[PATCH v5 0/6] UEFI Capsule - PKCS11 Support
Wojciech Dubowik
Wojciech.Dubowik at mt.com
Wed Jan 28 09:05:07 CET 2026
Add support for pkcs11 URIs when generating UEFI capsules and
accept URIs for certificate in dts capsule nodes.
Example:
export PKCS11_MODULE_PATH=<pkcs11 provider path>/libsofthsm2.so
tools/mkeficapsule --monotonic-count 1 \
--private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \
--certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \
--index 1 \
--guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
"capsule-payload" \
"capsule.cap"
Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik at mt.com>
---
Changes in v5:
* add bin wrappers in test for all external tools
* improve error handling in python test
* fix data types in python
* standardize option name in mkeficapsule
* fix typos
Changes in v4:
* adapt mkeficapsule python support to dump detached signature
for authenticated capsules
* verify detached capsule signature with openssl after generation
* use p11-kit to figure out location of softhsm2 library
* fix missing long option for dumping signatures in mkeficapsule
Changes in v3:
* fix write file encoding, env setting and extra line in binman test
after review
Changes in v2:
* allow mixed file/pkcs11 URI as key specification in mkeficapsule
* fix logic for accepting pkcs11 URI in binman device tree sections
* add binman test for UEFI capsule signature where private key comes
from softHSM
---
Wojciech Dubowik (6):
tools: mkeficapsule: Add support for pkcs11
binman: Accept pkcs11 URI tokens for capsule updates
tools: mkeficapsule: Fix dump signature long option
binman: Add dump signature option to mkeficapsule
binman: DTS: Add dump-signature option for capsules
test: binman: Add test for pkcs11 signed capsule
doc/mkeficapsule.1 | 4 +-
tools/binman/btool/mkeficapsule.py | 8 +-
tools/binman/btool/p11_kit.py | 21 ++++
tools/binman/entries.rst | 4 +
tools/binman/etype/efi_capsule.py | 17 ++-
tools/binman/ftest.py | 66 ++++++++++
.../binman/test/351_capsule_signed_pkcs11.dts | 22 ++++
tools/mkeficapsule.c | 113 +++++++++++++-----
8 files changed, 221 insertions(+), 34 deletions(-)
create mode 100644 tools/binman/btool/p11_kit.py
create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts
--
2.47.3
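
The mixed file/pkcs11 key specification from the cover letter, as an added Python illustration that is not part of the patch series and is not mkeficapsule or binman code. The function names parse_key_spec and audit_pin_handling are hypothetical; the sketch classifies an argument as a file or a pkcs11 URI and reports how the token PIN is supplied.

```python
import os
import re
from urllib.parse import unquote


def parse_key_spec(spec):
    """Return ("file", path) or ("pkcs11", {attribute: value})."""
    if not spec.startswith("pkcs11:"):
        return "file", spec
    attrs = {}
    # RFC 7512 separates path attributes with ';' and query attributes
    # with '?' and '&'. The cover letter's example places pin-source
    # after ';', so all three separators are accepted here.
    for part in re.split(r"[;?&]", spec[len("pkcs11:"):]):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed pkcs11 attribute: {part!r}")
        attrs[unquote(name)] = unquote(value)
    return "pkcs11", attrs


def audit_pin_handling(spec, base_dir="."):
    """List findings about how a key specification supplies the token PIN."""
    kind, attrs = parse_key_spec(spec)
    findings = []
    if kind == "file":
        return findings
    if "pin-value" in attrs:
        # An inline PIN is visible in the process list and in build logs.
        findings.append("PIN given inline via pin-value")
    if "pin-source" in attrs:
        # Assumption: pin-source is a plain path, as in the page's example.
        path = os.path.join(base_dir, attrs["pin-source"])
        if not os.path.isfile(path):
            findings.append("pin-source file not found")
        elif os.stat(path).st_mode & 0o077:
            findings.append("pin-source file accessible to group or others")
    return findings


if __name__ == "__main__":
    # Constructed sample arguments, modelled on the command in the cover letter.
    for arg in ("pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt",
                "pkcs11:token=EX;object=capsule;type=private?pin-value=1234",
                "capsule.key"):
        print(arg, "->", audit_pin_handling(arg))
```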