[PATCH] tools: mkeficapsule: Add disable pkcs11 menu option

Franz Schnyder fra.schnyder at gmail.com
Thu Apr 16 17:51:13 CEST 2026


On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:
> Some distros are using gnutls library without pkcs11 support
> and linking of mkeficapsule will fail. Add disable pkcs11
> option with default set to no so distros can control this
> feature with config option.
> 
> Suggested-by: Tom Rini <trini at konsulko.com>
> Cc: Franz Schnyder <fra.schnyder at gmail.com>
> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik at mt.com>
> ---
>  tools/Kconfig        |  8 ++++++++
>  tools/Makefile       |  3 +++
>  tools/mkeficapsule.c | 14 ++++++++++++++
>  3 files changed, 25 insertions(+)
> 
> diff --git a/tools/Kconfig b/tools/Kconfig
> index ef33295b8ecd..ccc878595d3b 100644
> --- a/tools/Kconfig
> +++ b/tools/Kconfig
> @@ -114,6 +114,14 @@ config TOOLS_MKEFICAPSULE
>  	  optionally sign that file. If you want to enable UEFI capsule
>  	  update feature on your target, you certainly need this.
>  
> +config MKEFICAPSULE_DISABLE_PKCS11
> +	bool "Disable pkcs11 support"
> +	depends on TOOLS_MKEFICAPSULE
> +	default n
> +	help
> +	  Disable pkcs11 support. Can be used in cases when host GnuTLS
> +	  library doesn't support it.
> +
>  menuconfig FSPI_CONF_HEADER
>  	bool "FlexSPI Header Configuration"
>  	help
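Review bot: The help text for MKEFICAPSULE_DISABLE_PKCS11 tells the user why they might set it but not what they lose, so someone enabling it to fix a link error will only discover at run time that "pkcs11:" URLs are rejected. The patch's C hunks show that a "pkcs11:" prefix on the certificate or key argument then makes create_auth_data() fail, so the help should say so. Suggested text: `Disable pkcs11 support. When set, mkeficapsule only accepts the signing certificate and private key as files and rejects "pkcs11:" URLs. Use this when the host GnuTLS library was built without pkcs11 support.`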
> diff --git a/tools/Makefile b/tools/Makefile
> index 1a5f425ecdaa..60e84bfbf20d 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -271,6 +271,9 @@ mkeficapsule-objs := generated/lib/uuid.o \
>  	$(LIBFDT_OBJS) \
>  	mkeficapsule.o
>  hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
> +ifeq ($(CONFIG_MKEFICAPSULE_DISABLE_PKCS11),y)
> +HOSTCFLAGS_mkeficapsule.o += -DCONFIG_MKEFICAPSULE_DISABLE_PKCS11
> +endif
>  
>  include tools/fwumdata_src/fwumdata.mk
>  
> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> index ec640c57e8a5..ad1c46f0e909 100644
> --- a/tools/mkeficapsule.c
> +++ b/tools/mkeficapsule.c
> @@ -229,9 +229,11 @@ static int create_auth_data(struct auth_context *ctx)
>  	gnutls_pkcs7_t pkcs7;
>  	gnutls_datum_t data;
>  	gnutls_datum_t signature;
> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
>  	gnutls_pkcs11_obj_t *obj_list;
>  	unsigned int obj_list_size = 0;
>  	const char *lib;
> +#endif
>  	int ret;
>  	bool pkcs11_cert = false;
>  	bool pkcs11_key = false;
> @@ -242,6 +244,7 @@ static int create_auth_data(struct auth_context *ctx)
>  	if (!strncmp(ctx->key_file, "pkcs11:", strlen("pkcs11:")))
>  		pkcs11_key = true;
>  
> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
>  	if (pkcs11_cert || pkcs11_key) {
>  		lib = getenv("PKCS11_MODULE_PATH");
>  		if (!lib) {
> @@ -259,6 +262,7 @@ static int create_auth_data(struct auth_context *ctx)
>  			return -1;
>  		}
>  	}
> +#endif
>  
>  	if (!pkcs11_cert) {
>  		ret = read_bin_file(ctx->cert_file, &cert.data, &file_size);
> @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)
>  
>  	/* load x509 certificate */
>  	if (pkcs11_cert) {
> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
>  		ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
>  							 ctx->cert_file, 0);
>  		if (ret < 0 || obj_list_size == 0) {
> @@ -309,6 +314,10 @@ static int create_auth_data(struct auth_context *ctx)
>  		}
>  
>  		gnutls_x509_crt_import_pkcs11(x509, obj_list[0]);
> +#else
> +		fprintf(stdout, "Pkcs11 support is disabled\n");
> +		return -1;
> +#endif
>  	} else {
>  		ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);
>  		if (ret < 0) {
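Review bot: The new `#else` branch writes its failure message with `fprintf(stdout, ...)` although it returns -1, while every other error path in this function (e.g. the `fprintf(stderr, "error in %d: %s\n", ...)` two hunks below) reports on stderr; a caller capturing stdout will see the error text in place of normal output and one filtering stderr will miss it. The same applies to the `#else` branch added in the private-key hunk. Suggest `fprintf(stderr, "pkcs11 support is disabled in this build (CONFIG_MKEFICAPSULE_DISABLE_PKCS11)\n");` in both places. create_auth_data() continues outside this hunk.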
> @@ -320,12 +329,17 @@ static int create_auth_data(struct auth_context *ctx)
>  
>  	/* load a private key */
>  	if (pkcs11_key) {
> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
>  		ret = gnutls_privkey_import_pkcs11_url(pkey, ctx->key_file);
>  		if (ret < 0) {
>  			fprintf(stderr, "error in %d: %s\n", __LINE__,
>  				gnutls_strerror(ret));
>  			return -1;
>  		}
> +#else
> +		fprintf(stdout, "Pkcs11 support is disabled\n");
> +		return -1;
> +#endif
>  	} else {
>  		ret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM,
>  						     0, 0);
> -- 
> 2.47.3
> 

Hi Wojciech,

Shouldn't it be the other way around? Use of pkcs11 should be disabled 
by default and enabled if required. As it is now, it would still depend
on the gnutls library having pkcs11 support and therefore still 
would break our OE builds with mainline u-boot if we don't change our
modules defconfig.

kind regards

Franz

