[PATCH v7] tools: mkeficapsule: Rework pkcs11 support

Quentin Schulz quentin.schulz at cherry.de
Fri Jun 26 12:32:18 CEST 2026


+Cc Heinrich and Ilias, maintainers of tools/mkeficapsule.c according to 
./scripts/get_maintainer.pl

On 6/9/26 9:01 AM, Wojciech Dubowik wrote:
> From: Wojciech Dubowik <Wojciech.Dubowik at mt.com>
> 
> Some distros like OpenEmbedded are using gnutls library
> without pkcs11 support and linking of mkeficapsule will fail.
> It would make maintenance of default configs a hurdle.
> Add detection of pkcs11 support in gnutls so it's enabled
> when available and doesn't need to be set explicitly.
> 
> Reviewed-by: Simon Glass <sjg at chromium.org>
> Acked-by: Quentin Schulz <quentin.schulz at cherry.de>
> Suggested-by: Tom Rini <trini at konsulko.com>
> Cc: Franz Schnyder <fra.schnyder at gmail.com>
> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik at mt.com>
> ---
> Changes in v7:
> - fixed return code in import_pkcs11_crt to restore the old
>    behaviour, spotted by Simon
> Changes in v6:
> - removed return code check from gnutls_x509_crt_import_pkcs11
>     suggested by Quentin, to be sent in a separate patch later
> Changes in v5:
> - removed more unrelated cleanup improvements spotted by
>     Quentin, to be sent in another patch later
> Changes in v4:
> - abstract pkcs11 init function
> - removed unrelated cleanup improvements, to be sent in
>     another patch later
> Changes in v3:
> - remove config option for pkcs11 support and add auto
>     detection in Makefile
> - reduce amount of ifdefs by abstracting import pkcs11
>     functions
> - add missing free and deinit functions
> Changes in v2:
> - make use of stderr more consistent
> - add missing ifndef around pkcs11 deinit functions
> ---
>   tools/Makefile       |  5 +++
>   tools/mkeficapsule.c | 95 +++++++++++++++++++++++++++++++++-----------
>   2 files changed, 77 insertions(+), 23 deletions(-)
> 
> diff --git a/tools/Makefile b/tools/Makefile
> index 1a5f425ecdaa..e85f5a354b81 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -271,6 +271,11 @@ mkeficapsule-objs := generated/lib/uuid.o \
>   	$(LIBFDT_OBJS) \
>   	mkeficapsule.o
>   hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
> +GNUTLS_SUPPORTS_P11KIT = $(shell pkg-config --libs gnutls --print-requires-private \
> +			 2> /dev/null | grep p11-kit-1)
> +ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1)
> +HOSTCFLAGS_mkeficapsule.o += -DMKEFICAPSULE_PKCS11
> +endif
>   
>   include tools/fwumdata_src/fwumdata.mk
>   
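Review bot: The `ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1)` only fires when grep returns exactly `p11-kit-1`; if the installed gnutls.pc lists the requirement with a version constraint (pkg-config prints it as `p11-kit-1 >= 0.23.1`), the grep line is longer and pkcs11 support is silently left out even though GnuTLS has it. Testing for a non-empty result is more robust: `ifneq ($(GNUTLS_SUPPORTS_P11KIT),)`. Combining `--libs` with `--print-requires-private` in the same pkg-config invocation is also surprising, since only the requires output is consumed by the grep; `pkg-config --print-requires-private gnutls` alone would be clearer (confirm that the combined form actually prints the requires list on the pkg-config versions in use). If tools/Makefile elsewhere routes pkg-config through a host variable, this call should use it too so cross builds query the host GnuTLS.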
> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> index ec640c57e8a5..c3cf48f4cc1d 100644
> --- a/tools/mkeficapsule.c
> +++ b/tools/mkeficapsule.c
> @@ -207,6 +207,71 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)
>   	return 0;
>   }
>   
> +#ifdef MKEFICAPSULE_PKCS11
> +static int pkcs11_init(void)
> +{
> +	const char *lib;
> +	int ret;
> +
> +	lib = getenv("PKCS11_MODULE_PATH");
> +	if (!lib) {
> +		fprintf(stdout,
> +			"PKCS11_MODULE_PATH not set in the environment\n");
> +		return -1;
> +	}
> +
> +	gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
> +	gnutls_global_init();
> +
> +	ret = gnutls_pkcs11_add_provider(lib, "trusted");
> +	if (ret < 0) {
> +		fprintf(stdout, "Failed to add pkcs11 provider\n");
> +		return -1;
> +	}
> +
> +	return 0;
> +}
> +
> +static int import_pkcs11_crt(gnutls_x509_crt_t *x509, struct auth_context *ctx)
> +{
> +	gnutls_pkcs11_obj_t *obj_list;
> +	unsigned int obj_list_size = 0;
> +	int ret;
> +
> +	ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
> +						 ctx->cert_file, 0);
> +	if (ret < 0 || obj_list_size == 0)
> +		return -1;
> +
> +	gnutls_x509_crt_import_pkcs11(*x509, obj_list[0]);
> +
> +	return 0;
> +}
> +
> +static int import_pkcs11_key(gnutls_privkey_t *pkey, struct auth_context *ctx)
> +{
> +	return gnutls_privkey_import_pkcs11_url(*pkey, ctx->key_file);
> +}
> +#else
> +static int pkcs11_init(void)
> +{
> +	fprintf(stderr, "Pkcs11 support is disabled\n");
> +	return -1;
> +}
> +
> +static int import_pkcs11_crt(gnutls_x509_crt_t *x509, struct auth_context *ctx)
> +{
> +	fprintf(stderr, "Pkcs11 support is disabled\n");
> +	return -1;
> +}
> +
> +static int import_pkcs11_key(gnutls_privkey_t *pkey, struct auth_context *ctx)
> +{
> +	fprintf(stderr, "Pkcs11 support is disabled\n");
> +	return -1;
> +}
> +#endif
> +
>   /**
>    * create_auth_data - compose authentication data in capsule
>    * @auth_context:	Pointer to authentication context
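Review bot: import_pkcs11_crt() collapses every failure into `return -1`, but its caller reports the value through gnutls_strerror(), so the real GnuTLS error from gnutls_pkcs11_obj_list_import_url4() is never shown and the disabled stub produces the same meaningless -1; propagate the library code with `if (ret < 0) return ret;` and keep a separate return for the empty-list case. pkcs11_init() still writes both of its diagnostics to stdout while the stubs in the #else branch and the caller use stderr, so a script capturing stdout gets error text mixed into the capsule tool's normal output; both should be `fprintf(stderr, ...)`. The obj_list array returned by gnutls_pkcs11_obj_list_import_url4() is never released in this hunk (the v3 changelog mentions added deinit calls, but none are visible here) — harmless for a one-shot tool, but worth either a gnutls_pkcs11_obj_deinit() loop plus gnutls_free() or a comment saying the leak is deliberate.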
> @@ -229,9 +294,6 @@ static int create_auth_data(struct auth_context *ctx)
>   	gnutls_pkcs7_t pkcs7;
>   	gnutls_datum_t data;
>   	gnutls_datum_t signature;
> -	gnutls_pkcs11_obj_t *obj_list;
> -	unsigned int obj_list_size = 0;
> -	const char *lib;
>   	int ret;
>   	bool pkcs11_cert = false;
>   	bool pkcs11_key = false;
> @@ -243,19 +305,8 @@ static int create_auth_data(struct auth_context *ctx)
>   		pkcs11_key = true;
>   
>   	if (pkcs11_cert || pkcs11_key) {
> -		lib = getenv("PKCS11_MODULE_PATH");
> -		if (!lib) {
> -			fprintf(stdout,
> -				"PKCS11_MODULE_PATH not set in the environment\n");
> -			return -1;
> -		}
> -
> -		gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
> -		gnutls_global_init();
> -
> -		ret = gnutls_pkcs11_add_provider(lib, "trusted");
> +		ret = pkcs11_init();
>   		if (ret < 0) {
> -			fprintf(stdout, "Failed to add pkcs11 provider\n");
>   			return -1;
>   		}
>   	}
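Review bot: The surviving `if (ret < 0) { return -1; }` now wraps a single statement in braces, which checkpatch flags under U-Boot's kernel-derived style; once the fprintf is gone the block should read `ret = pkcs11_init();` / `if (ret < 0)` / `return -1;` without braces. create_auth_data() begins and ends outside this hunk.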
> @@ -301,14 +352,12 @@ static int create_auth_data(struct auth_context *ctx)
>   
>   	/* load x509 certificate */
>   	if (pkcs11_cert) {
> -		ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
> -							 ctx->cert_file, 0);
> -		if (ret < 0 || obj_list_size == 0) {
> -			fprintf(stdout, "Failed to import crt_file URI objects\n");
> +		ret =  import_pkcs11_crt(&x509, ctx);
> +		if (ret < 0) {
> +			fprintf(stderr, "error in import_pkcs11_crt(): %s\n",
> +				gnutls_strerror(ret));
>   			return -1;
>   		}
> -
> -		gnutls_x509_crt_import_pkcs11(x509, obj_list[0]);
>   	} else {
>   		ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);
>   		if (ret < 0) {
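Review bot: The new `gnutls_strerror(ret)` after import_pkcs11_crt() is handed a plain -1, since both the real helper and the disabled stub return -1 rather than a GnuTLS error code, so the message will print GnuTLS's generic unknown-code text instead of the actual reason; either have the helper return the library code or drop the `%s` and keep a fixed message such as `"Failed to import crt_file URI objects\n"`. There is also a stray double space in `ret =  import_pkcs11_crt(&x509, ctx);`. create_auth_data() continues outside this hunk.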
> @@ -320,9 +369,9 @@ static int create_auth_data(struct auth_context *ctx)
>   
>   	/* load a private key */
>   	if (pkcs11_key) {
> -		ret = gnutls_privkey_import_pkcs11_url(pkey, ctx->key_file);
> +		ret = import_pkcs11_key(&pkey, ctx);
>   		if (ret < 0) {
> -			fprintf(stderr, "error in %d: %s\n", __LINE__,
> +			fprintf(stderr,	"error in import_pkcs11_key(): %s\n",
>   				gnutls_strerror(ret));
>   			return -1;
>   		}
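Review bot: The rewritten fprintf has a tab instead of a space after `fprintf(stderr,`, which checkpatch reports; it should be `fprintf(stderr, "error in import_pkcs11_key(): %s\n",`. Note that with pkcs11 support compiled out the user now sees two messages for one failure (the stub's "Pkcs11 support is disabled" followed by this one with gnutls_strerror(-1)), which is acceptable but worth a short comment on the stub explaining that the caller also reports the error. create_auth_data() continues outside this hunk.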


