[PATCH v5 2/2] binman: x509_cert: support PKCS#11 URI in keyfile for HSM signing

Sergio Prado sergio.prado at e-labworks.com
Thu Jul 2 18:46:46 CEST 2026


Hi Simon,

Em dom., 14 de jun. de 2026 às 13:01, Simon Glass <sjg at chromium.org>
escreveu:
[...]
> nit: the 'pkcs11:' substring test is loose - a filesystem path
> containing that token would be treated as a URI. Please use
> key_fname.startswith(('pkcs11:', 'org.openssl.engine:')) instead.

Will fix it in v6. I'll make it slightly stricter than suggested,
startswith(('pkcs11:',
'org.openssl.engine:pkcs11:')), so that a non-pkcs11 engine key (e.g.
org.openssl.engine:tpm2tss:...) doesn't get a pin-value attribute appended
to it.

> Also, the commit message says the URI is forwarded as-is to openssl
> -key, which isn't quite true once PKCS11_PIN is appended. Please
> reword to match the code.

Will reword in v6.

> The test only exercises the provider form; the engine prefix is
> documented as supported but not covered. A small extra case in
> testX509CertBuildPkcs11Key for an engine-prefixed URI would catch
> regressions in the combiner without needing libengine-pkcs11-openssl
> installed.

Good idea, will add it in v6.

Thanks for the review!

Sergio Prado


More information about the U-Boot mailing list