[PATCH] binman: x509_cert: add PKCS#11/HSM signing support

Sergio Prado sergio.prado at e-labworks.com
Fri Apr 17 14:45:13 CEST 2026


Hi Simon,

> For some reason I cannot see this in patchwork.
It seems my email is waiting for moderator approval. I received this email:
"Your message to U-Boot awaits moderator approval. The reason it is being
held: Post to moderated list".

> In any case, please can you add tests and check that the coverage is
> still 100% ?
Good point. I will work on the test cases, validate test coverage and
submit v2.

Best regards,

Sergio Prado

On Thu, 16 Apr 2026 at 18:35, Simon Glass <sjg at chromium.org>
wrote:

> Hi Sergio,
>
> On Fri, 17 Apr 2026 at 02:53, Sergio Prado <sergio.prado at e-labworks.com>
> wrote:
> >
> > Allow X509 certificates used for K3/TI secure boot to be signed via an
> > HSM using the PKCS#11 standard.
> >
> > Two new make variables are introduced:
> >
> >   BINMAN_PKCS11_URI    PKCS#11 URI identifying the signing key on the HSM
> >   BINMAN_PKCS11_MODULE Path to the PKCS#11 shared library (.so)
> >
> > When BINMAN_PKCS11_URI is set, it is passed to binman as the pkcs11-uri
> > entry argument, which overrides the keyfile property at signing time.
> >
> > The openssl bintool gains three helper methods:
> >
> >   _pkcs11_use_provider() detects whether the pkcs11 provider (OpenSSL
> >     >= 3.1) or the legacy pkcs11 engine (libp11) is available.
> >
> >   _build_key_args() builds the appropriate -key/-provider/-engine
> >     arguments for the openssl command line, appending ?pin-value=<pin>
> >     from the PKCS11_PIN environment variable when set.
> >
> >   _run_cmd_pkcs11() exports PKCS11_MODULE_PATH and PKCS11_PROVIDER_MODULE
> >     before invoking openssl when a module path is provided.
> >
> > Existing behavior is unchanged when neither BINMAN_PKCS11_URI nor
> > BINMAN_PKCS11_MODULE is set.
> >
> > Tested with SoftHSM2 and a Yubikey using the verdin-am62_a53_defconfig
> > configuration.
> >
> > Signed-off-by: Sergio Prado <sergio.prado at e-labworks.com>
> > ---
> >  Makefile                        |   2 +
> >  tools/binman/binman.rst         |  18 ++++++
> >  tools/binman/btool/openssl.py   | 106 +++++++++++++++++++++++++++-----
> >  tools/binman/etype/x509_cert.py |  47 ++++++++++++--
> >  4 files changed, 153 insertions(+), 20 deletions(-)
>
> For some reason I cannot see this in patchwork.
>
> In any case, please can you add tests and check that the coverage is
> still 100% ?
>
> Regards,
> Simon
>
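Added example, not the patch's or binman's code: the helper logic the quoted commit message describes (provider-vs-engine selection, building the -key/-provider/-engine arguments with an optional `?pin-value=` taken from `PKCS11_PIN`, and exporting `PKCS11_MODULE_PATH`/`PKCS11_PROVIDER_MODULE` for the module path), written as stand-alone Python. The function names, the version-only provider check, the exact openssl command shape and the sample SoftHSM path are assumptions for illustration; the real bintool may differ. It goes slightly beyond the message by percent-encoding the PIN as RFC 7512 requires and by leaving a URI that already carries `pin-value`/`pin-source` untouched.

```python
"""Illustrative PKCS#11 argument builder for openssl-based certificate signing.

Assumptions (not binman's implementation): function names, the rule that
OpenSSL >= 3.1 selects the provider route, and the sample values below.
"""
import os
import re
import subprocess
from urllib.parse import quote


def openssl_version(openssl='openssl'):
    """Return (major, minor) parsed from `openssl version`, or None if the
    binary cannot be run. Used only by main(); tests pass a tuple directly."""
    try:
        out = subprocess.run([openssl, 'version'], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    m = re.search(r'OpenSSL (\d+)\.(\d+)', out)
    return (int(m.group(1)), int(m.group(2))) if m else None


def pkcs11_use_provider(version):
    """True: use the pkcs11 provider (OpenSSL >= 3.1); False: fall back to
    the legacy libp11 engine. Assumption: the version alone decides here."""
    return version is not None and version >= (3, 1)


def add_pin(uri, pin):
    """Append pin-value=<pin> to a PKCS#11 URI, using '?' for the first query
    attribute and '&' when the URI already has a query. The PIN is
    percent-encoded (RFC 7512) so characters such as '?', '&' or ';' cannot
    be misparsed as URI structure. A URI that already names a pin-value or a
    pin-source is returned unchanged."""
    if not pin or 'pin-value=' in uri or 'pin-source=' in uri:
        return uri
    sep = '&' if '?' in uri else '?'
    return f'{uri}{sep}pin-value={quote(pin, safe="")}'


def build_key_args(uri, use_provider, pin=None):
    """Arguments that select the signing key on the openssl command line."""
    key = add_pin(uri, pin)
    if use_provider:
        # Provider route: load pkcs11 plus default (for hashes, RSA padding).
        return ['-provider', 'pkcs11', '-provider', 'default', '-key', key]
    # Legacy engine route (libp11 / engine_pkcs11).
    return ['-engine', 'pkcs11', '-keyform', 'engine', '-key', key]


def pkcs11_env(module, base=None):
    """Environment for the openssl child: both the engine's and the
    provider's module-path variables are set when a module path is given."""
    env = dict(os.environ if base is None else base)
    if module:
        env['PKCS11_MODULE_PATH'] = module
        env['PKCS11_PROVIDER_MODULE'] = module
    return env


def sign_command(config, out, uri, module, version, env=None):
    """Return (argv, env) for creating a self-signed X.509 certificate from
    an openssl config template. Illustrative command shape only."""
    env = pkcs11_env(module, base=env)
    pin = env.get('PKCS11_PIN')
    argv = ['openssl', 'req', '-new', '-x509', '-config', config, '-out', out]
    argv += build_key_args(uri, pkcs11_use_provider(version), pin)
    return argv, env


if __name__ == '__main__':
    # Constructed sample values; nothing is executed against a real HSM.
    sample_env = {'PKCS11_PIN': '1234'}
    argv, env = sign_command(
        'x509.cnf', 'cert.pem',
        'pkcs11:token=k3-signing;object=boot-key',
        '/usr/lib/softhsm/libsofthsm2.so',      # constructed SoftHSM2 path
        openssl_version() or (3, 1), env=sample_env)
    print(' '.join(argv))
    print({k: v for k, v in env.items() if k.startswith('PKCS11')})
```

Design note from a defender's viewpoint: because `pin-value` ends up in the URI, the PIN is visible in the process argument list for as long as openssl runs. RFC 7512's `pin-source=file:...` attribute keeps it out of argv, which is why the helper leaves a URI that already carries `pin-source` (or `pin-value`) untouched rather than appending a second PIN.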

