[PATCH v5 0/6] UEFI Capsule - PKCS11 Support

Simon Glass sjg at chromium.org
Fri Feb 13 21:20:00 CET 2026


Hi Ilias,

On Fri, 13 Feb 2026 at 05:41, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> Simon,
> This has ended up on my patchwork, but I wasn't cc'ed.
> I'll have a look at the mkeficapsule changes soon, but do you mind if I
> re-assign it to you since it's mostly binman changes?

Yes that's fine (we synced up on irc).

Regards,
Simon


>
> Thanks
> /Ilias
> On Wed Jan 28, 2026 at 10:05 AM EET, Wojciech Dubowik wrote:
> > Add support for pkcs11 URIs when generating UEFI capsules and
> > accept URIs for certificate in dts capsule nodes.
> > Example:
> > export PKCS11_MODULE_PATH=<pkcs11 provider path>/libsofthsm2.so
> > tools/mkeficapsule --monotonic-count 1 \
> >  --private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \
> >  --certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \
> >  --index 1 \
> >  --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
> >  "capsule-payload" \
> >  "capsule.cap"
> > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik at mt.com>
> > ---
> > Changes in v5:
> > * add bin wrappers in test for all external tools
> > * improve error handling in python test
> > * fix data types in python
> > * standardize option name in mkeficapsule
> > * fix typos
> > Changes in v4:
> > * adapt mkeficapsule python support to dump detached signature
> >   for authenticated capsules
> > * verify detached capsule signature with openssl after generation
> > * use p11-kit to figure out location of softhsm2 library
> > * fix missing long option for dumping signatures in mkeficapsule
> > Changes in v3:
> > * fix write file encoding, env setting and extra line in binman test
> >   after review
> > Changes in v2:
> > * allow mixed file/pkcs11 URI as key specification in mkeficapsule
> > * fix logic for accepting pkcs11 URI in binman device tree sections
> > * add binman test for UEFI capsule signature where private key comes
> >   from softHSM
> > ---
> > Wojciech Dubowik (6):
> >   tools: mkeficapsule: Add support for pkcs11
> >   binman: Accept pkcs11 URI tokens for capsule updates
> >   tools: mkeficapsule: Fix dump signature long option
> >   binman: Add dump signature option to mkeficapsule
> >   binman: DTS: Add dump-signature option for capsules
> >   test: binman: Add test for pkcs11 signed capsule
> >
> >  doc/mkeficapsule.1                            |   4 +-
> >  tools/binman/btool/mkeficapsule.py            |   8 +-
> >  tools/binman/btool/p11_kit.py                 |  21 ++++
> >  tools/binman/entries.rst                      |   4 +
> >  tools/binman/etype/efi_capsule.py             |  17 ++-
> >  tools/binman/ftest.py                         |  66 ++++++++++
> >  .../binman/test/351_capsule_signed_pkcs11.dts |  22 ++++
> >  tools/mkeficapsule.c                          | 113 +++++++++++++-----
> >  8 files changed, 221 insertions(+), 34 deletions(-)
> >  create mode 100644 tools/binman/btool/p11_kit.py
> >  create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
>
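
An added example, not part of the patch series or of anyone's message in this thread: a Python sketch of how a build wrapper could tell a key file from a pkcs11 URI (the mixed specification mentioned in the v2 notes) and check how the token PIN is supplied. The names parse_key_spec and audit_pin_handling are hypothetical, and pin-source is assumed to be a plain file path as in the cover letter.

```python
import os
import stat
from urllib.parse import unquote


def parse_key_spec(spec):
    """Return ("file", path) or ("pkcs11", attrs) for a key/certificate argument."""
    if not spec.startswith("pkcs11:"):
        return "file", spec
    # RFC 7512 puts pin-source/pin-value in a '?' query joined by '&'; the cover
    # letter's URIs carry pin-source among the ';' attributes, so accept both.
    path, _, query = spec[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in path.split(";") + query.split("&"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed attribute: {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name!r}")
        attrs[name] = unquote(value)
    return "pkcs11", attrs


def audit_pin_handling(spec, base_dir="."):
    """List findings about how a key specification supplies the token PIN."""
    kind, attrs = parse_key_spec(spec)
    if kind == "file":
        return []
    findings = []
    if "pin-value" in attrs:
        findings.append("pin-value puts the PIN on the command line")
    source = attrs.get("pin-source")
    if source is not None:
        # Assumption: pin-source is a plain path, as in the cover letter.
        pin_path = os.path.join(base_dir, source)
        try:
            mode = os.stat(pin_path).st_mode
        except FileNotFoundError:
            findings.append(f"pin-source file missing: {source}")
        else:
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"pin-source file open to group/other: {source}")
    return findings


if __name__ == "__main__":
    uri = "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt"  # constructed
    print(parse_key_spec(uri), audit_pin_handling(uri))
```
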

