[PATCH v2 3/3] test: binman: Add test for pkcs11 signed capsule
Quentin Schulz
quentin.schulz at cherry.de
Wed Jan 14 15:45:28 CET 2026
Hi Wojciech,
On 1/6/26 12:09 PM, Wojciech Dubowik wrote:
> Test pkcs11 URI support for UEFI capsule generation. For
> simplicity only private key is defined in binman section
> as softhsm tool doesn't support certificate import (yet).
>
> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik at mt.com>
> ---
> tools/binman/ftest.py | 46 +++++++++++++++++++
> .../binman/test/351_capsule_signed_pkcs11.dts | 20 ++++++++
> 2 files changed, 66 insertions(+)
> create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
>
> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
> index 21ec48d86fd1..cb5d69982772 100644
> --- a/tools/binman/ftest.py
> +++ b/tools/binman/ftest.py
> @@ -7532,6 +7532,52 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
>
> self._CheckCapsule(data, signed_capsule=True)
>
> + def testPkcs11SignedCapsuleGen(self):
> + """Test generation of EFI capsule (with PKCS11)"""
> + data = tools.read_file(self.TestFile("key.key"))
> + private_key = self._MakeInputFile("key.key", data)
> + data = tools.read_file(self.TestFile("key.pem"))
> + self._MakeInputFile("key.crt", data)
> +
> + softhsm2_util = bintool.Bintool.create('softhsm2_util')
> + self._CheckBintool(softhsm2_util)
> +
> + prefix = "testPkcs11SignedCapsuleGen."
> + # Configure SoftHSMv2
> + data = tools.read_file(self.TestFile('340_softhsm2.conf'))
> + softhsm2_conf = self._MakeInputFile(f'{prefix}softhsm2.conf', data)
> + softhsm2_tokens_dir = self._MakeInputDir(f'{prefix}softhsm2.tokens')
> +
> + softhsm_paths="/usr/local/lib/softhsm/libsofthsm2.so \
> + /usr/lib/softhsm/libsofthsm2.so \
> + /usr/lib64/pkcs11/libsofthsm2.so \
> + /usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so \
> + /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"> +
> + for softhsm2_lib_loc in softhsm_paths.split():
> + if os.path.exists(softhsm2_lib_loc):
> + softhsm2_lib = softhsm2_lib_loc
> +
This seems brittle, isn't there a better mechanism than this that can be
offered by distros? For openssl, installing libengine-pkcs11-openssl
(and setting the provider in the OPENSSL_CONF env variable) was enough.
Is there something similar to that for gnutls?
I don't think this will work on arm64 hosts, c.f.
https://debian.pkgs.org/13/debian-main-arm64/libsofthsm2_2.6.1-3_arm64.deb.html
> + with open(softhsm2_conf, 'a') as f:
> + f.write(f'directories.tokendir = {softhsm2_tokens_dir}\n')
> +
> + with unittest.mock.patch.dict('os.environ',
> + {'SOFTHSM2_CONF': softhsm2_conf}):
> + tools.run('softhsm2-util', '--init-token', '--free', '--label',
> + 'U-Boot token', '--pin', '1111', '--so-pin',
> + '222222')
> + tools.run('softhsm2-util', '--import', private_key, '--token',
> + 'U-Boot token', '--label', 'test_key', '--id', '999999',
> + '--pin', '1111')
> +
> + with unittest.mock.patch.dict('os.environ',
> + {'PKCS11_MODULE_PATH': softhsm2_lib,
> + 'SOFTHSM2_CONF': softhsm2_conf}):
> + data = self._DoReadFile('351_capsule_signed_pkcs11.dts')
> +
> +
> + self._CheckCapsule(data, signed_capsule=True)
> +
Don't you want to validate it's properly signed?
Cheers,
Quentin
More information about the U-Boot
mailing list