[PATCH] binman: x509_cert: add PKCS#11/HSM signing support
Simon Glass
sjg at chromium.org
Thu Apr 16 23:34:52 CEST 2026
Hi Sergio,
On Fri, 17 Apr 2026 at 02:53, Sergio Prado <sergio.prado at e-labworks.com> wrote:
>
> Allow X509 certificates used for K3/TI secure boot to be signed via an
> HSM using the PKCS#11 standard.
>
> Two new make variables are introduced:
>
> BINMAN_PKCS11_URI     PKCS#11 URI identifying the signing key on the HSM
> BINMAN_PKCS11_MODULE  Path to the PKCS#11 shared library (.so)
>
> When BINMAN_PKCS11_URI is set, it is passed to binman as the pkcs11-uri
> entry argument, which overrides the keyfile property at signing time.
>
> The openssl bintool gains three helper methods:
>
> _pkcs11_use_provider() detects whether the pkcs11 provider (OpenSSL
> >= 3.1) or the legacy pkcs11 engine (libp11) is available.
>
> _build_key_args() builds the appropriate -key/-provider/-engine
> arguments for the openssl command line, appending ?pin-value=<pin>
> from the PKCS11_PIN environment variable when set.
>
> _run_cmd_pkcs11() exports PKCS11_MODULE_PATH and PKCS11_PROVIDER_MODULE
> before invoking openssl when a module path is provided.
>
> Existing behavior is unchanged when neither BINMAN_PKCS11_URI nor
> BINMAN_PKCS11_MODULE is set.
>
> Tested with SoftHSM2 and a Yubikey using the verdin-am62_a53_defconfig
> configuration.
>
> Signed-off-by: Sergio Prado <sergio.prado at e-labworks.com>
> ---
> Makefile | 2 +
> tools/binman/binman.rst | 18 ++++++
> tools/binman/btool/openssl.py | 106 +++++++++++++++++++++++++++-----
> tools/binman/etype/x509_cert.py | 47 ++++++++++++--
> 4 files changed, 153 insertions(+), 20 deletions(-)
For some reason I cannot see this in patchwork.
In any case, please can you add tests and check that the coverage is
still 100%?
Regards,
Simon
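The commit message above describes three helpers on the openssl bintool: one that picks the provider or engine path, one that builds the `-key`/`-provider`/`-engine` arguments and appends `?pin-value=<pin>` from `PKCS11_PIN`, and one that exports `PKCS11_MODULE_PATH` and `PKCS11_PROVIDER_MODULE` before running openssl. The sketch below, added here as an illustration and not binman's or Sergio's code (the function names `add_pin_to_uri`, `build_key_args`, `build_env` and `pin_from_env`, and the exact option ordering, are assumptions; the patch itself is not on this page), shows those three pieces together, including the one detail a reviewer would check in `_build_key_args`: RFC 7512 puts query attributes after `?` separated by `&`, so a URI that already carries a query (for example `module-path=`) must get `&pin-value=`, not a second `?`, and the PIN must be percent-encoded.

```python
"""PKCS#11 key selection for an openssl command line.

Added example, not binman's own code. Helper names and the exact
option order are assumptions chosen for this illustration.
"""
import os
from urllib.parse import quote

# The two mechanisms named in the commit message: the OpenSSL 3.x pkcs11
# provider, and the legacy libp11 pkcs11 engine.
PROVIDER = "provider"
ENGINE = "engine"


def pin_from_env(environ=None):
    """Read the token PIN from PKCS11_PIN, or None when it is not set."""
    environ = os.environ if environ is None else environ
    return environ.get("PKCS11_PIN")


def add_pin_to_uri(uri, pin):
    """Append pin-value=<pin> as a query attribute of a PKCS#11 URI.

    RFC 7512 query attributes follow '?' and are separated by '&', and
    reserved characters in attribute values are percent-encoded, so a PIN
    such as 'p&ss' must not be spliced in raw.
    """
    if pin is None:
        return uri
    sep = "&" if "?" in uri else "?"
    return f"{uri}{sep}pin-value={quote(pin, safe='')}"


def build_key_args(uri, backend, pin=None):
    """Return the openssl arguments that select the HSM-held key.

    With the provider, the pkcs11: URI is accepted directly by -key; the
    engine path additionally needs -keyform engine so that the URI is
    handed to the engine rather than read as a file.
    """
    key_uri = add_pin_to_uri(uri, pin)
    if backend == PROVIDER:
        return ["-provider", "pkcs11", "-provider", "default",
                "-key", key_uri]
    if backend == ENGINE:
        return ["-engine", "pkcs11", "-keyform", "engine",
                "-key", key_uri]
    raise ValueError(f"unknown PKCS#11 backend: {backend}")


def build_env(module_path, base_env=None):
    """Environment for the openssl child process.

    Both variables are exported when a module path is given, so the same
    environment works whether the provider (PKCS11_PROVIDER_MODULE) or the
    engine (PKCS11_MODULE_PATH) is the one that loads. With no module path
    the caller's environment is passed through unchanged.
    """
    env = dict(os.environ if base_env is None else base_env)
    if module_path:
        env["PKCS11_MODULE_PATH"] = module_path
        env["PKCS11_PROVIDER_MODULE"] = module_path
    return env


if __name__ == "__main__":
    # Constructed sample values, not taken from any real board config.
    uri = "pkcs11:token=signing;object=k3-cert"
    print(build_key_args(uri, PROVIDER, pin_from_env({"PKCS11_PIN": "1234"})))
    print(build_key_args(uri, ENGINE))
    print(build_env("/usr/lib/softhsm/libsofthsm2.so", {"PATH": "/bin"}))
```

One caveat worth keeping in mind with `pin-value`: the PIN lands on the openssl command line, where it is readable by other local users through the process list for as long as openssl runs. RFC 7512 also defines `pin-source`, which points at a file holding the PIN instead of embedding it in the URI, for cases where that matters.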