[PATCH 3/3] binman: Flesh out the softhsm2-util bintool docstring
Quentin Schulz
quentin.schulz at cherry.de
Fri Apr 24 19:50:33 CEST 2026
Hi Simon,
On 4/22/26 1:11 AM, Simon Glass wrote:
> The Sphinx-generated bintools.rst currently produces an empty section
> for this bintool, since its class docstring is only a single line and
> so the body under the heading is blank.
>
> Extend the docstring with a short description of what softhsm2-util
> does and how binman uses it, so the generated documentation has useful
> content.
>
Welllllllll... Binman currently doesn't use it for anything but checking
if the tool is installed on the system and, if not, downloading it. I've
basically abused this to check that softhsm2-util is available on the
system, but I'm not using the bintool to run commands.
I'm now wondering why, because I guess we could replace
tools.run('softhsm2-util', args) with softhsm2_util.run(args)...
And the same for pkcs11-tool I guess?
> Suggested-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
> Signed-off-by: Simon Glass <sjg at chromium.org>
> ---
>
> tools/binman/btool/softhsm2_util.py | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/tools/binman/btool/softhsm2_util.py b/tools/binman/btool/softhsm2_util.py
> index 869221d841d..e79584da11d 100644
> --- a/tools/binman/btool/softhsm2_util.py
> +++ b/tools/binman/btool/softhsm2_util.py
> @@ -7,7 +7,16 @@ from binman import bintool
>
>
> class Bintoolsofthsm2_util(bintool.Bintool):
> - """SoftHSMv2 -- support tool for libsofthsm2"""
> + """SoftHSMv2 -- support tool for libsofthsm2
> +
> + This bintool supports running `softhsm2-util`, the command-line utility
> + shipped with SoftHSMv2 (a software implementation of a PKCS#11 token).
> + Binman uses it to initialise a token so that keys can be imported and used
> + to sign FIT images or capsules via the PKCS#11 interface, without requiring
> + real hardware.
> +
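Review bot: The docstring sentence beginning "Binman uses it to initialise a token" attributes token setup and key import to binman via this bintool, but the reply in this thread says the bintool is only used to check that softhsm2-util is installed (downloading it if not), and that commands are run through tools.run('softhsm2-util', args) rather than through the bintool. Suggest dropping that sentence, or rewording it to say that binman's own unit tests use the tool when signing FIT images with a pkcs11 engine and that token and key setup is expected to happen outside binman. Since the text ends up in the Sphinx-generated bintools.rst, note also that "`softhsm2-util`" in single backticks is the reStructuredText default role, not an inline literal; use double backticks if a literal is intended.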
Yeah I don't know, this is all transparent to binman really. You
configure the FIT via DT to use pkcs11 and binman will simply call
mkimage with that which in turn will call openssl which in turn will
call softhsm2 engine (see tools/binman/test/fit/openssl.conf). So it can
be used for anything, and binman really doesn't care about this bintool
except for its own unit tests signing FIT images with a pkcs11 engine.
I would remove the last sentence. Maybe we should tell the user to use
this bintool only to check whether the package is installed but that the
actual signature/token setup is expected to be done outside of binman?
Cheers,
Quentin