[PATCH v2 0/3] UEFI Capsule - PKCS11 Support
Wojciech Dubowik
Wojciech.Dubowik at mt.com
Tue Jan 6 12:09:56 CET 2026
Add support for pkcs11 URI's when generating UEFI capsules and
accept URI's for certificate in dts capsule nodes.
Example:
export PKCS11_MODULE_PATH=<pkcs11 provider path>/libsofthsm2.so
tools/mkeficapsule --monotonic-count 1 \
--private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \
--certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \
--index 1 \
--guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
"capsule-payload" \
"capsule.cap
Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik at mt.com>
---
Changes in v2:
* allow mixed file/pkcs11 URI as key specification in mkeficapsule
* fix logic for accepting pkcs11 URI in binman device tree sections
* add binman test for UEFI capsule signature where private key comes
from softHSM
---
Wojciech Dubowik (3):
tools: mkeficapsule: Add support for pkcs11
binman: Accept pkcs11 URI tokens for capsule updates
test: binman: Add test for pkcs11 signed capsule
tools/binman/etype/efi_capsule.py | 8 +-
tools/binman/ftest.py | 46 ++++++++
.../binman/test/351_capsule_signed_pkcs11.dts | 20 ++++
tools/mkeficapsule.c | 110 +++++++++++++-----
4 files changed, 156 insertions(+), 28 deletions(-)
create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
--
2.47.3
More information about the U-Boot
mailing list