[PATCH v4 6/6] test: binman: Add test for pkcs11 signed capsule
Wojciech Dubowik
Wojciech.Dubowik at mt.com
Tue Jan 20 09:12:03 CET 2026
Test pkcs11 URI support for UEFI capsule generation. For
simplicity only private key is defined in binman section
as softhsm tool doesn't support certificate import (yet).
Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik at mt.com>
Reviewed-by: Simon Glass <simon.glass at canonical.com>
---
tools/binman/ftest.py | 53 +++++++++++++++++++
.../binman/test/351_capsule_signed_pkcs11.dts | 22 ++++++++
2 files changed, 75 insertions(+)
create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index 21ec48d86fd1..a005a167e414 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -7,6 +7,7 @@
# python -m unittest func_test.TestFunctional.testHelp
import collections
+import configparser
import glob
import gzip
import hashlib
@@ -7532,6 +7533,58 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
self._CheckCapsule(data, signed_capsule=True)
+ def testPkcs11SignedCapsuleGen(self):
+ """Test generation of EFI capsule (with PKCS11)"""
+ data = tools.read_file(self.TestFile("key.key"))
+ private_key = self._MakeInputFile("key.key", data)
+ data = tools.read_file(self.TestFile("key.pem"))
+ cert_file = self._MakeInputFile("key.crt", data)
+
+ softhsm2_util = bintool.Bintool.create('softhsm2_util')
+ self._CheckBintool(softhsm2_util)
+
+ prefix = "testPkcs11SignedCapsuleGen."
+ # Configure SoftHSMv2
+ data = tools.read_file(self.TestFile('340_softhsm2.conf'))
+ softhsm2_conf = self._MakeInputFile(f'{prefix}softhsm2.conf', data)
+ softhsm2_tokens_dir = self._MakeInputDir(f'{prefix}softhsm2.tokens')
+ tools.write_file(softhsm2_conf, data +
+ f'\ndirectories.tokendir = \
+ {softhsm2_tokens_dir}\n'.encode("utf-8"))
+
+ p11_kit_config = configparser.ConfigParser()
+ out = tools.run('p11-kit', 'print-config')
+ p11_kit_config.read_string(out)
+ softhsm2_lib = p11_kit_config['softhsm2']['module']
+
+ os.environ['SOFTHSM2_CONF'] = softhsm2_conf
+ tools.run('softhsm2-util', '--init-token', '--free', '--label',
+ 'U-Boot token', '--pin', '1111', '--so-pin',
+ '222222')
+ tools.run('softhsm2-util', '--import', private_key, '--token',
+ 'U-Boot token', '--label', 'test_key', '--id', '999999',
+ '--pin', '1111')
+
+ os.environ['PKCS11_MODULE_PATH'] = softhsm2_lib
+ data = self._DoReadFile('351_capsule_signed_pkcs11.dts')
+
+ self._CheckCapsule(data, signed_capsule=True)
+
+ # Verify signed capsule
+ hdr = self._GetCapsuleHeaders(data)
+ monotonic_count = hdr['EFI_FIRMWARE_IMAGE_AUTH.MONOTONIC_COUNT']
+
+ with open(self._indir + '/capsule_input.bin', 'ab') as f:
+ f.write(struct.pack('<Q', int(monotonic_count, 16)))
+
+ try:
+ tools.run('openssl', 'smime', '-verify', '-inform', 'DER',
+ '-in', tools.get_output_dir() + '/capsule.efi-capsule.p7',
+ '-content', self._indir + '/capsule_input.bin',
+ '-CAfile', cert_file, '-no_check_time')
+ except ValueError:
+ self.assertIn('UEFI Capsule verification failed')
+
def testCapsuleGenVersionSupport(self):
"""Test generation of EFI capsule with version support"""
data = self._DoReadFile('313_capsule_version.dts')
diff --git a/tools/binman/test/351_capsule_signed_pkcs11.dts b/tools/binman/test/351_capsule_signed_pkcs11.dts
new file mode 100644
index 000000000000..ae93bf83936f
--- /dev/null
+++ b/tools/binman/test/351_capsule_signed_pkcs11.dts
@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+ binman {
+ efi-capsule {
+ image-index = <0x1>;
+ /* Image GUID for testing capsule update */
+ image-guid = "binman-test";
+ hardware-instance = <0x0>;
+ monotonic-count = <0x1>;
+ dump-signature;
+ private-key = "pkcs11:token=U-Boot%20token;object=test_key;type=private;pin-value=1111";
+ public-key-cert = "key.crt";
+
+ blob {
+ filename = "capsule_input.bin";
+ };
+ };
+ };
+};
--
2.47.3
More information about the U-Boot
mailing list