[PATCH v5 2/2] binman: x509_cert: support PKCS#11 URI in keyfile for HSM signing
Sergio Prado
sergio.prado at e-labworks.com
Thu Jul 2 18:46:46 CEST 2026
Hi Simon,
Em dom., 14 de jun. de 2026 às 13:01, Simon Glass <sjg at chromium.org>
escreveu:
[...]
> nit: the 'pkcs11:' substring test is loose - a filesystem path
> containing that token would be treated as a URI. Please use
> key_fname.startswith(('pkcs11:', 'org.openssl.engine:')) instead.
Will fix it in v6. I'll make it slightly stricter than suggested,
startswith(('pkcs11:',
'org.openssl.engine:pkcs11:')), so that a non-pkcs11 engine key (e.g.
org.openssl.engine:tpm2tss:...) doesn't get a pin-value attribute appended
to it.
> Also, the commit message says the URI is forwarded as-is to openssl
> -key, which isn't quite true once PKCS11_PIN is appended. Please
> reword to match the code.
Will reword in v6.
> The test only exercises the provider form; the engine prefix is
> documented as supported but not covered. A small extra case in
> testX509CertBuildPkcs11Key for an engine-prefixed URI would catch
> regressions in the combiner without needing libengine-pkcs11-openssl
> installed.
Good idea, will add it in v6.
Thanks for the review!
Sergio Prado
More information about the U-Boot
mailing list