Add support for pkcs11 URIs when generating UEFI capsules and
accept URIs for certificate in dts capsule nodes.

Example:
    export PKCS11_MODULE_PATH=<pkcs11 provider path>/libsofthsm2.so
    tools/mkeficapsule --monotonic-count 1 \
        --private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \
        --certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \
        --index 1 \
        --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
        "capsule-payload" \
        "capsule.cap"

Signed-off-by: Wojciech Dubowik <[email protected]>
---
Changes in v4:
* adapt mkeficapsule python support to dump detached signature
  for authenticated capsules
* verify detached capsule signature with openssl after generation
* use p11-kit to figure out location of softhsm2 library
* fix missing long option for dumping signatures in mkeficapsule

Changes in v3:
* fix write file encoding, env setting and extra line in binman
  test after review

Changes in v2:
* allow mixed file/pkcs11 URI as key specification in mkeficapsule
* fix logic for accepting pkcs11 URI in binman device tree sections
* add binman test for UEFI capsule signature where private key
  comes from softHSM

---
Wojciech Dubowik (6):
  tools: mkeficapsule: Add support for pkcs11
  binman: Accept pkcs11 URI tokens for capsule updates
  tools: Fix long option --dump_sig in mkeficapsule
  binman: Add dump signarture option to mkeficapsule
  binman: DTS: Add dump-signature option for capsules
  test: binman: Add test for pkcs11 signed capsule

 tools/binman/btool/mkeficapsule.py            |   6 +-
 tools/binman/entries.rst                      |   2 +
 tools/binman/etype/efi_capsule.py             |  13 +-
 tools/binman/ftest.py                         |  53 +++++++++
 .../binman/test/351_capsule_signed_pkcs11.dts |  22 ++++
 tools/mkeficapsule.c                          | 111 ++++++++++++++----
 6 files changed, 177 insertions(+), 30 deletions(-)
 create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts

-- 
2.47.3
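A pre-flight check for the --private-key / --certificate pair from the example command, written for this page as an added example; it is not code from the patch series or from U-Boot. The function names, the lenient parsing (attributes accepted on either side of `?`) and the lint policy are assumptions of this example, and the sample specifications in it are constructed.

```python
from urllib.parse import unquote

SCHEME = "pkcs11:"

def parse_key_spec(spec):
    """Return ("file", path) or ("pkcs11", attrs) for a key/certificate argument."""
    if not spec.startswith(SCHEME):
        return "file", spec
    path, _, query = spec[len(SCHEME):].partition("?")
    attrs = {}
    # RFC 7512: path attributes are ';'-separated, query attributes '&'-separated.
    # Assumption: this example accepts any attribute in either part.
    for item in path.split(";") + query.split("&"):
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep or name in attrs:
            raise ValueError(f"malformed or duplicate attribute: {item!r}")
        attrs[name] = unquote(value)  # values are percent-encoded
    return "pkcs11", attrs

def lint_signing_pair(key_spec, cert_spec):
    """Return a list of findings for a --private-key / --certificate pair."""
    findings = []
    kkind, key = parse_key_spec(key_spec)
    ckind, cert = parse_key_spec(cert_spec)
    if kkind == "pkcs11":
        if key.get("type") != "private":
            findings.append("private-key URI should carry type=private")
        if "pin-value" in key:
            findings.append("pin-value exposes the PIN in argv; use pin-source")
    if ckind == "pkcs11" and cert.get("type") != "cert":
        findings.append("certificate URI should carry type=cert")
    # Assumed policy: key and certificate share token and object label,
    # as they do in the example command above.
    if kkind == ckind == "pkcs11":
        for name in ("token", "object"):
            if key.get(name) != cert.get(name):
                findings.append(f"key and certificate differ in {name}")
    return findings

if __name__ == "__main__":
    # Constructed sample: the pair from the example, then a mixed file/URI pair.
    key = "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt"
    cert = "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt"
    print(lint_signing_pair(key, cert))
    print(lint_signing_pair(key, "capsule.crt"))
```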

