[PATCH v7 5/6] binman: DTS: Add dump-signature option for capsules
Simon Glass
sjg at chromium.org
Mon Feb 23 18:51:25 CET 2026
On Fri, 20 Feb 2026 at 02:16, Wojciech Dubowik <Wojciech.Dubowik at mt.com> wrote:
>
> Mkeficapsule can dump signature for signed capsules. It can
> be used in test to validate signature i.e. with openssl.
> Add an entry for device tree node.
>
> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik at mt.com>
> ---
> tools/binman/entries.rst | 4 ++++
> tools/binman/etype/efi_capsule.py | 9 ++++++++-
> 2 files changed, 12 insertions(+), 1 deletion(-)
>
Reviewed-by: Simon Glass <simon.glass at canonical.com>
> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> index a81fcbd3891f..91f855f6d7a3 100644
> --- a/tools/binman/entries.rst
> +++ b/tools/binman/entries.rst
> @@ -552,6 +552,10 @@ Properties / Entry arguments:
> - public-key-cert: Path to PEM formatted .crt public key certificate
> file. Mandatory property for generating signed capsules.
> - oem-flags - OEM flags to be passed through capsule header.
> + - dump-signature: Optional boolean (default: false). Instruct
> + mkeficapsule to write signature data to a separate file. The
> + filename will be <capsule file>.p7. It might be used to verify
> + capsule authentication with external tools.
>
> Since this is a subclass of Entry_section, all properties of the parent
> class also apply here. Except for the properties stated as mandatory, the
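Review bot: The new dump-signature entry in entries.rst does not say that the property only matters for signed capsules, i.e. when private-key and public-key-cert are also given, although the commit message describes the feature for signed capsules only. Suggest stating that dependency, saying in which directory "<capsule file>.p7" ends up, and changing "It might be used" to "It can be used".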
> diff --git a/tools/binman/etype/efi_capsule.py b/tools/binman/etype/efi_capsule.py
> index 3b30c12ea514..022d57ee5519 100644
> --- a/tools/binman/etype/efi_capsule.py
> +++ b/tools/binman/etype/efi_capsule.py
> @@ -53,6 +53,10 @@ class Entry_efi_capsule(Entry_section):
> - public-key-cert: Path to PEM formatted .crt public key certificate
> file. Mandatory property for generating signed capsules.
> - oem-flags - OEM flags to be passed through capsule header.
> + - dump-signature: Optional boolean (default: false). Instruct
> + mkeficapsule to write signature data to a separate file. The
> + filename will be <capsule file>.p7. It might be used to verify
> + capsule authentication with external tools.
>
> Since this is a subclass of Entry_section, all properties of the parent
> class also apply here. Except for the properties stated as mandatory, the
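Review bot: The dump-signature paragraph in the Entry_efi_capsule docstring is a word-for-word copy of the entries.rst text, so any wording fix has to be made in both places to keep them identical. It would also help to say here that the .p7 file is an extra output beside the capsule and not part of the entry contents, since the code path below returns only the capsule file data.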
> @@ -101,6 +105,7 @@ class Entry_efi_capsule(Entry_section):
> self.private_key = ''
> self.public_key_cert = ''
> self.auth = 0
> + self.dump_signature = False
>
> def ReadNode(self):
> super().ReadNode()
> @@ -111,6 +116,7 @@ class Entry_efi_capsule(Entry_section):
> self.hardware_instance = fdt_util.GetInt(self._node, 'hardware-instance')
> self.monotonic_count = fdt_util.GetInt(self._node, 'monotonic-count')
> self.oem_flags = fdt_util.GetInt(self._node, 'oem-flags')
> + self.dump_signature = fdt_util.GetBool(self._node, 'dump-signature')
>
> self.private_key = fdt_util.GetString(self._node, 'private-key')
> self.public_key_cert = fdt_util.GetString(self._node, 'public-key-cert')
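Review bot: In ReadNode, dump-signature is read unconditionally, so a node that sets it without private-key and public-key-cert is accepted silently even though an unsigned capsule has no signature to dump. Consider raising an error when self.dump_signature is true and the key properties are empty, or document that the flag is ignored in that case.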
> @@ -150,7 +156,8 @@ class Entry_efi_capsule(Entry_section):
> public_key_cert,
> self.monotonic_count,
> self.fw_version,
> - self.oem_flags)
> + self.oem_flags,
> + self.dump_signature)
> if ret is not None:
> return tools.read_file(capsule_fname)
> else:
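Review bot: self.dump_signature is appended as one more positional argument after self.oem_flags, which only works if the callee's parameter order (not visible in this patch) matches exactly; passing it by keyword, e.g. dump_signature=self.dump_signature, would make the call robust against later reordering. After the call only capsule_fname is read back, so nothing checks that the .p7 file was actually written, and this patch touches only entries.rst and efi_capsule.py, so a test that sets dump-signature and checks for the .p7 output would have to come from elsewhere in the series.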
> --
> 2.47.3
>