Cover Letter Detail
Show a cover letter.
GET /api/1.1/covers/2228271/?format=api
{ "id": 2228271, "url": "http://patchwork.ozlabs.org/api/1.1/covers/2228271/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/cover/20260423154536.768603-1-sergio.prado@e-labworks.com/", "project": { "id": 18, "url": "http://patchwork.ozlabs.org/api/1.1/projects/18/?format=api", "name": "U-Boot", "link_name": "uboot", "list_id": "u-boot.lists.denx.de", "list_email": "u-boot@lists.denx.de", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260423154536.768603-1-sergio.prado@e-labworks.com>", "date": "2026-04-23T15:45:34", "name": "[v3,0/2] binman: add PKCS#11/HSM signing support for X509 certificates", "submitter": { "id": 67358, "url": "http://patchwork.ozlabs.org/api/1.1/people/67358/?format=api", "name": "Sergio Prado", "email": "sergio.prado@e-labworks.com" }, "mbox": "http://patchwork.ozlabs.org/project/uboot/cover/20260423154536.768603-1-sergio.prado@e-labworks.com/mbox/", "series": [ { "id": 501468, "url": "http://patchwork.ozlabs.org/api/1.1/series/501468/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/list/?series=501468", "date": "2026-04-23T15:45:36", "name": "binman: add PKCS#11/HSM signing support for X509 certificates", "version": 3, "mbox": "http://patchwork.ozlabs.org/series/501468/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/covers/2228271/comments/", "headers": { "Return-Path": "<u-boot-bounces@lists.denx.de>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=e-labworks-com.20251104.gappssmtp.com\n header.i=@e-labworks-com.20251104.gappssmtp.com header.a=rsa-sha256\n header.s=20251104 header.b=zlkTSDCF;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)", "phobos.denx.de;\n dmarc=fail (p=none dis=none) header.from=e-labworks.com", "phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de", "phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=e-labworks-com.20251104.gappssmtp.com\n header.i=@e-labworks-com.20251104.gappssmtp.com header.b=\"zlkTSDCF\";\n\tdkim-atps=neutral", "phobos.denx.de; dmarc=fail (p=none dis=none)\n header.from=e-labworks.com", "phobos.denx.de;\n spf=none smtp.mailfrom=sergio.prado@e-labworks.com" ], "Received": [ "from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g2yzz3Lvkz1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 26 Apr 2026 04:30:07 +1000 (AEST)", "from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id F29A484314;\n\tSat, 25 Apr 2026 20:29:59 +0200 (CEST)", "by phobos.denx.de (Postfix, from userid 109)\n id A66D284370; Sat, 25 Apr 2026 20:29:58 +0200 (CEST)", "from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com\n [IPv6:2607:f8b0:4864:20::f34])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id B7E8C842E7\n for <u-boot@lists.denx.de>; Sat, 25 Apr 2026 20:29:54 +0200 (CEST)", "by mail-qv1-xf34.google.com with SMTP id\n 6a1803df08f44-899d6b7b073so94168416d6.2\n for <u-boot@lists.denx.de>; Sat, 25 Apr 2026 11:29:54 -0700 (PDT)", "from desktop.. ([2804:7f0:6401:dc31:4200:1760:44a0:9daa])\n by smtp.gmail.com with ESMTPSA id\n 5a478bee46e88-2e539fa5c86sm33732055eec.1.2026.04.23.08.46.17\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 23 Apr 2026 08:46:20 -0700 (PDT)" ], "X-Spam-Checker-Version": "SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de", "X-Spam-Level": "", "X-Spam-Status": "No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NONE autolearn=ham\n autolearn_force=no version=3.4.2", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=e-labworks-com.20251104.gappssmtp.com; s=20251104; t=1777141793;\n x=1777746593;\n darn=lists.denx.de;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=6no6ML6Iq/qveYgoXgq5rlTzz8LOIQ3UBaDqH7XCbUA=;\n b=zlkTSDCF7xlQ7mE5rUfvvOUQC4/1EDnqlpkh89IJdMoshNalOavYySyEfPyNDqL+Nz\n dRP1U0sVS7PcTAPGDimLzTdlNS6PGw2pmrWODSYQhGPKkB9bKupfXDNEGvcu2s/MCn2/\n AwahS3mylBLhgXNIgZARhkYS44LWrlU76H9uyfyMSfL4JJ8BR5tMy9xZFrUJ/MO6afcA\n VSXcd2LIEyffuiJ41JHpSyQMb21IwKzlDeFPGRB7BdEQAg2vxs6z1urJgE8Vga+dgWkc\n ySHAyezOXUrybXg8FGQYq3rLcpN82d4q0U2XcSP90J70nK5aNoxQgwCrH0DPiIcqdkvR\n 4d3w==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777141793; x=1777746593;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=6no6ML6Iq/qveYgoXgq5rlTzz8LOIQ3UBaDqH7XCbUA=;\n b=OM1ScKdRCaIwb76x3NKH8e8J63OVy6sF44h7nVzLUoisAhti2JQsCliz4kAgSTRZDQ\n 2GOh0h1e+BZ7JYldGn9r2gYqDHpYyxxa3NdZ6WO6FooNs4ZsKmQOAY6g4d1rJs+4BKal\n rrby0TOxZxWwJdLCh7iTAmVK72x4lcPdAwNV1q8ArGMi5Xk2b+N5RqfJAmx9WtZeNI2U\n 06bpZHLZND8UlpVD4ATcrIVnF/qECJcrjFp6g50xA0JvXXcY+9hOn73GFAU0m7lgiVdK\n vPynT+PSvR5f2xiH4KFAqJi0rlFkQppSioye3KiOlCHkvYOwdYTvfdIMyu7ewigX6KkG\n qGoQ==", "X-Gm-Message-State": "AOJu0YwoXrsGhY0tVl3IfYR5BQBbd/mveB3FZx1lEdbIpcIbIVazafd8\n UbdqnlOqzz28lgvSizzqE5FG9vS4dOyj851Lx9wfm3n695+nDC9qnH8qQ2XRXcQ2SmJsGkvmplL\n ZngTk+lVmAg==", "X-Gm-Gg": "AeBDietgFtqUmPoFAtAHI72f6JeET9B+Of/CgFbMK2iqbSBqolwaC8xJY58Misarz7a\n DxmqZ5AlTAQnPV+5PCAzsNZ8IekIkoiRL69yF9bJ8Ljp9YF1C4zX0Lmfq0XKKSKJ6g1z8Ai/Acp\n YiW8KTd7TkYqe5Ka2hcgrLaHtNWQDfqNdzffLCdNQve4dq2QkcIalqjFZ1AScStisSS/I0zbqNJ\n qI2WGPQ9dLtqO0FvNzA60nyx1yfGDuvIelmEQr+WLD89ahO2zG5OsjK7xzOKtk2q36PYk9twD00\n PW0Rh6cwD1YB3Hvoav/krbVQwS7BTpSV6U9uosIuTcEpK0JNd3L8vCczAq/M3r43ht5V6NapzbV\n I/aNlMnpscvEPSY6rd7EGN6gk/o5Y+2zME1qDSZwdKbL1PYkbH/mrUxAiWlmndOQG9p1AX6+EaE\n Ygz/fk59GOmK8MyWrXuJ43eRrcCebz/mcG0RNp8Tb1lw==", "X-Received": "by 2002:a05:693c:3007:b0:2ea:5057:a2f9 with SMTP id\n 5a478bee46e88-2ea5057b737mr6662607eec.16.1776959181212;\n Thu, 23 Apr 2026 08:46:21 -0700 (PDT)", "From": "Sergio Prado <sergio.prado@e-labworks.com>", "To": "u-boot@lists.denx.de", "Cc": "trini@konsulko.com, sjg@chromium.org, alpernebiyasak@gmail.com,\n ilias.apalodimas@linaro.org, marek.vasut+renesas@mailbox.org,\n sughosh.ganu@arm.com, wolfgang.wallner@at.abb.com, bb@ti.com,\n y.moog@phytec.de, xypron.glpk@gmx.de, sergio.prado@e-labworks.com,\n jerome.forissier@arm.com, afd@ti.com, quentin.schulz@cherry.de,\n Wojciech.Dubowik@mt.com", "Subject": "[PATCH v3 0/2] binman: add PKCS#11/HSM signing support for X509\n certificates", "Date": "Thu, 23 Apr 2026 12:45:34 -0300", "Message-Id": "<20260423154536.768603-1-sergio.prado@e-labworks.com>", "X-Mailer": "git-send-email 2.34.1", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=UTF-8", "Content-Transfer-Encoding": "8bit", "X-BeenThere": "u-boot@lists.denx.de", "X-Mailman-Version": "2.1.39", "Precedence": "list", "List-Id": "U-Boot discussion <u-boot.lists.denx.de>", "List-Unsubscribe": "<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>", "List-Archive": "<https://lists.denx.de/pipermail/u-boot/>", "List-Post": "<mailto:u-boot@lists.denx.de>", "List-Help": "<mailto:u-boot-request@lists.denx.de?subject=help>", "List-Subscribe": "<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>", "Errors-To": "u-boot-bounces@lists.denx.de", "Sender": "\"U-Boot\" <u-boot-bounces@lists.denx.de>", "X-Virus-Scanned": "clamav-milter 0.103.8 at phobos.denx.de", "X-Virus-Status": "Clean" }, "content": "Motivation\n----------\n\nTI K3 secure boot requires X509 certificates to be signed with a private\nkey at build time. Until now, binman expected this key to be present as a\nplain PEM file on the build host. For production use, however, private keys\nshould never exist unprotected on a build machine — they belong inside a\nHardware Security Module (HSM) that enforces access control and keeps the\nkey material unexportable.\n\nThis series adds support for signing X509 certificates via any PKCS#11-\ncapable HSM (YubiKey, TPM, network HSM, SoftHSM2 for development, etc.).\n\nDesign\n------\n\nTwo new make variables are the sole user-visible interface:\n\n BINMAN_PKCS11_URI PKCS#11 URI of the signing key on the HSM, e.g.\n pkcs11:token=mytoken;object=mykey;type=private\n BINMAN_PKCS11_MODULE Path to the PKCS#11 shared library (.so), e.g.\n /usr/lib/softhsm/libsofthsm2.so (optional when the\n module is already configured via openssl.cnf or\n PKCS11_MODULE_PATH)\n\nWhen BINMAN_PKCS11_URI is set, binman replaces the on-disk keyfile with\nthe URI at signing time. The PKCS11_PIN environment variable can be used\nto supply the token PIN non-interactively; it is appended as a\npin-value=<pin> query parameter to the URI.\n\nThe openssl bintool auto-detects which OpenSSL PKCS#11 interface to use:\n\n - If the pkcs11 provider is loaded (OpenSSL >= 3.1 + pkcs11-provider),\n it uses -provider default -provider pkcs11.\n - Otherwise it falls back to the legacy libp11 engine\n (-engine pkcs11 -keyform engine).\n\nDetection is done once via 'openssl list -providers' and the result is\ncached, so there is no per-signing subprocess overhead.\n\nTesting\n-------\n\nTested on a Toradex Verdin AM62 (verdin-am62_a53_defconfig) board with\nboth legacy engine path and pkcs11 provider path using SoftHSM2 and\nYubiKey 5 NFC.\n\nA subtle issue was discovered during testing: binman uses a\nThreadPoolExecutor internally (etype/section.py) and may call multiple\nObtainContents() methods concurrently even under make -j1. SoftHSM2 and\nsome real HSMs do not support simultaneous logins from different threads,\nwhich caused intermittent \"login failed\" and \"object not found\" errors\nduring multi-certificate builds. To fix it, a module-level threading.Lock\nwas used to serialise all PKCS#11 signing calls.\n\nTest coverage: btool/openssl.py and etype/x509_cert.py remain at 100%\n(verified with 'binman test -T').\n\nChanges in v3:\n- Split into two patches: bintool infrastructure (1/2) and x509_cert\n feature (2/2)\n- Fix global environment mutation: _run_cmd_pkcs11() no longer writes to\n os.environ directly; it now uses the new extra_env parameter so module\n paths are scoped to the subprocess only, which is both cleaner and safe\n under concurrent execution\n- Add module-level threading.Lock to serialise concurrent PKCS#11 signing\n calls and fix intermittent login failures caused by binman's\n ThreadPoolExecutor\n- Fix URI query string separator: use '&' when the URI already contains\n '?' (e.g. module-path already present), '?' otherwise\n- Test cases updated\n\nChanges in v2:\n- Add tests for _build_key_args() (PEM path, PKCS#11 provider, PKCS#11\n engine, PIN appending), _pkcs11_use_provider() (caching),\n _run_cmd_pkcs11() (with and without module path), and end-to-end\n x509_cert signing with a PKCS#11 URI (testX509CertPkcs11), ensuring\n btool/openssl.py and etype/x509_cert.py have 100% test coverage\n\nSergio Prado (2):\n binman: bintool: add extra_env parameter to run_cmd\n binman: x509_cert: add PKCS#11/HSM signing support\n\n Makefile | 2 +\n tools/binman/binman.rst | 18 +++++\n tools/binman/bintool.py | 15 +++-\n tools/binman/btool/openssl.py | 117 +++++++++++++++++++++++++++-----\n tools/binman/etype/x509_cert.py | 47 +++++++++++--\n tools/binman/ftest.py | 110 ++++++++++++++++++++++++++++++\n 6 files changed, 286 insertions(+), 23 deletions(-)" }