb 2026 at 04:53, Wojciech Dubowik <[email protected]>
> > wrote:
> > >
> > > Add support for pkcs11 URI's when generating UEFI capsules and
> > > accept URI's for certificate in dts capsule nodes.
> > > Example:
> > > export PKCS11_MODULE_PATH=<pkcs11 provider path>/libsofthsm2.so
> > > tools/mkeficapsule --monotonic-count 1 \
> > >   --private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \
> > >   --certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \
> > >   --index 1 \
> > >   --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
> > >   "capsule-payload" \
> > >   "capsule.cap"
> > > Signed-off-by: Wojciech Dubowik <[email protected]>
> > > ---
> > > Changes in v6:
> > > * mkeficapsule: use strlen instead of hardcoded values
> > > Changes in v5:
> > > * add bin wrappers in test for all external tools
> > > * improve error handling in python test
> > > * fix data types in python
> > > * standardize option name in mkeficapsule
> > > * fix typos
> > > Changes in v4:
> > > * adapt mkeficapsule python support to dump detached signature
> > >   for authenticated capsules
> > > * verify detached capsule signature with openssl after generation
> > > * use p11-kit to figure out location of softhsm2 library
> > > * fix missing long option for dumping signatures in mkeficapsule
> > > Changes in v3:
> > > * fix write file encoding, env setting and extra line in binman test
> > >   after review
> > > Changes in v2:
> > > * allow mixed file/pkcs11 URI as key specification in mkeficapsule
> > > * fix logic for accepting pkcs11 URI in binman device tree sections
> > > * add binman test for UEFI capsule signature where private key comes
> > >   from softHSM
> > > ---
> > > Wojciech Dubowik (6):
> > >   tools: mkeficapsule: Add support for pkcs11
> > >   binman: Accept pkcs11 URI tokens for capsule updates
> > >   tools: mkeficapsule: Fix dump signature long option
> > >   binman: Add dump signature option to mkeficapsule
> > >   binman: DTS: Add dump-signature option for capsules
> > >   test: binman: Add test for pkcs11 signed capsule
> > >
> > >  doc/mkeficapsule.1                            |   4 +-
> > >  tools/binman/btool/mkeficapsule.py            |   8 +-
> > >  tools/binman/btool/p11_kit.py                 |  21 ++++
> > >  tools/binman/entries.rst                      |   4 +
> > >  tools/binman/etype/efi_capsule.py             |  17 ++-
> > >  tools/binman/ftest.py                         |  66 ++++++++++
> > >  .../binman/test/351_capsule_signed_pkcs11.dts |  22 ++++
> > >  tools/mkeficapsule.c                          | 113 +++++++++++++-----
> > >  8 files changed, 221 insertions(+), 34 deletions(-)
> > >  create mode 100644 tools/binman/btool/p11_kit.py
> > >  create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
> > >
> > > --
> > > 2.47.3
> > >
> >
> > Please make sure that you have 100% test coverage now. CI will fail
> > without it. If you need help on covering some code, please let me
> > know.
>
> Please note though that the only goal is to cover the code. Binman is
> full of fakes and other techniques to do that with the minimum of
> effort.

I have added pkcs11 tool support and now on my setup I get 100% test
coverage. I will send it in v7.

Regards,
Wojtek

>
> Regards,
> Simon

