[OE-core] [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option
Quentin Schulz
quentin.schulz at cherry.de
Tue Apr 21 12:22:02 CEST 2026
On 4/21/26 12:16 PM, Francesco Dolcini via lists.openembedded.org wrote:
> On Tue, Apr 21, 2026 at 11:07:21AM +0100, Paul Barker wrote:
>> On Mon, 2026-04-20 at 10:50 +0200, Francesco Dolcini wrote:
>>> + Paul Barker
>>>
>>> Hello all,
>>>
>>> On Mon, Apr 20, 2026 at 10:14:46AM +0200, Wojciech Dubowik wrote:
>>>> On Thu, Apr 16, 2026 at 05:51:13PM +0200, Franz Schnyder wrote:
>>>>> On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:
>>>>>> Some distros are using gnutls library without pkcs11 support
>>>>>> and linking of mkeficapsule will fail. Add disable pkcs11
>>>>>> option with default set to no so distros can control this
>>>>>> feature with config option.
>>>>> Shouldn't it be the other way around? Use of pkcs11 should be disabled
>>>>> by default and enabled if required. As it is now, it would still depend
>>>>> on the gnutls library having pkcs11 support and therefore still
>>>>> would break our OE builds with mainline u-boot if we don't change our
>>>>> modules defconfig.
>>>>
>>>> As far as I understand, gnutls is built by default with pkcs11 support. So for
>>>> most of the distribution it should be ok. Security by default.
>>>> I don't have any strong opinion for this but default enabled has been suggested
>>>> by the maintainer.
>>>
>>> We are in the very unfortunate situation in which we are not able to run
>>> any test at the moment in our CI and automated test infrastructure (not
>>> in U-Boot, not in OE), and the reason is that we have pkcs11 enabled in
>>> U-Boot, and OE core is not picking up the patch to enable it [1].
>>>
>>> Any advice to have a way forward?
>>>
>>> Francesco
>>>
>>> [1] https://lore.kernel.org/all/20260408130553.819420-1-fra.schnyder@gmail.com/
>>
>> Which versions of U-Boot and openembedded-core are you trying to build?
>
> U-Boot master + openembedded-core master.
>
I'm assuming something along the lines of:

your-layer/recipes-support/gnutls/gnutls_3.8.12.bbappend
PACKAGECONFIG:append:class-native = " p11-kit"

until the patch gets picked up in OE-Core. Even if we fix this in
U-Boot, enabling pkcs11 support in U-Boot (a target recipe) would
require enabling pkcs11 support in gnutls-native according to the patch
sent by Franz to the OE ML. This kind of dependency is pretty bad as you
generally do not want to have to modify a native recipe for a specific
target machine or configuration. So, I think OE should take that patch.
Cheers,
Quentin
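A small check for the workaround discussed above, added here as an example and not part of the thread or of any OE-Core or U-Boot code: it reads `bitbake -e gnutls-native` output and reports whether the `p11-kit` PACKAGECONFIG feature (the one that gives gnutls its pkcs11 support) actually made it into the effective configuration, so a bbappend like the one above can be verified before a full mkeficapsule link is attempted. It assumes `bitbake -e` prints the effective value as a `PACKAGECONFIG="..."` line; the sample output embedded below is constructed to mimic that format so the function can be exercised offline.

```shell
# packageconfig_has_feature FEATURE
# Reads `bitbake -e <recipe>` output on stdin and returns 0 if FEATURE is
# one of the space-separated words in the effective PACKAGECONFIG value,
# 1 otherwise. Real usage (assumed, not from the thread):
#   bitbake -e gnutls-native | packageconfig_has_feature p11-kit
packageconfig_has_feature() {
    feature="$1"
    # Only the uncommented assignment is the effective value; the variable
    # history that bitbake -e prints above it is prefixed with "#".
    value=$(sed -n 's/^PACKAGECONFIG="\(.*\)"$/\1/p' | head -n 1)
    for word in $value; do
        [ "$word" = "$feature" ] && return 0
    done
    return 1
}

# Constructed sample: what bitbake -e output looks like after the bbappend
# from the thread has been applied (paths are placeholders).
SAMPLE_WITH_PKCS11='# $PACKAGECONFIG [2 operations]
#   set /path/to/recipes-support/gnutls/gnutls_3.8.12.bb:40
#     "gmp libidn2"
#   append /path/to/recipes-support/gnutls/gnutls_3.8.12.bbappend:1
#     " p11-kit"
PACKAGECONFIG="gmp libidn2 p11-kit"
PN="gnutls-native"'

# Constructed sample: gnutls-native built without the feature, i.e. the
# configuration in which linking mkeficapsule with pkcs11 enabled fails.
SAMPLE_WITHOUT_PKCS11='# $PACKAGECONFIG [1 operation]
#   set /path/to/recipes-support/gnutls/gnutls_3.8.12.bb:40
#     "gmp libidn2"
PACKAGECONFIG="gmp libidn2"
PN="gnutls-native"'

# Convenience wrappers so both samples can be checked by name.
sample_with_pkcs11_has_p11kit() {
    printf '%s\n' "$SAMPLE_WITH_PKCS11" | packageconfig_has_feature p11-kit
}

sample_without_pkcs11_has_p11kit() {
    printf '%s\n' "$SAMPLE_WITHOUT_PKCS11" | packageconfig_has_feature p11-kit
}

# Stand-alone run: report both constructed samples.
if sample_with_pkcs11_has_p11kit; then
    echo "sample with bbappend: p11-kit enabled in gnutls-native"
fi
if ! sample_without_pkcs11_has_p11kit; then
    echo "sample without bbappend: p11-kit missing, pkcs11 in mkeficapsule will not link"
fi
```

Against a real build tree, pipe `bitbake -e gnutls-native` into `packageconfig_has_feature p11-kit`; a non-zero exit means the bbappend (or the OE-Core patch, once picked up) has not taken effect for the native recipe, which is the situation the thread describes.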