[{"id":3678701,"web_url":"http://patchwork.ozlabs.org/comment/3678701/","msgid":"<7xe72m3tkzultqh3hw4cubfognfryjk5ababajoe6w6zt7jx4c@aaxa2kehv635>","list_archive_url":null,"date":"2026-04-16T15:51:13","subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","submitter":{"id":92056,"url":"http://patchwork.ozlabs.org/api/people/92056/","name":"Franz Schnyder","email":"fra.schnyder@gmail.com"},"content":"On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:\n> Some distros are using gnutls library without pkcs11 support\n> and linking of mkeficapsule will fail. Add disable pkcs11\n> option with default set to no so distros can control this\n> feature with config option.\n> \n> Suggested-by: Tom Rini <trini@konsulko.com>\n> Cc: Franz Schnyder <fra.schnyder@gmail.com>\n> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>\n> ---\n>  tools/Kconfig        |  8 ++++++++\n>  tools/Makefile       |  3 +++\n>  tools/mkeficapsule.c | 14 ++++++++++++++\n>  3 files changed, 25 insertions(+)\n> \n> diff --git a/tools/Kconfig b/tools/Kconfig\n> index ef33295b8ecd..ccc878595d3b 100644\n> --- a/tools/Kconfig\n> +++ b/tools/Kconfig\n> @@ -114,6 +114,14 @@ config TOOLS_MKEFICAPSULE\n>  \t  optionally sign that file. If you want to enable UEFI capsule\n>  \t  update feature on your target, you certainly need this.\n>  \n> +config MKEFICAPSULE_DISABLE_PKCS11\n> +\tbool \"Disable pkcs11 support\"\n> +\tdepends on TOOLS_MKEFICAPSULE\n> +\tdefault n\n> +\thelp\n> +\t  Disable pkcs11 support. Can be used in cases when host GnuTLS\n> +\t  library doesn't support it.\n> +\n>  menuconfig FSPI_CONF_HEADER\n>  \tbool \"FlexSPI Header Configuration\"\n>  \thelp\n> diff --git a/tools/Makefile b/tools/Makefile\n> index 1a5f425ecdaa..60e84bfbf20d 100644\n> --- a/tools/Makefile\n> +++ b/tools/Makefile\n> 
@@ -271,6 +271,9 @@ mkeficapsule-objs := generated/lib/uuid.o \\\n>  \t$(LIBFDT_OBJS) \\\n>  \tmkeficapsule.o\n>  hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule\n> +ifeq ($(CONFIG_MKEFICAPSULE_DISABLE_PKCS11),y)\n> +HOSTCFLAGS_mkeficapsule.o += -DCONFIG_MKEFICAPSULE_DISABLE_PKCS11\n> +endif\n>  \n>  include tools/fwumdata_src/fwumdata.mk\n>  \n> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c\n> index ec640c57e8a5..ad1c46f0e909 100644\n> --- a/tools/mkeficapsule.c\n> +++ b/tools/mkeficapsule.c\n> @@ -229,9 +229,11 @@ static int create_auth_data(struct auth_context *ctx)\n>  \tgnutls_pkcs7_t pkcs7;\n>  \tgnutls_datum_t data;\n>  \tgnutls_datum_t signature;\n> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11\n>  \tgnutls_pkcs11_obj_t *obj_list;\n>  \tunsigned int obj_list_size = 0;\n>  \tconst char *lib;\n> +#endif\n>  \tint ret;\n>  \tbool pkcs11_cert = false;\n>  \tbool pkcs11_key = false;\n> @@ -242,6 +244,7 @@ static int create_auth_data(struct auth_context *ctx)\n>  \tif (!strncmp(ctx->key_file, \"pkcs11:\", strlen(\"pkcs11:\")))\n>  \t\tpkcs11_key = true;\n>  \n> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11\n>  \tif (pkcs11_cert || pkcs11_key) {\n>  \t\tlib = getenv(\"PKCS11_MODULE_PATH\");\n>  \t\tif (!lib) {\n> @@ -259,6 +262,7 @@ static int create_auth_data(struct auth_context *ctx)\n>  \t\t\treturn -1;\n>  \t\t}\n>  \t}\n> +#endif\n>  \n>  \tif (!pkcs11_cert) {\n>  \t\tret = read_bin_file(ctx->cert_file, &cert.data, &file_size);\n> @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)\n>  \n>  \t/* load x509 certificate */\n>  \tif (pkcs11_cert) {\n> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11\n>  \t\tret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,\n>  \t\t\t\t\t\t\t ctx->cert_file, 0);\n>  \t\tif (ret < 0 || obj_list_size == 0) {\n> 
@@ -309,6 +314,10 @@ static int create_auth_data(struct auth_context *ctx)\n>  \t\t}\n>  \n>  \t\tgnutls_x509_crt_import_pkcs11(x509, obj_list[0]);\n> +#else\n> +\t\tfprintf(stdout, \"Pkcs11 support is disabled\\n\");\n> +\t\treturn -1;\n> +#endif\n>  \t} else {\n>  \t\tret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);\n>  \t\tif (ret < 0) {\n> 
@@ -320,12 +329,17 @@ static int create_auth_data(struct auth_context *ctx)\n>  \n>  \t/* load a private key */\n>  \tif (pkcs11_key) {\n> +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11\n>  \t\tret = gnutls_privkey_import_pkcs11_url(pkey, ctx->key_file);\n>  \t\tif (ret < 0) {\n>  \t\t\tfprintf(stderr, \"error in %d: %s\\n\", __LINE__,\n>  \t\t\t\tgnutls_strerror(ret));\n>  \t\t\treturn -1;\n>  \t\t}\n> +#else\n> +\t\tfprintf(stdout, \"Pkcs11 support is disabled\\n\");\n> +\t\treturn -1;\n> +#endif\n>  \t} else {\n>  \t\tret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM,\n>  \t\t\t\t\t\t     0, 0);\n> -- \n> 2.47.3\n> \n\nHi Wojciech,\n\nShouldn't it be the other way around? Use of pkcs11 should be disabled \nby default and enabled if required. As it is now, it would still depend\non the gnutls library having pkcs11 support and therefore still \nwould break our OE builds with mainline u-boot if we don't change our\nmodules defconfig.\n\nkind regards\n\nFranz","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=gaSeUjIP;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=85.214.62.61; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=gmail.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.b=\"gaSeUjIP\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=gmail.com","phobos.denx.de;\n spf=pass 
smtp.mailfrom=fra.schnyder@gmail.com"],"Date":"Thu, 16 Apr 2026 17:51:13 +0200","From":"Franz Schnyder <fra.schnyder@gmail.com>","To":"Wojciech Dubowik <Wojciech.Dubowik@mt.com>","Cc":"u-boot@lists.denx.de, trini@konsulko.com,\n \"openembedded-core @ lists . openembedded . 
org\"\n <openembedded-core@lists.openembedded.org>,\n Francesco Dolcini <francesco@dolcini.it>","Subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","Message-ID":"<7xe72m3tkzultqh3hw4cubfognfryjk5ababajoe6w6zt7jx4c@aaxa2kehv635>","References":"<20260409074710.1322519-1-Wojciech.Dubowik@mt.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20260409074710.1322519-1-Wojciech.Dubowik@mt.com>","X-Mailman-Approved-At":"Fri, 17 Apr 2026 14:43:59 +0200","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}},{"id":3679214,"web_url":"http://patchwork.ozlabs.org/comment/3679214/","msgid":"<CAFLszTjN_MPr-RtBm4QMzcKVGU3mz7_TouvBugWOG=7CeTCb6Q@mail.gmail.com>","list_archive_url":null,"date":"2026-04-20T04:27:03","subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","submitter":{"id":6170,"url":"http://patchwork.ozlabs.org/api/people/6170/","name":"Simon Glass","email":"sjg@chromium.org"},"content":"Hi Wojciech,\n\nOn 2026-04-09T07:47:07, Wojciech Dubowik <Wojciech.Dubowik@mt.com> wrote:\n> tools: mkeficapsule: Add disable pkcs11 menu option\n>\n> Some distros are using gnutls library without pkcs11 support\n> and linking of mkeficapsule will fail. 
Add disable pkcs11\n> option with default set to no so distros can control this\n> feature with config option.\n>\n> Suggested-by: Tom Rini <trini@konsulko.com>\n> Cc: Franz Schnyder <fra.schnyder@gmail.com>\n> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>\n>\n> tools/Kconfig        |  8 ++++++++\n>  tools/Makefile       |  3 +++\n>  tools/mkeficapsule.c | 14 ++++++++++++++\n>  3 files changed, 25 insertions(+)\n\n> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c\n> @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)\n> +#else\n> +             fprintf(stdout, \"Pkcs11 support is disabled\\n\");\n> +             return -1;\n\nPlease can you use stderr here for consistency with surrounding error handling.\n\n> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c\n> 
@@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)\n\nThe cleanup code at lines 420-423 calls gnutls_pkcs11_deinit() when\npkcs11_cert || pkcs11_key is true. When\nCONFIG_MKEFICAPSULE_DISABLE_PKCS11 is defined, these can still be set\nif the user provides a \"pkcs11:\" URL, but gnutls_pkcs11_deinit() will\nnot be available. Please can you wrap that cleanup block with #ifndef\nCONFIG_MKEFICAPSULE_DISABLE_PKCS11 as well, or ensure the function\nreturns before reaching that code path.\n\nRegards,\nSimon","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256\n header.s=google header.b=CXLSP/dM;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org\n header.b=\"CXLSP/dM\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=sjg@chromium.org"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzXX1041hz1yHB\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 14:27:28 +1000 (AEST)","from h2850616.stratoserver.net (localhost 
[IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 64BCC83B99;\n\tMon, 20 Apr 2026 06:27:20 +0200 (CEST)"],"X-Received":"by 2002:a17:907:6d1b:b0:b97:ce8f:b9db 
with SMTP id\n a640c23a62f3a-ba41916eb89mr525366566b.10.1776659236297; Sun, 19 Apr 2026\n 21:27:16 -0700 (PDT)","MIME-Version":"1.0","References":"<20260409074710.1322519-1-Wojciech.Dubowik@mt.com>","In-Reply-To":"<20260409074710.1322519-1-Wojciech.Dubowik@mt.com>","From":"Simon Glass <sjg@chromium.org>","Date":"Mon, 20 Apr 2026 16:27:03 +1200","X-Gm-Features":"AQROBzACsMqcZS2W3-E4GjMmaex2eovy9tsQ2r3T9pE2VdDWVox4SslQFKpS-8A","Message-ID":"\n <CAFLszTjN_MPr-RtBm4QMzcKVGU3mz7_TouvBugWOG=7CeTCb6Q@mail.gmail.com>","Subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","To":"Wojciech.Dubowik@mt.com","Cc":"u-boot@lists.denx.de, Franz Schnyder <fra.schnyder@gmail.com>,\n trini@konsulko.com, \"openembedded-core @ lists . openembedded . org\"\n <openembedded-core@lists.openembedded.org>,\n Francesco Dolcini <francesco@dolcini.it>","Content-Type":"text/plain; charset=\"UTF-8\"","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}},{"id":3679280,"web_url":"http://patchwork.ozlabs.org/comment/3679280/","msgid":"<aeXgdkBin5uz0-OH@mt.com>","list_archive_url":null,"date":"2026-04-20T08:14:46","subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","submitter":{"id":90988,"url":"http://patchwork.ozlabs.org/api/people/90988/","name":"Wojciech 
Dubowik","email":"Wojciech.Dubowik@mt.com"},"content":"On Thu, Apr 16, 2026 at 05:51:13PM +0200, Franz Schnyder wrote:\nHello Franz,\n> On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:\n> > Some distros are using gnutls library without pkcs11 support\n> > and linking of mkeficapsule will fail. Add disable pkcs11\n> > option with default set to no so distros can control this\n> > feature with config option.\n> > \n> > Suggested-by: Tom Rini <trini@konsulko.com>\n> > Cc: Franz Schnyder <fra.schnyder@gmail.com>\n> > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>\n> > ---\n> >  tools/Kconfig        |  8 ++++++++\n> >  tools/Makefile       |  3 +++\n> >  tools/mkeficapsule.c | 14 ++++++++++++++\n> >  3 files changed, 25 insertions(+)\n> > \n> > diff --git a/tools/Kconfig b/tools/Kconfig\n> > index ef33295b8ecd..ccc878595d3b 100644\n> > --- a/tools/Kconfig\n> > +++ b/tools/Kconfig\n> > @@ -114,6 +114,14 @@ config TOOLS_MKEFICAPSULE\n> >  \t  optionally sign that file. If you want to enable UEFI capsule\n> >  \t  update feature on your target, you certainly need this.\n> >  \n> > +config MKEFICAPSULE_DISABLE_PKCS11\n> > +\tbool \"Disable pkcs11 support\"\n> > +\tdepends on TOOLS_MKEFICAPSULE\n> > +\tdefault n\n> > +\thelp\n> > +\t  Disable pkcs11 support. Can be used in cases when host GnuTLS\n> > +\t  library doesn't support it.\n> > +\n> >  menuconfig FSPI_CONF_HEADER\n> >  \tbool \"FlexSPI Header Configuration\"\n> >  \thelp\n> > diff --git a/tools/Makefile b/tools/Makefile\n> > index 1a5f425ecdaa..60e84bfbf20d 100644\n> > --- a/tools/Makefile\n> > +++ b/tools/Makefile\n> 
> @@ -271,6 +271,9 @@ mkeficapsule-objs := generated/lib/uuid.o \\\n> >  \t$(LIBFDT_OBJS) \\\n> >  \tmkeficapsule.o\n> >  hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule\n> > +ifeq ($(CONFIG_MKEFICAPSULE_DISABLE_PKCS11),y)\n> > +HOSTCFLAGS_mkeficapsule.o += -DCONFIG_MKEFICAPSULE_DISABLE_PKCS11\n> > +endif\n> >  \n> >  include tools/fwumdata_src/fwumdata.mk\n> >  \n> > diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c\n> > index ec640c57e8a5..ad1c46f0e909 100644\n> > --- a/tools/mkeficapsule.c\n> > +++ b/tools/mkeficapsule.c\n> > @@ -229,9 +229,11 @@ static int create_auth_data(struct auth_context *ctx)\n> >  \tgnutls_pkcs7_t pkcs7;\n> >  \tgnutls_datum_t data;\n> >  \tgnutls_datum_t signature;\n> > +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11\n> >  \tgnutls_pkcs11_obj_t *obj_list;\n> >  \tunsigned int obj_list_size = 0;\n> >  \tconst char *lib;\n> > +#endif\n> >  \tint ret;\n> >  \tbool pkcs11_cert = false;\n> >  \tbool pkcs11_key = false;\n> > @@ -242,6 +244,7 @@ static int create_auth_data(struct auth_context *ctx)\n> >  \tif (!strncmp(ctx->key_file, \"pkcs11:\", strlen(\"pkcs11:\")))\n> >  \t\tpkcs11_key = true;\n> >  \n> > +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11\n> >  \tif (pkcs11_cert || pkcs11_key) {\n> >  \t\tlib = getenv(\"PKCS11_MODULE_PATH\");\n> >  \t\tif (!lib) {\n> > @@ -259,6 +262,7 @@ static int create_auth_data(struct auth_context *ctx)\n> >  \t\t\treturn -1;\n> >  \t\t}\n> >  \t}\n> > +#endif\n> >  \n> >  \tif (!pkcs11_cert) {\n> >  \t\tret = read_bin_file(ctx->cert_file, &cert.data, &file_size);\n> > @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)\n> >  \n> >  \t/* load x509 certificate */\n> >  \tif (pkcs11_cert) {\n> > +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11\n> >  \t\tret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,\n> >  \t\t\t\t\t\t\t ctx->cert_file, 0);\n> >  \t\tif (ret < 0 || obj_list_size == 0) {\n> 
> @@ -309,6 +314,10 @@ static int create_auth_data(struct auth_context *ctx)\n> >  \t\t}\n> >  \n> >  \t\tgnutls_x509_crt_import_pkcs11(x509, obj_list[0]);\n> > +#else\n> > +\t\tfprintf(stdout, \"Pkcs11 support is disabled\\n\");\n> > +\t\treturn -1;\n> > +#endif\n> >  \t} else {\n> >  \t\tret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);\n> >  \t\tif (ret < 0) {\n> 
> @@ -320,12 +329,17 @@ static int create_auth_data(struct auth_context *ctx)\n> >  \n> >  \t/* load a private key */\n> >  \tif (pkcs11_key) {\n> > +#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11\n> >  \t\tret = gnutls_privkey_import_pkcs11_url(pkey, ctx->key_file);\n> >  \t\tif (ret < 0) {\n> >  \t\t\tfprintf(stderr, \"error in %d: %s\\n\", __LINE__,\n> >  \t\t\t\tgnutls_strerror(ret));\n> >  \t\t\treturn -1;\n> >  \t\t}\n> > +#else\n> > +\t\tfprintf(stdout, \"Pkcs11 support is disabled\\n\");\n> > +\t\treturn -1;\n> > +#endif\n> >  \t} else {\n> >  \t\tret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM,\n> >  \t\t\t\t\t\t     0, 0);\n> > -- \n> > 2.47.3\n> > \n> \n> Hi Wojciech,\n> \n> Shouldn't it be the other way around? Use of pkcs11 should be disabled \n> by default and enabled if required. As it is now, it would still depend\n> on the gnutls library having pkcs11 support and therefore still \n> would break our OE builds with mainline u-boot if we don't change our\n> modules defconfig.\n\nAs far as I understand, gnutls is built by default with pkcs11 support. So for\nmost of the distribution it should be ok. 
Security by default.\nI don't have any strong opinion for this but default enabled has been suggested\nby the maintainer.\n\nRegards,\nWojtek\n\n> \n> kind regards\n> \n> Franz","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=mt.com header.i=@mt.com header.a=rsa-sha256\n header.s=selector2 header.b=mt1O6g0u;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=mt.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=mt.com header.i=@mt.com header.b=\"mt1O6g0u\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=mt.com","phobos.denx.de;\n spf=fail smtp.mailfrom=Wojciech.Dubowik@mt.com","dkim=none (message not signed)\n header.d=none;dmarc=none action=none header.from=mt.com;"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzdZg2ZrSz1yGs\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 18:15:06 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 0C13D839D5;\n\tMon, 20 Apr 2026 10:15:03 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 1A3A283E16; Mon, 20 Apr 2026 10:15:01 +0200 (CEST)","from MRWPR03CU001.outbound.protection.outlook.com\n 
(mail-francesouthazlp170110003.outbound.protection.outlook.com\n [IPv6:2a01:111:f403:c207::3])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 8888E83693\n for <u-boot@lists.denx.de>; Mon, 20 Apr 2026 10:14:58 +0200 (CEST)"],"Date":"Mon, 20 Apr 2026 10:14:46 +0200","From":"Wojciech Dubowik <Wojciech.Dubowik@mt.com>","To":"Franz Schnyder <fra.schnyder@gmail.com>","Cc":"u-boot@lists.denx.de, trini@konsulko.com,\n \"openembedded-core @ lists . openembedded . org\"\n <openembedded-core@lists.openembedded.org>,\n Francesco Dolcini <francesco@dolcini.it>","Subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","Message-ID":"<aeXgdkBin5uz0-OH@mt.com>","References":"<20260409074710.1322519-1-Wojciech.Dubowik@mt.com>\n <7xe72m3tkzultqh3hw4cubfognfryjk5ababajoe6w6zt7jx4c@aaxa2kehv635>","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<7xe72m3tkzultqh3hw4cubfognfryjk5ababajoe6w6zt7jx4c@aaxa2kehv635>","MIME-Version":"1.0","X-Forefront-Antispam-Report":"CIP:255.255.255.255; CTRY:; LANG:en; 
SCL:1; SRV:;\n IPV:NLI; SFV:NSPM; H:DB9PR03MB7180.eurprd03.prod.outlook.com; PTR:; CAT:NONE;\n SFS:(13230040)(366016)(1800799024)(376014)(52116014)(19092799006)(38350700014)(56012099003)(22082099003)(18002099003);\n DIR:OUT; SFP:1101;","X-MS-Exchange-AntiSpam-MessageData-ChunkCount":"1","X-MS-Exchange-AntiSpam-MessageData-0":"\n zhiJB9cNtMrWcS+uA7FXohTBoPJvVug9owpnhm9lvYSZJtb3uhbK2bxPu7r0KmwEqytm0v6dBNx9XncNvALtuIz/mJBNavFDP55grh/5wXRENITvKAAnv9Cz6M4mDXjH2kNdtqizZAg6B3ZtFz+7ZA4lLaXHfvrpp2merZCMCb2IyiGw3sf+Suhule6HEDlhXqXxy9nQ8+Ywq8bNaMdYbXHOdHBfdH+5//UQn9LsZAfof2PClMVmhtKvzG/ij/LttwACt3McxTUsR7/H28lDOcCHgkhUlFIwH6flNq2Xhgt+SGvz8XlTScWsNuyg6+53X1TOVVm7Wc24ol5fXGmT4PY54TvlhE0chXr6DOkrh4A9Q+4evoR42GspD9efh2Oi70BRtLy62RT+NYghPc84auGpCoW8tNQhSyzZ0OTuv1uO/OQ/YCeGn8gXS+oGOBNhSDAMxc8f6YJdUQ4FgSs4eenraYMtbrk/XV0lW/bx2jIxd2uHLlkOD5ASUBA4x16TzE3Kjil+o0wwNo3xboG4VPbs+VMR8PvRlHZEvh5HeAdRdnclplmni25JpIL62xh9twXzyiFEtHoqAViYE9Cu4wRj9gRl/I16GeYHOQ6+oaZGlTudFa69ry2CcjJXvlMl0Wmu/CKgwIfsPe4z2+kcPpo7M2zLFKSxOuyEPytd4KTMJ7tH34hQ5MGmqe71jDZPKi6lVplVXm+E/qdhDJ5w4t9z6BtJlKk7Fxn42WLS7Ps8c2PR2fbCBL0Vdq2oPHtE3ThlkmqVIewn5f7QLUJUZvW6mtBAQk5q6lAmglSTLFDLF6aldjA70ZhdlgOhews8TIUT9ynHz/7FvNK3S/a2wZZofs29qERuazlb68zSg39N7iLNotgibHG3nwnVA9aF6yo+4jVtYcsvgx14DlnmR9ZHUA/+ckWJdAaAhZ4EJwNlSbP1P7SRw5tG7wIMlEzBzXEHJrDhfxLP48ZCiZHP36UjEFQxjC4X/iitilh2ZUAdTi5usmRfoXj28Eaauj1pK3ta0Ycg29vPW+AAnGC1Zwce9SpjyY9nFGVyadmn+TYJWkJxcKTL0X/YG8GGknHXAL3zm8C8/3CeOflQwdHpvipS2FIwG102q39ZFP3TCUj975spOcfuc0g5/RD19wDXEarDP70lQJHH0GJtTtkhYgIGgH3Z9f4GkeCk95yc9ocueBhyG/mpNSY8CQmzI+RsBpppmkZDjFq5h6550hh4pikYm7C6g3GgUF1UGhabJkY1q9G7KEBXQ1NmjmwHk4JbAIBGQU2KgvruJac4TDcufky5ozYvwFKW/dXgM5n03b2f6wCojL2sgib/r1+1T40v0ZVzsY2FSstXxEZPZNlHBeJhFldvD5mRIlr6snss4gtlLu7QGrbCIz1/BWMTXxpTk6VnmPyy8c4FaHdGCFOavBsWtyVkP3/qF80es94dsX5wvn8irTIn+/3lkTZ4EaQUaQoLBREHOKzUQegctbRD+je9epwQE6CPYklMMPVX8YHzwivuz6vXrn/JeeVDkMENaoP8qruB/1f2U8EaDfQ0jHlc7zmqXFo/lnTce0X7QDxq4wAfo81TP0+CRotHX6gCOPCQmTKvwQHmmvNmB7uZ0sEelDTuW4BeVRHxRB3UdffPe9l5Wynaa5c6J+lL+3ueNG1HV
zgAMnUJ7Eqp4K+pOhLdpNZ+IyLE7+2sxN1ey4kbdEd9SKtbsTR06wPHS4/J2TZQeDcIFo/GaFeURH78wA==","X-OriginatorOrg":"mt.com","X-MS-Exchange-CrossTenant-Network-Message-Id":"\n c7fa49e5-de61-4411-b810-08de9eb4e78d","X-MS-Exchange-CrossTenant-AuthSource":"DB9PR03MB7180.eurprd03.prod.outlook.com","X-MS-Exchange-CrossTenant-AuthAs":"Internal","X-MS-Exchange-CrossTenant-OriginalArrivalTime":"20 Apr 2026 08:14:55.2544 (UTC)","X-MS-Exchange-CrossTenant-FromEntityHeader":"Hosted","X-MS-Exchange-CrossTenant-Id":"fb4c0aee-6cd2-482f-a1a5-717e7c02496b","X-MS-Exchange-CrossTenant-MailboxType":"HOSTED","X-MS-Exchange-CrossTenant-UserPrincipalName":"\n hwdsgJ78H/eFBhcCYrKREOQ2SgJua45+nuTgYpjmRPfL5LXMhAi9dDMj7B2a3aC4zPlKGOgdT+J2CN7fNNE1rg==","X-MS-Exchange-Transport-CrossTenantHeadersStamped":"DU4PR03MB10744","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}},{"id":3679282,"web_url":"http://patchwork.ozlabs.org/comment/3679282/","msgid":"<aeXhEqRP0GOa5WUh@mt.com>","list_archive_url":null,"date":"2026-04-20T08:17:22","subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","submitter":{"id":90988,"url":"http://patchwork.ozlabs.org/api/people/90988/","name":"Wojciech Dubowik","email":"Wojciech.Dubowik@mt.com"},"content":"On Mon, Apr 20, 2026 at 04:27:03PM +1200, Simon Glass wrote:\nHello Simon,\n\n> Hi 
Wojciech,\n> \n> On 2026-04-09T07:47:07, Wojciech Dubowik <Wojciech.Dubowik@mt.com> wrote:\n> > tools: mkeficapsule: Add disable pkcs11 menu option\n> >\n> > Some distros are using gnutls library without pkcs11 support\n> > and linking of mkeficapsule will fail. Add disable pkcs11\n> > option with default set to no so distros can control this\n> > feature with config option.\n> >\n> > Suggested-by: Tom Rini <trini@konsulko.com>\n> > Cc: Franz Schnyder <fra.schnyder@gmail.com>\n> > Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>\n> >\n> > tools/Kconfig        |  8 ++++++++\n> >  tools/Makefile       |  3 +++\n> >  tools/mkeficapsule.c | 14 ++++++++++++++\n> >  3 files changed, 25 insertions(+)\n> \n> > diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c\n> > @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)\n> > +#else\n> > +             fprintf(stdout, \"Pkcs11 support is disabled\\n\");\n> > +             return -1;\n> \n> Please can you use stderr here for consistency with surrounding error handling.\n> \n> > diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c\n> 
> @@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)\n> \n> The cleanup code at lines 420-423 calls gnutls_pkcs11_deinit() when\n> pkcs11_cert || pkcs11_key is true. When\n> CONFIG_MKEFICAPSULE_DISABLE_PKCS11 is defined, these can still be set\n> if the user provides a \"pkcs11:\" URL, but gnutls_pkcs11_deinit() will\n> not be available. Please can you wrap that cleanup block with #ifndef\n> CONFIG_MKEFICAPSULE_DISABLE_PKCS11 as well, or ensure the function\n> returns before reaching that code path.\n\nWill do it and send V2.\n\nRegards,\nWojtek\n\n> \n> Regards,\n> Simon","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=mt.com header.i=@mt.com header.a=rsa-sha256\n header.s=selector2 header.b=QUt+1fzN;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=mt.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=mt.com header.i=@mt.com header.b=\"QUt+1fzN\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=mt.com","phobos.denx.de;\n spf=fail smtp.mailfrom=Wojciech.Dubowik@mt.com","dkim=none (message not signed)\n header.d=none;dmarc=none action=none header.from=mt.com;"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 
4fzddb6f43z1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 18:17:39 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 4FAE8839D5;\n\tMon, 20 Apr 2026 10:17:31 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 86D0B83693; Mon, 20 Apr 2026 10:17:29 +0200 (CEST)","from AM0PR02CU008.outbound.protection.outlook.com\n (mail-westeuropeazlp170130006.outbound.protection.outlook.com\n [IPv6:2a01:111:f403:c201::6])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 5327F83693\n for <u-boot@lists.denx.de>; Mon, 20 Apr 2026 10:17:27 +0200 (CEST)","from DB9PR03MB7180.eurprd03.prod.outlook.com (2603:10a6:10:22d::13)\n by AM7PR03MB6545.eurprd03.prod.outlook.com (2603:10a6:20b:1bd::22)\n with Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9818.32; Mon, 20 Apr\n 2026 08:17:25 +0000","from DB9PR03MB7180.eurprd03.prod.outlook.com\n ([fe80::6fd2:12a9:4423:8ddc]) by DB9PR03MB7180.eurprd03.prod.outlook.com\n ([fe80::6fd2:12a9:4423:8ddc%6]) with mapi id 15.20.9818.032; Mon, 20 Apr 2026\n 08:17:24 +0000"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2","ARC-Authentication-Results":"i=1; mx.microsoft.com 1; spf=pass\n smtp.mailfrom=mt.com; dmarc=pass action=none header.from=mt.com; dkim=pass\n header.d=mt.com; arc=none","Date":"Mon, 20 Apr 2026 10:17:22 +0200","From":"Wojciech Dubowik <Wojciech.Dubowik@mt.com>","To":"Simon Glass <sjg@chromium.org>","Cc":"u-boot@lists.denx.de, Franz Schnyder <fra.schnyder@gmail.com>,\n trini@konsulko.com, \"openembedded-core @ lists . openembedded . org\"\n <openembedded-core@lists.openembedded.org>,\n Francesco Dolcini <francesco@dolcini.it>","Subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","Message-ID":"<aeXhEqRP0GOa5WUh@mt.com>","References":"<20260409074710.1322519-1-Wojciech.Dubowik@mt.com>\n <CAFLszTjN_MPr-RtBm4QMzcKVGU3mz7_TouvBugWOG=7CeTCb6Q@mail.gmail.com>","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"\n <CAFLszTjN_MPr-RtBm4QMzcKVGU3mz7_TouvBugWOG=7CeTCb6Q@mail.gmail.com>","MIME-Version":"1.0","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}},{"id":3679295,"web_url":"http://patchwork.ozlabs.org/comment/3679295/","msgid":"<20260420085001.GA47182@francesco-nb>","list_archive_url":null,"date":"2026-04-20T08:50:16","subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","submitter":{"id":84779,"url":"http://patchwork.ozlabs.org/api/people/84779/","name":"Francesco Dolcini","email":"francesco@dolcini.it"},"content":"+ Paul Barker\n\nHello all,\n\nOn Mon, Apr 20, 2026 at 10:14:46AM +0200, 
Wojciech Dubowik wrote:\n> On Thu, Apr 16, 2026 at 05:51:13PM +0200, Franz Schnyder wrote:\n> > On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:\n> > > Some distros are using gnutls library without pkcs11 support\n> > > and linking of mkeficapsule will fail. Add disable pkcs11\n> > > option with default set to no so distros can control this\n> > > feature with config option.\n> > Shouldn't it be the other way around? Use of pkcs11 should be disabled \n> > by default and enabled if required. As it is now, it would still depend\n> > on the gnutls library having pkcs11 support and therefore still \n> > would break our OE builds with mainline u-boot if we don't change our\n> > modules defconfig.\n> \n> As far as I understand, gnutls is built by default with pkcs11 support. So for\n> most of the distribution it should be ok. Security by default.\n> I don't have any strong opinion for this but default enabled has been suggested\n> by the maintainer.\n\nWe are in the very unfortunate situation in which we are not able to run\nany test at the moment in our CI and automated test infrastructure (not\nin U-Boot, not in OE), and the reason is that we have pkcs11 enabled in\nU-Boot, and OE core is not picking up the patch to enable it [1].\n\nAny advice to have a way forward?\n\nFrancesco\n\n[1] https://lore.kernel.org/all/20260408130553.819420-1-fra.schnyder@gmail.com/","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=dolcini.it header.i=@dolcini.it header.a=rsa-sha256\n header.s=default header.b=jQQTq2S6;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; 
receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=dolcini.it","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=dolcini.it header.i=@dolcini.it header.b=\"jQQTq2S6\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=dolcini.it","phobos.denx.de;\n spf=pass smtp.mailfrom=francesco@dolcini.it"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzfMX6Mpfz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 18:50:32 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id DFA02842D2;\n\tMon, 20 Apr 2026 10:50:24 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 8360A842E0; Mon, 20 Apr 2026 10:50:23 +0200 (CEST)","from mail11.truemail.it (mail11.truemail.it [217.194.8.81])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 1AFFA842B7\n for <u-boot@lists.denx.de>; Mon, 20 Apr 2026 10:50:21 +0200 (CEST)","from francesco-nb (xcpe-178-82-120-96.dyn.res.sunrise.net\n [178.82.120.96])\n by mail11.truemail.it (Postfix) with ESMTPA id 1D0D51F951;\n Mon, 20 Apr 2026 10:50:20 +0200 (CEST)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2","Date":"Mon, 20 Apr 2026 10:50:16 +0200","From":"Francesco Dolcini <francesco@dolcini.it>","To":"Wojciech Dubowik <Wojciech.Dubowik@mt.com>, trini@konsulko.com,\n openembedded-core@lists.openembedded.org, Paul Barker <paul@pbarker.dev>","Cc":"Franz Schnyder <fra.schnyder@gmail.com>, u-boot@lists.denx.de,\n Francesco Dolcini <francesco@dolcini.it>","Subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","Message-ID":"<20260420085001.GA47182@francesco-nb>","References":"<20260409074710.1322519-1-Wojciech.Dubowik@mt.com>\n <7xe72m3tkzultqh3hw4cubfognfryjk5ababajoe6w6zt7jx4c@aaxa2kehv635>\n <aeXgdkBin5uz0-OH@mt.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<aeXgdkBin5uz0-OH@mt.com>","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at 
phobos.denx.de","X-Virus-Status":"Clean"}},{"id":3679788,"web_url":"http://patchwork.ozlabs.org/comment/3679788/","msgid":"<e87d67ec12516ae9c62b1d7b19797ff0ec131b36.camel@pbarker.dev>","list_archive_url":null,"date":"2026-04-21T10:07:21","subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","submitter":{"id":90937,"url":"http://patchwork.ozlabs.org/api/people/90937/","name":"Paul Barker","email":"paul@pbarker.dev"},"content":"On Mon, 2026-04-20 at 10:50 +0200, Francesco Dolcini wrote:\n> + Paul Barker\n> \n> Hello all,\n> \n> On Mon, Apr 20, 2026 at 10:14:46AM +0200, Wojciech Dubowik wrote:\n> > On Thu, Apr 16, 2026 at 05:51:13PM +0200, Franz Schnyder wrote:\n> > > On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:\n> > > > Some distros are using gnutls library without pkcs11 support\n> > > > and linking of mkeficapsule will fail. Add disable pkcs11\n> > > > option with default set to no so distros can control this\n> > > > feature with config option.\n> > > Shouldn't it be the other way around? Use of pkcs11 should be disabled \n> > > by default and enabled if required. As it is now, it would still depend\n> > > on the gnutls library having pkcs11 support and therefore still \n> > > would break our OE builds with mainline u-boot if we don't change our\n> > > modules defconfig.\n> > \n> > As far as I understand, gnutls is built by default with pkcs11 support. So for\n> > most of the distribution it should be ok. 
Security by default.\n> > I don't have any strong opinion for this but default enabled has been suggested\n> > by the maintainer.\n> \n> We are in the very unfortunate situation in which we are not able to run\n> any test at the moment in our CI and automated test infrastructure (not\n> in U-Boot, not in OE), and the reason is that we have pkcs11 enabled in\n> U-Boot, and OE core is not picking up the patch to enable it [1].\n> \n> Any advice to have a way forward?\n> \n> Francesco\n> \n> [1] https://lore.kernel.org/all/20260408130553.819420-1-fra.schnyder@gmail.com/\n\nHi Francesco,\n\nWhich versions of U-Boot and openembedded-core are you trying to build?\n\nThanks,","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=pbarker.dev header.i=@pbarker.dev header.a=rsa-sha256\n header.s=fm1 header.b=TpQoPXlP;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=messagingengine.com header.i=@messagingengine.com\n header.a=rsa-sha256 header.s=fm2 header.b=TvgZE3+w;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=none (p=none dis=none) header.from=pbarker.dev","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=pbarker.dev header.i=@pbarker.dev header.b=\"TpQoPXlP\";\n\tdkim=pass (2048-bit key;\n unprotected) header.d=messagingengine.com header.i=@messagingengine.com\n header.b=\"TvgZE3+w\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=none (p=none dis=none) header.from=pbarker.dev","phobos.denx.de;\n spf=pass 
smtp.mailfrom=paul@pbarker.dev"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0J1y6W5Hz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 20:07:34 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 01233843C0;\n\tTue, 21 Apr 2026 12:07:32 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 21B16843D0; Tue, 21 Apr 2026 12:07:30 +0200 (CEST)","from fhigh-a3-smtp.messagingengine.com\n (fhigh-a3-smtp.messagingengine.com [103.168.172.154])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 040B78439E\n for <u-boot@lists.denx.de>; Tue, 21 Apr 2026 12:07:26 +0200 (CEST)","from phl-compute-02.internal (phl-compute-02.internal [10.202.2.42])\n by mailfhigh.phl.internal (Postfix) with ESMTP id C377D140006D;\n Tue, 21 Apr 2026 06:07:25 -0400 (EDT)","from phl-frontend-03 ([10.202.2.162])\n by phl-compute-02.internal (MEProxy); Tue, 21 Apr 2026 06:07:25 -0400","by mail.messagingengine.com (Postfix) with ESMTPA; Tue,\n 21 Apr 2026 06:07:24 -0400 (EDT)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2","Feedback-ID":"i51494658:Fastmail","Message-ID":"<e87d67ec12516ae9c62b1d7b19797ff0ec131b36.camel@pbarker.dev>","Subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","From":"Paul Barker <paul@pbarker.dev>","To":"Francesco Dolcini <francesco@dolcini.it>, Wojciech Dubowik\n <Wojciech.Dubowik@mt.com>, trini@konsulko.com,\n openembedded-core@lists.openembedded.org","Cc":"Franz Schnyder <fra.schnyder@gmail.com>, u-boot@lists.denx.de","Date":"Tue, 21 Apr 2026 11:07:21 +0100","In-Reply-To":"<20260420085001.GA47182@francesco-nb>","References":"<20260409074710.1322519-1-Wojciech.Dubowik@mt.com>\n <7xe72m3tkzultqh3hw4cubfognfryjk5ababajoe6w6zt7jx4c@aaxa2kehv635>\n <aeXgdkBin5uz0-OH@mt.com> <20260420085001.GA47182@francesco-nb>","Autocrypt":"addr=paul@pbarker.dev; prefer-encrypt=mutual;\n keydata=
juR37zeqv72puYyOteVYJsJaw999HUmhXc/X/J9FQFw8twxPKDLLu+w8MqDo9bhllzR93Zy/OShuG\n yGybcX3DKO2R+AQ90tXLbxKmHLtrnG/zyDPhLv/LGD480v5hEoT+IS0u9wPD2vP5q36a5DtzqXA/7\n t9PCamLoCvZLleg7GY7QbUGF1bCBCYXJrZXIgPHBhdWxAcGJya3IudWs+iQJeBDABCgBIFiEEmLKq\n wQCsP4K7XVRndJdcgbfma6wFAmlqDRwqHSBwYnJrci51ayBkb21haW4gd2lsbCBiZSBhbGxvd2VkI\n HRvIGxhcHNlAAoJEHSXXIG35muspk0P/1G08N6zGSdw2p8+8f/1HhaYEb9KdQHT1JmQfZUrIHIpD2\n ELNb91Z6Pz197d/igGpox1dzYOwE0WolWo44ZHX2yw+p9V+HJAUKRe0SPc1iNLkTzaAZ7oYJ1DnFh\n aaqZi4VtKKabKeorJjcDvl2apMwT0agRuDklU97n++ZUuXIEo1Z9uRqEvXz0iTSY7wPxwfoVOQsgf\n dN1cBLd9OpoOtJRdDJzQUYqjNoQi+5M6KRfBxPLZkmYb4uCGlp1H4AV50eC61j84LBg1ItvU2u+Fx\n X2JB7lHTswubprD2ZsSwp1VziU6pUj3vtslMWKpBGslpLtnaO561dihGyElayMd4VFg7VR/TsglJv\n A10EDs2DMhoYPfRQWvwlr5+jPP6s9H8KSTCGFvQt438rP/gk0lcEZUJK0iE2/yq5gQfaCNI5FLN7C\n q8LVr00oS4doXfmFFxMq6z1rs5SXZorWssjG7v5DILnPxLqYloQK/ebM5Ixbzm0Lq/8vWL7sw7yOH\n JVYCHCApGzKNii6rYyHdi0K8UwvpD++GCWLyvbgP/H3l5FqL63gAN0Rw1CO5r22+SmG7aOmekJH3N\n ChZPI3NMLnKZPJC8ZQZ4S8yb5oA3rqTA2DMODvsrEVlaB2cQ6IWHSa/mvBwA8Ias3771cp4fZS7W7\n LUewj8JVy0aJsGTwI4invl","Content-Type":"multipart/signed; micalg=\"pgp-sha512\";\n protocol=\"application/pgp-signature\"; boundary=\"=-FSIrMXyddQJwQz8lGCqU\"","User-Agent":"Evolution 3.52.3-0ubuntu1.1 ","MIME-Version":"1.0","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at 
phobos.denx.de","X-Virus-Status":"Clean"}},{"id":3679795,"web_url":"http://patchwork.ozlabs.org/comment/3679795/","msgid":"<20260421101655.GD23508@francesco-nb>","list_archive_url":null,"date":"2026-04-21T10:16:55","subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","submitter":{"id":84779,"url":"http://patchwork.ozlabs.org/api/people/84779/","name":"Francesco Dolcini","email":"francesco@dolcini.it"},"content":"On Tue, Apr 21, 2026 at 11:07:21AM +0100, Paul Barker wrote:\n> On Mon, 2026-04-20 at 10:50 +0200, Francesco Dolcini wrote:\n> > + Paul Barker\n> > \n> > Hello all,\n> > \n> > On Mon, Apr 20, 2026 at 10:14:46AM +0200, Wojciech Dubowik wrote:\n> > > On Thu, Apr 16, 2026 at 05:51:13PM +0200, Franz Schnyder wrote:\n> > > > On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:\n> > > > > Some distros are using gnutls library without pkcs11 support\n> > > > > and linking of mkeficapsule will fail. Add disable pkcs11\n> > > > > option with default set to no so distros can control this\n> > > > > feature with config option.\n> > > > Shouldn't it be the other way around? Use of pkcs11 should be disabled \n> > > > by default and enabled if required. As it is now, it would still depend\n> > > > on the gnutls library having pkcs11 support and therefore still \n> > > > would break our OE builds with mainline u-boot if we don't change our\n> > > > modules defconfig.\n> > > \n> > > As far as I understand, gnutls is built by default with pkcs11 support. So for\n> > > most of the distribution it should be ok. 
Security by default.\n> > > I don't have any strong opinion for this but default enabled has been suggested\n> > > by the maintainer.\n> > \n> > We are in the very unfortunate situation in which we are not able to run\n> > any test at the moment in our CI and automated test infrastructure (not\n> > in U-Boot, not in OE), and the reason is that we have pkcs11 enabled in\n> > U-Boot, and OE core is not picking up the patch to enable it [1].\n> > \n> > Any advice to have a way forward?\n> > \n> > Francesco\n> > \n> > [1] https://lore.kernel.org/all/20260408130553.819420-1-fra.schnyder@gmail.com/\n> \n> Which versions of U-Boot and openembedded-core are you trying to build?\n\nU-Boot master + openembedded-core master.\n\nFrancesco","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=dolcini.it header.i=@dolcini.it header.a=rsa-sha256\n header.s=default header.b=UKrg31Jr;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=dolcini.it","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=dolcini.it header.i=@dolcini.it header.b=\"UKrg31Jr\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=dolcini.it","phobos.denx.de;\n spf=pass smtp.mailfrom=francesco@dolcini.it"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate 
requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0JDw5svHz1yJG\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 20:17:04 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id D443E843C0;\n\tTue, 21 Apr 2026 12:17:00 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 09E2E8447F; Tue, 21 Apr 2026 12:17:00 +0200 (CEST)","from mail11.truemail.it (mail11.truemail.it [217.194.8.81])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id A911D8439E\n for <u-boot@lists.denx.de>; Tue, 21 Apr 2026 12:16:57 +0200 (CEST)","from francesco-nb\n (248.201.173.83.static.wline.lns.sme.cust.swisscom.ch [83.173.201.248])\n by mail11.truemail.it (Postfix) with ESMTPA id 7A86F22206;\n Tue, 21 Apr 2026 12:16:56 +0200 (CEST)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=dolcini.it;\n s=default; t=1776766616;\n h=From:To:Subject;","Date":"Tue, 21 Apr 2026 12:16:55 +0200","From":"Francesco Dolcini <francesco@dolcini.it>","To":"Paul Barker <paul@pbarker.dev>","Cc":"Francesco Dolcini <francesco@dolcini.it>,\n Wojciech Dubowik <Wojciech.Dubowik@mt.com>, trini@konsulko.com,\n 
openembedded-core@lists.openembedded.org,\n Franz Schnyder <fra.schnyder@gmail.com>, u-boot@lists.denx.de","Subject":"Re: [PATCH] tools: mkeficapsule: Add disable pkcs11 menu option","Message-ID":"<20260421101655.GD23508@francesco-nb>","References":"<20260409074710.1322519-1-Wojciech.Dubowik@mt.com>\n <7xe72m3tkzultqh3hw4cubfognfryjk5ababajoe6w6zt7jx4c@aaxa2kehv635>\n <aeXgdkBin5uz0-OH@mt.com> <20260420085001.GA47182@francesco-nb>\n <e87d67ec12516ae9c62b1d7b19797ff0ec131b36.camel@pbarker.dev>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<e87d67ec12516ae9c62b1d7b19797ff0ec131b36.camel@pbarker.dev>","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}},{"id":3679797,"web_url":"http://patchwork.ozlabs.org/comment/3679797/","msgid":"<e84195de-bbf6-4c3b-843b-87d83f4950fe@cherry.de>","list_archive_url":null,"date":"2026-04-21T10:22:02","subject":"Re: [OE-core] [PATCH] tools: mkeficapsule: Add disable pkcs11 menu\n option","submitter":{"id":88462,"url":"http://patchwork.ozlabs.org/api/people/88462/","name":"Quentin Schulz","email":"quentin.schulz@cherry.de"},"content":"On 4/21/26 12:16 PM, Francesco Dolcini via lists.openembedded.org wrote:\n> On Tue, Apr 21, 2026 at 11:07:21AM +0100, Paul Barker wrote:\n>> On Mon, 2026-04-20 at 10:50 +0200, Francesco Dolcini wrote:\n>>> + Paul Barker\n>>>\n>>> Hello all,\n>>>\n>>> On Mon, Apr 20, 2026 at 10:14:46AM +0200, Wojciech Dubowik wrote:\n>>>> On Thu, Apr 16, 2026 at 05:51:13PM +0200, Franz Schnyder wrote:\n>>>>> On Thu, Apr 09, 2026 at 09:47:07AM +0200, Wojciech Dubowik wrote:\n>>>>>> Some distros are using gnutls library without pkcs11 support\n>>>>>> and linking of mkeficapsule will fail. Add disable pkcs11\n>>>>>> option with default set to no so distros can control this\n>>>>>> feature with config option.\n>>>>> Shouldn't it be the other way around? Use of pkcs11 should be disabled\n>>>>> by default and enabled if required. As it is now, it would still depend\n>>>>> on the gnutls library having pkcs11 support and therefore still\n>>>>> would break our OE builds with mainline u-boot if we don't change our\n>>>>> modules defconfig.\n>>>>\n>>>> As far as I understand, gnutls is built by default with pkcs11 support. So for\n>>>> most of the distribution it should be ok. 
Security by default.\n>>>> I don't have any strong opinion for this but default enabled has been suggested\n>>>> by the maintainer.\n>>>\n>>> We are in the very unfortunate situation in which we are not able to run\n>>> any test at the moment in our CI and automated test infrastructure (not\n>>> in U-Boot, not in OE), and the reason is that we have pkcs11 enabled in\n>>> U-Boot, and OE core is not picking up the patch to enable it [1].\n>>>\n>>> Any advice to have a way forward?\n>>>\n>>> Francesco\n>>>\n>>> [1] https://lore.kernel.org/all/20260408130553.819420-1-fra.schnyder@gmail.com/\n>>\n>> Which versions of U-Boot and openembedded-core are you trying to build?\n> \n> U-Boot master + openembedded-core master.\n> \n\nI'm assuming something along the lines of:\n\nyour-layer/recipes-support/gnutls/gnutls_3.8.12.bbappend\n\nPACKAGECONFIG:append:class-native = \" p11-kit\"\n\nuntil the patch gets picked up in OE-Core. Even if we fix this in \nU-Boot, enabling pkcs11 support in U-Boot (a target recipe) would \nrequire enabling pkcs11 support in gnutls-native according to the patch \nsent by Franz to the OE ML. This kind of dependency is pretty bad as you \ngenerally do not want to have to modify a native recipe for a specific \ntarget machine or configuration. 
So, I think OE should take that patch.\n\nCheers,\nQuentin","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=cherry.de header.i=@cherry.de header.a=rsa-sha256\n header.s=selector1 header.b=T/qD/wX4;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=quarantine dis=none) header.from=cherry.de","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=cherry.de header.i=@cherry.de header.b=\"T/qD/wX4\";\n\tdkim-atps=neutral","phobos.denx.de; dmarc=pass (p=quarantine dis=none)\n header.from=cherry.de","phobos.denx.de;\n spf=pass smtp.mailfrom=quentin.schulz@cherry.de","dkim=none (message not signed)\n header.d=none;dmarc=none action=none header.from=cherry.de;"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0JLz4mJDz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 20:22:19 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 86D5383C51;\n\tTue, 21 Apr 2026 12:22:11 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 496F7843D0; Tue, 21 Apr 2026 12:22:10 +0200 (CEST)","from DUZPR83CU001.outbound.protection.outlook.com\n 
(mail-northeuropeazlp170120005.outbound.protection.outlook.com\n [IPv6:2a01:111:f403:c200::5])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id BF8E28439E\n for <u-boot@lists.denx.de>; Tue, 21 Apr 2026 12:22:06 +0200 (CEST)","from DBBPR04MB7737.eurprd04.prod.outlook.com (2603:10a6:10:1e5::22)\n by FRWPR04MB11222.eurprd04.prod.outlook.com (2603:10a6:d10:171::13)\n with Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9818.33; Tue, 21 Apr\n 2026 10:22:04 +0000","from DBBPR04MB7737.eurprd04.prod.outlook.com\n ([fe80::5960:fb4b:9313:2b00]) by DBBPR04MB7737.eurprd04.prod.outlook.com\n ([fe80::5960:fb4b:9313:2b00%4]) with mapi id 15.20.9818.033; Tue, 21 Apr 2026\n 10:22:03 +0000"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;\n s=arcselector10001;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;","ARC-Authentication-Results":"i=1; mx.microsoft.com 1; spf=pass\n smtp.mailfrom=cherry.de; dmarc=pass action=none header.from=cherry.de;\n dkim=pass header.d=cherry.de; arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=cherry.de;\n s=selector1;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;","Message-ID":"<e84195de-bbf6-4c3b-843b-87d83f4950fe@cherry.de>","Date":"Tue, 21 Apr 2026 12:22:02 +0200","User-Agent":"Mozilla Thunderbird","Subject":"Re: [OE-core] [PATCH] tools: mkeficapsule: Add disable pkcs11 menu\n option","To":"francesco@dolcini.it, Paul Barker <paul@pbarker.dev>","Cc":"Wojciech Dubowik <Wojciech.Dubowik@mt.com>, trini@konsulko.com,\n openembedded-core@lists.openembedded.org,\n Franz Schnyder <fra.schnyder@gmail.com>, u-boot@lists.denx.de","References":"<20260409074710.1322519-1-Wojciech.Dubowik@mt.com>\n <7xe72m3tkzultqh3hw4cubfognfryjk5ababajoe6w6zt7jx4c@aaxa2kehv635>\n <aeXgdkBin5uz0-OH@mt.com> <20260420085001.GA47182@francesco-nb>\n <e87d67ec12516ae9c62b1d7b19797ff0ec131b36.camel@pbarker.dev>\n <20260421101655.GD23508@francesco-nb>","Content-Language":"en-US","From":"Quentin Schulz <quentin.schulz@cherry.de>","In-Reply-To":"<20260421101655.GD23508@francesco-nb>","Content-Type":"text/plain; charset=UTF-8; format=flowed","X-ClientProxiedBy":"VI1PR04CA0084.eurprd04.prod.outlook.com\n (2603:10a6:803:64::19) To 
DBBPR04MB7737.eurprd04.prod.outlook.com\n (2603:10a6:10:1e5::22)","MIME-Version":"1.0","X-MS-PublicTrafficType":"Email","X-MS-TrafficTypeDiagnostic":"DBBPR04MB7737:EE_|FRWPR04MB11222:EE_","X-MS-Office365-Filtering-Correlation-Id":"b8ff69c8-77c7-4f5e-c0ce-08de9f8fd516","X-MS-Exchange-SenderADCheck":"1","X-MS-Exchange-AntiSpam-Relay":"0","X-Microsoft-Antispam":"BCL:0;\n ARA:13230040|10070799003|376014|1800799024|366016|18002099003|56012099003|22082099003;","X-Forefront-Antispam-Report":"CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;\n IPV:NLI; SFV:NSPM; H:DBBPR04MB7737.eurprd04.prod.outlook.com; PTR:; CAT:NONE;\n SFS:(13230040)(10070799003)(376014)(1800799024)(366016)(18002099003)(56012099003)(22082099003);\n DIR:OUT; SFP:1101;","X-MS-Exchange-AntiSpam-MessageData-ChunkCount":"1","X-OriginatorOrg":"cherry.de","X-MS-Exchange-CrossTenant-Network-Message-Id":"\n b8ff69c8-77c7-4f5e-c0ce-08de9f8fd516","X-MS-Exchange-CrossTenant-AuthSource":"DBBPR04MB7737.eurprd04.prod.outlook.com","X-MS-Exchange-CrossTenant-AuthAs":"Internal","X-MS-Exchange-CrossTenant-OriginalArrivalTime":"21 Apr 2026 10:22:03.8841 (UTC)","X-MS-Exchange-CrossTenant-FromEntityHeader":"Hosted","X-MS-Exchange-CrossTenant-Id":"5e0e1b52-21b5-4e7b-83bb-514ec460677e","X-MS-Exchange-CrossTenant-MailboxType":"HOSTED","X-MS-Exchange-CrossTenant-UserPrincipalName":"\n 5bUpVU9tLsLiIt9l2fIy/lhTbNXDB2csqbUcRWpmFrrdfHPXEslJh/UIUNIb7+2PacIBlf/vnQa4AiXk0F3bB60BdOm/+XF6IwwpmLk/pZY=","X-MS-Exchange-Transport-CrossTenantHeadersStamped":"FRWPR04MB11222","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]