[PATCH v4] tools: mkeficapsule: Rework pkcs11 support

Quentin Schulz quentin.schulz at cherry.de
Wed May 20 12:45:36 CEST 2026


Hi Wojciech,

On 5/13/26 6:45 AM, Wojciech Dubowik wrote:
> Some distros like OpenEmbedded are using gnutls library
> without pkcs11 support and linking of mkeficapsule will fail.
> It would make maintenance of default configs a hurdle.
> Add detection of pkcs11 support in gnutls so it's enabled
> when available and doesn't need to be set explicitly.
> 
> Suggested-by: Tom Rini <trini at konsulko.com>
> Cc: Franz Schnyder <fra.schnyder at gmail.com>
> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik at mt.com>
> ---
> Changes in v4:
> - abstract pkcs11 init function
> - removed unrelated cleanup improvements, to be sent in
>    another patch later
> Changes in v3:
> - remove config option for pkcs11 support and add auto
>     detection in Makefile
> - reduce amount of ifdefs by abstracting import pkcs11
>     functions
> - add missing free and deinit functions
> Changes in v2:
> - make use of stderr more consistent
> - add missing ifndef around pkcs11 deinit functions
> ---
>   tools/Makefile       |  5 +++
>   tools/mkeficapsule.c | 99 ++++++++++++++++++++++++++++++++++----------
>   2 files changed, 81 insertions(+), 23 deletions(-)
> 
> diff --git a/tools/Makefile b/tools/Makefile
> index 1a5f425ecdaa..e85f5a354b81 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -271,6 +271,11 @@ mkeficapsule-objs := generated/lib/uuid.o \
>   	$(LIBFDT_OBJS) \
>   	mkeficapsule.o
>   hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
> +GNUTLS_SUPPORTS_P11KIT = $(shell pkg-config --libs gnutls --print-requires-private \
> +			 2> /dev/null | grep p11-kit-1)
> +ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1)
> +HOSTCFLAGS_mkeficapsule.o += -DMKEFICAPSULE_PKCS11
> +endif
>   
>   include tools/fwumdata_src/fwumdata.mk
>   
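Review bot: the ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1) test in the Makefile hunk only matches when the grepped line is exactly "p11-kit-1", but pkg-config --print-requires-private prints the Requires.private entry as written in gnutls.pc, which normally carries a version constraint (for example "p11-kit-1 >= 0.23.1"), so on such systems the comparison fails and MKEFICAPSULE_PKCS11 is never defined even though gnutls has pkcs11 support. Testing for a non-empty result is more robust: ifneq ($(GNUTLS_SUPPORTS_P11KIT),).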
> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> index ec640c57e8a5..132bba286e4c 100644
> --- a/tools/mkeficapsule.c
> +++ b/tools/mkeficapsule.c
> @@ -207,6 +207,75 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)
>   	return 0;
>   }
>   
> +#ifdef MKEFICAPSULE_PKCS11
> +static int pkcs11_init(void)
> +{
> +	const char *lib;
> +	int ret;
> +
> +	lib = getenv("PKCS11_MODULE_PATH");
> +	if (!lib) {
> +		fprintf(stderr,

We currently use stdout for this. The change is fine, but in a separate 
patch please.

> +			"PKCS11_MODULE_PATH not set in the environment\n");
> +		return -1;
> +	}
> +
> +	gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
> +	gnutls_global_init();
> +
> +	ret = gnutls_pkcs11_add_provider(lib, "trusted");
> +	if (ret < 0) {
> +		fprintf(stderr, "Failed to add pkcs11 provider\n");

Ditto.

> +		return -1;
> +	}
> +
> +	return 0;
> +}
> +
> +static int import_pkcs11_crt(gnutls_x509_crt_t *x509, struct auth_context *ctx)
> +{
> +	gnutls_pkcs11_obj_t *obj_list;
> +	unsigned int obj_list_size = 0;
> +	int i, ret;
> +
> +	ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
> +						 ctx->cert_file, 0);
> +	if (ret < 0 || obj_list_size == 0)
> +		return ret;
> +
> +	ret = gnutls_x509_crt_import_pkcs11(*x509, obj_list[0]);
> +
> +	for (i = 0; i < obj_list_size; i++)
> +                gnutls_pkcs11_obj_deinit(obj_list[i]);
> +	gnutls_free(obj_list);
> +

Those three lines are new, please have them in a separate patch.

> +	return ret;
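Review bot: in import_pkcs11_crt(), the early return after gnutls_pkcs11_obj_list_import_url4() propagates ret even when obj_list_size == 0, and on a successful lookup ret is 0, so a URL that matches no object reports success to the caller while *x509 is left untouched. Please return a negative error in that case, e.g. a separate "if (obj_list_size == 0) return -1;" after the existing "if (ret < 0) return ret;". Two smaller points in the same hunk: the gnutls_pkcs11_obj_deinit() call in the cleanup loop is indented with spaces instead of a tab, and i should be unsigned to match obj_list_size; in pkcs11_init(), the return value of gnutls_pkcs11_init() is not checked either.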

So far, we've ignored the return value of 
gnutls_x509_crt_import_pkcs11(), so please do the same in this patch. 
Another patch for checking the return value can make sense (haven't 
checked).

Looks good to me otherwise, thanks for working on this!

Cheers,
Quentin


More information about the U-Boot mailing list