[{"id":3678724,"web_url":"http://patchwork.ozlabs.org/comment/3678724/","msgid":"","list_archive_url":null,"date":"2026-04-17T12:45:13","subject":"Re: [PATCH] binman: x509_cert: add PKCS#11/HSM signing support","submitter":{"id":67358,"url":"http://patchwork.ozlabs.org/api/people/67358/","name":"Sergio Prado","email":"sergio.prado@e-labworks.com"},"content":"Hi Simon,\n\n> For some reason I cannot see this in patchwork.\nIt seems my email is waiting for moderator approval. I received this email:\n\"Your message to U-Boot awaits moderator approval. The reason it is being\nheld: Post to moderated list\".\n\n> In any case, please can you add tests and check that the coverage is\nstill 100% ?\nGood point. I will work on the test cases, validate test coverage and\nsubmit v2.\n\nBest regards,\n\nSergio Prado\n\nEm qui., 16 de abr. de 2026 às 18:35, Simon Glass \nescreveu:\n\n> Hi Sergio,\n>\n> On Fri, 17 Apr 2026 at 02:53, Sergio Prado \n> wrote:\n> >\n> > Allow X509 certificates used for K3/TI secure boot to be signed via an\n> > HSM using the PKCS#11 standard.\n> >\n> > Two new make variables are introduced:\n> >\n> > BINMAN_PKCS11_URI PKCS#11 URI identifying the signing key on the HSM\n> > BINMAN_PKCS11_MODULE Path to the PKCS#11 shared library (.so)\n> >\n> > When BINMAN_PKCS11_URI is set, it is passed to binman as the pkcs11-uri\n> > entry argument, which overrides the keyfile property at signing time.\n> >\n> > The openssl bintool gains three helper methods:\n> >\n> > _pkcs11_use_provider() detects whether the pkcs11 provider (OpenSSL\n> > >= 3.1) or the legacy pkcs11 engine (libp11) is available.\n> >\n> > _build_key_args() builds the appropriate -key/-provider/-engine\n> > arguments for the openssl command line, appending ?pin-value=\n> > from the PKCS11_PIN environment variable when set.\n> >\n> > _run_cmd_pkcs11() exports PKCS11_MODULE_PATH and PKCS11_PROVIDER_MODULE\n> > before invoking openssl when a module path is provided.\n> >\n> > Existing behavior is unchanged when neither BINMAN_PKCS11_URI nor\n> > BINMAN_PKCS11_MODULE is set.\n> >\n> > Tested with SoftHSM2 and a Yubikey using the verdin-am62_a53_defconfig\n> > configuration.\n> >\n> > Signed-off-by: Sergio Prado \n> > ---\n> > Makefile | 2 +\n> > tools/binman/binman.rst | 18 ++++++\n> > tools/binman/btool/openssl.py | 106 +++++++++++++++++++++++++++-----\n> > tools/binman/etype/x509_cert.py | 47 ++++++++++++--\n> > 4 files changed, 153 insertions(+), 20 deletions(-)\n>\n> For some reason I cannot see this in patchwork.\n>\n> In any case, please can you add tests and check that the coverage is\n> still 100% ?\n>\n> Regards,\n> Simon\n>","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=e-labworks-com.20251104.gappssmtp.com\n header.i=@e-labworks-com.20251104.gappssmtp.com header.a=rsa-sha256\n header.s=20251104 header.b=ORsCzqy/;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=fail (p=none dis=none) header.from=e-labworks.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=e-labworks-com.20251104.gappssmtp.com\n header.i=@e-labworks-com.20251104.gappssmtp.com header.b=\"ORsCzqy/\";\n\tdkim-atps=neutral","phobos.denx.de; dmarc=fail (p=none dis=none)\n header.from=e-labworks.com","phobos.denx.de;\n spf=none smtp.mailfrom=sergio.prado@e-labworks.com"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxw8J42Xsz1yCv\n\tfor ; Fri, 17 Apr 2026 23:04:48 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 0EBAA84286;\n\tFri, 17 Apr 2026 15:04:33 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id A337B842E0; Fri, 17 Apr 2026 14:45:34 +0200 (CEST)","from mail-dy1-x1335.google.com (mail-dy1-x1335.google.com\n [IPv6:2607:f8b0:4864:20::1335])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 4394084246\n for ; Fri, 17 Apr 2026 14:45:32 +0200 (CEST)","by mail-dy1-x1335.google.com with SMTP id\n 5a478bee46e88-2b6b0500e06so1108832eec.1\n for ; Fri, 17 Apr 2026 05:45:32 -0700 (PDT)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,HTML_MESSAGE,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NONE\n autolearn=ham autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; t=1776429931; cv=none;\n d=google.com; s=arc-20240605;\n b=A8QB3Eb2thCYiY73DJ+vHOVySvbg3Dj6TZETGAoU3dThPXe1rwzlLcg3HwQ9Oz46fU\n Y5tN23653NRZ+zlp0Dp/kaYnEySiBE7bzNfZpNbwOglgUQ+nRcceX5saesJpttsJdSKJ\n NgEaZ7YzNRmMFy6q0XL/lMzfaC4RikmNqDJ9/0g+Nv7pfaEeRxeJ90cIFpDJ9JqbwG2C\n AuSIS+PCiNjhOmsSk80MEehHS3EkcFIPrK9BvQaaqpFbj8XiFmaeGupeLNuvMm980YBx\n 8LnPN/Ekvxu5HZ3SHL9XZYwPyICjNYM2zQbHVoc1gdhlBec1jTFiUD5N3lB5zSjZ80Xw\n pvrg==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:dkim-signature;\n bh=H5rsciFe75g/4QXkvDJ2h8EZX6K6ebhL7WSFtUzfj7Y=;\n fh=McFpimHY6bIsIE5qOYgv8xLs+kIZjYvKN90K+mlCE3I=;\n b=T87/fvMv2dPx4BXryOlHVPWzzVSeDJlMmWVKBhzrM0n8WQqEykaZpEA8/5GlbIvmm6\n mQLvtoLK6KMfdsooJMhGj4dosTTBtfvG3Xjo5vswZ5D+9soVre0aDiYvRu2QCgsvJ3Co\n 9kZzk5a4UTjwn7QCF2QXHqDPuKIxTbkTAqpXTyMgRy0bA0Z+2N+UsJWBStjT7V43XYco\n ng3wuep7kIdzcBz0EBWwawUafjF7Dp2E++QfuPgU+52plq3TPB2FWvbYhfeKcbjGLOjH\n JltxmRay71vsBYwiGfN2Q2Q2C22KaYe3nh3rtty+IZ+jzghb3gywe49VyKOssQhIx58h\n ZEpg==; darn=lists.denx.de","ARC-Authentication-Results":"i=1; mx.google.com; arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=e-labworks-com.20251104.gappssmtp.com; s=20251104; t=1776429931;\n x=1777034731;\n darn=lists.denx.de;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:from:to:cc:subject:date:message-id:reply-to;\n bh=H5rsciFe75g/4QXkvDJ2h8EZX6K6ebhL7WSFtUzfj7Y=;\n b=ORsCzqy/iKcpgO4R7Dax/42MFOUTEYuSZhNiv6VqsWCkF4Cp9mc+S9WMZf0L/ErJ8K\n E5Pwe5teee+UduKgljyTOOam9RY3onGGp+3GebbW9tU7JwNhNKcprsBxi3tO1KVwn07C\n Ukfxm8iXYh/3UyVQMcyrYdTYCbmiHEYeoytS6VWtjPdahts1bLmjuhorLh1B3wmLA5P+\n 5pN7U1vvYmBPoVvgU9CSM8NK2YFae6JrD6nPXla4GNCAibNW16SA35dHvUml3Voaoze0\n i4LqItXmeKMYaUHho5IBM/SdS03AoEJSxi35t4YCNrRyEwXq57uYKnfUZ0MzUvhtEYak\n rqxA==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776429931; x=1777034731;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=H5rsciFe75g/4QXkvDJ2h8EZX6K6ebhL7WSFtUzfj7Y=;\n b=hGNiByNw/57kzQNp4RqRoohwmQ4gBjxrMljWvwTX/6i+wrsHOc0grJ2XTYmwf1kE6b\n QOVY9+LEx9L5ljcHZYPabNOrCWp6Emchllb/Lc6qVR/T4rhcPYkoaT8yz824hho2I6gE\n EUcmojSMjuvgS7DNA82I8hNmrjfRlXKhfXbVovsNUVOOfP1N9yd7gHtACxOC9gfO1qML\n OrWzPUnJcAaIUBWpv5kYc1WiiZ3cyCxIqmH84JsLMnWvqGA3UyU8w1HKpgz4Fnl5gA9p\n T5SHpijo4zFq2d+hvLuy2MNaAYMOFUAAcrDhyTRzI1FB34psd4f/puU4Zqup0gWpVgCg\n xBEg==","X-Gm-Message-State":"AOJu0YwakWWq8jKAQu7ELTxOP1AFWqWTsoB3usqwmCmUdpEjfsXCG83B\n yH3ANTn4JcMCQGS+Hc1rXhi8lp4iDVfUWuESxgEZ8y/RrXdlsZ1V6JQXQJTjp9z2Zu33fHZcBKT\n 4sWQca7IZq8NNcu3XCFq2gLEd4v8vWHgdZLloPj3kMw==","X-Gm-Gg":"AeBDieuq4bgCmfrM9BvbO8NQgsDWGTuNwbBV/yuZD2cSPcsZqTeUhFT96tyjFFwkqyB\n 8ZZu+zOU06zWlyt1rMLLAgqtZfKLve8M2+mXxpNAokitDdj5NEY8MIcCV/DR3WHFjW61e5S4fez\n JPGjvR+7Nuw2BLJSVquSCBduWdLj71OCA/VZWAjKNW/W6h8KEhAAL4bMjf2Q8Y+44LWFW6GPKLy\n BkBSa1nLKhSlGObdN1cOCk0gI0u/4JY6EwQYhbcTtgh4ncp8+SxOouXOopu2GM/zYraq3eqfxqI\n mjNKjdcp7QWFNrQp140=","X-Received":"by 2002:a05:7300:5728:b0:2cf:28e8:d784 with SMTP id\n 5a478bee46e88-2e478a3314cmr1149080eec.19.1776429930476; Fri, 17 Apr 2026\n 05:45:30 -0700 (PDT)","MIME-Version":"1.0","References":"<20260416145259.2985564-1-sergio.prado@e-labworks.com>\n ","In-Reply-To":"\n ","From":"Sergio Prado ","Date":"Fri, 17 Apr 2026 09:45:13 -0300","X-Gm-Features":"AQROBzB2i2uDVNW9XD2nNIwXnxCf3P_1O-WEjH4rqC2p2h4b2n4AaPbZ1mAVrWg","Message-ID":"\n ","Subject":"Re: [PATCH] binman: x509_cert: add PKCS#11/HSM signing support","To":"Simon Glass ","Cc":"u-boot@lists.denx.de, trini@konsulko.com, alpernebiyasak@gmail.com,\n ilias.apalodimas@linaro.org, marek.vasut+renesas@mailbox.org,\n sughosh.ganu@arm.com, wolfgang.wallner@at.abb.com, bb@ti.com,\n y.moog@phytec.de, afd@ti.com","X-Mailman-Approved-At":"Fri, 17 Apr 2026 15:04:32 +0200","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable","X-Content-Filtered-By":"Mailman/MimeDel 2.1.39","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]