[PATCH 3/3] binman: Flesh out the softhsm2-util bintool docstring
Quentin Schulz
quentin.schulz at cherry.de
Fri Apr 24 19:52:53 CEST 2026
On 4/24/26 7:50 PM, Quentin Schulz wrote:
> Hi Simon,
>
> On 4/22/26 1:11 AM, Simon Glass wrote:
>> The Sphinx-generated bintools.rst currently produces an empty section
>> for this bintool, since its class docstring is only a single line and
>> so the body under the heading is blank.
>>
>> Extend the docstring with a short description of what softhsm2-util
>> does and how binman uses it, so the generated documentation has useful
>> content.
>>
>
> Welllllllll... Binman currently doesn't use it for anything but checking
> if the tool is installed on the system and if not downloads it. I've
> basically abused this to check that softhsm2-util is available on the
> system, but I'm not using the bintool to run commands.
>
> I'm now wondering why, because I guess we could replace
> tools.run('softhsm2-util', args) with softhsm2_util.run(args)...
>
> And the same for pkcs11-tool I guess?
>
>> Suggested-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
>> Signed-off-by: Simon Glass <sjg at chromium.org>
>> ---
>>
>> tools/binman/btool/softhsm2_util.py | 11 ++++++++++-
>> 1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/tools/binman/btool/softhsm2_util.py b/tools/binman/btool/
>> softhsm2_util.py
>> index 869221d841d..e79584da11d 100644
>> --- a/tools/binman/btool/softhsm2_util.py
>> +++ b/tools/binman/btool/softhsm2_util.py
>> @@ -7,7 +7,16 @@ from binman import bintool
>> class Bintoolsofthsm2_util(bintool.Bintool):
>> - """SoftHSMv2 -- support tool for libsofthsm2"""
>> + """SoftHSMv2 -- support tool for libsofthsm2
>> +
>> + This bintool supports running `softhsm2-util`, the command-line
>> utility
>> + shipped with SoftHSMv2 (a software implementation of a PKCS#11
>> token).
>> + Binman uses it to initialise a token so that keys can be imported
>> and used
>> + to sign FIT images or capsules via the PKCS#11 interface, without
>> requiring
>> + real hardware.
>> +
>
> Yeah I don't know, this is all transparent to binman really. You
> configure the FIT via DT to use pkcs11 and binman will simply call
> mkimage with that which in turn will call openssl which in turn will
> call softhsm2 engine (see tools/binman/test/fit/openssl.conf). So it can
> be used for anything, and binman really doesn't care about this bintool
> except for its own unit tests signing FIT images with a pkcs11 engine.
>
> I would remove the last sentence. Maybe we should tell the user to use
> this bintool only to check whether the package is installed but that the
> actual signature/token setup is expected to be done outside of binman?
>
and I didn't read the other two patches before sending the previous
mail, but it applies to those two other bintools as well.
> Cheers,
> Quentin
More information about the U-Boot
mailing list