[{"id":3680153,"web_url":"http://patchwork.ozlabs.org/comment/3680153/","msgid":"","list_archive_url":null,"date":"2026-04-22T00:14:48","subject":"Re: [PATCH v2] binman: x509_cert: add PKCS#11/HSM signing support","submitter":{"id":6170,"url":"http://patchwork.ozlabs.org/api/people/6170/","name":"Simon Glass","email":"sjg@chromium.org"},"content":"Hi Sergio,\n\nOn 2026-04-21T13:36:46, Sergio Prado wrote:\n> binman: x509_cert: add PKCS#11/HSM signing support\n>\n> Allow X509 certificates used for K3/TI secure boot to be signed via an\n> HSM using the PKCS#11 standard.\n>\n> Two new make variables are introduced:\n>\n> - BINMAN_PKCS11_URI PKCS#11 URI identifying the signing key on the HSM\n> - BINMAN_PKCS11_MODULE Path to the PKCS#11 shared library (.so)\n>\n> When BINMAN_PKCS11_URI is set, it is passed to binman as the pkcs11-uri\n> entry argument, which overrides the keyfile property at signing time.\n>\n> The openssl bintool gains three helper methods:\n>\n> - _pkcs11_use_provider() detects whether the pkcs11 provider (OpenSSL\n> >= 3.1) or the legacy pkcs11 engine (libp11) is available.\n>\n> - _build_key_args() builds the appropriate -key/-provider/-engine\n> arguments for the openssl command line, appending ?pin-value=\n> [...]\n>\n> Makefile | 2 +\n> tools/binman/binman.rst | 18 +++++++\n> tools/binman/btool/openssl.py | 106 ++++++++++++++++++++++++++++++++++------\n> tools/binman/etype/x509_cert.py | 47 ++++++++++++++++--\n> tools/binman/ftest.py | 96 ++++++++++++++++++++++++++++++++++++\n> 5 files changed, 249 insertions(+), 20 deletions(-)\n\n> diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py\n> @@ -35,18 +36,83 @@ class Bintoolopenssl(bintool.Bintool):\n> + if key_fname.startswith('pkcs11:'):\n> + pin = os.environ.get('PKCS11_PIN')\n> + if pin:\n> + key_fname = f'{key_fname}?pin-value={pin}'\n\nThis assumes the URI has no existing query parameters. It might be\nworth using '&' instead of '?' if the URI already contains '?'\n\n> diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py\n> @@ -35,18 +36,83 @@ class Bintoolopenssl(bintool.Bintool):\n> + def _run_cmd_pkcs11(self, pkcs11_module, *args):\n> + if pkcs11_module:\n> + os.environ['PKCS11_MODULE_PATH'] = pkcs11_module\n> + os.environ['PKCS11_PROVIDER_MODULE'] = pkcs11_module\n> + return self.run_cmd(*args)\n\nSetting os.environ directly pollutes the global environment. This\ncould cause issues if binman signs multiple images with different\nmodule paths in a single run. It would be cleaner to pass the env to\nrun_cmd() explicitly. What do you think?\n\nAlso, the environment variables persist even if pkcs11_module is None\non a subsequent call.\n\n> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py\n> @@ -6884,6 +6884,102 @@ fdt fdtmap Extract the devicetree blob from the fdtmap\n> + def testX509CertPkcs11(self):\n> + \"\"\"Test X509 certificate creation using a PKCS#11 URI instead of a key file\"\"\"\n> + PKCS11_URI = 'pkcs11:token=test;object=mykey;type=private'\n> + PKCS11_MODULE = '/usr/lib/pkcs11/libsofthsm2.so'\n> + original = bintool.Bintool.run_cmd\n> +\n> + def fake_openssl(self_tool, *args, binary=False):\n> + if self_tool.name != 'openssl':\n> + return original(self_tool, *args, binary=binary)\n> + arg_list = list(args)\n> + if arg_list == ['list', '-providers']:\n> + return 'pkcs11 provider'\n> + if '-out' in arg_list:\n> + tools.write_file(arg_list[arg_list.index('-out') + 1],\n> + b'\\x00' * 32)\n> + return ''\n\nThe test only confirms the code path runs without error. You could\nalso add assertions that check the args contain '-provider pkcs11' and\nthat PKCS11_URI is passed as the key argument.\n\nReviewed-by: Simon Glass \n\nRegards,\nSimon","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256\n header.s=google header.b=RghdhoED;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org\n header.b=\"RghdhoED\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=sjg@chromium.org"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0fqy2Y5Dz1yD5\n\tfor ; Wed, 22 Apr 2026 10:15:10 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id BDF1A84178;\n\tWed, 22 Apr 2026 02:15:07 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id AB89984178; Wed, 22 Apr 2026 02:15:06 +0200 (CEST)","from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com\n [IPv6:2a00:1450:4864:20::62a])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 1B5B8805D7\n for ; Wed, 22 Apr 2026 02:15:02 +0200 (CEST)","by mail-ej1-x62a.google.com with SMTP id\n a640c23a62f3a-ba7fd666666so313646766b.3\n for ; Tue, 21 Apr 2026 17:15:02 -0700 (PDT)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; t=1776816902; cv=none;\n d=google.com; s=arc-20240605;\n b=OYr1ASHroICypBuV6CdUWpRQ24hAhtS2svUxL86B7eak0yMxXD8o1GKIKw+HdZ8jBo\n IidohJ7Y9QFre4hMq1fTphWmmK2XfxqZ7jMqG4ZjmzQUEx59VT4m9gUTgW5vCCcRdKPK\n IfyU7QpN320DoGVZqSYZ321p67epuYf2JRlWeybjqPjG71cDmrYvHhUXBxq6V3XjUkNO\n PJpd3Zjom+zLX1xfDn3fI+TRrDYlF18X7ANlTzhtjVjTJvIlITEW/vnrX1m7lmTV2f4q\n 1uiAPEXBf1vUr9hT4dXDDgILYYlQB4NBu+4oV9y89NZZ8cqBze87aQNAIcbUAXQjzb+L\n iB5w==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:dkim-signature;\n bh=3u1AXF7tcTVhG3Rt8eU0gK4eWEHDYrTXOXppUfh5Kzk=;\n fh=qaRiAPLi2gUZrZGaRoTf6QYCsjzDIsZQoM8Hg7+2j3w=;\n b=J9Pe/g1yJigUJXe1qk3lE2r+Jld5ap07VEDl8N6veRM1Mf1rK4wUs5frA/IZG4tFXn\n ZneCntaePTFM39mh/+4t//9sF75ArYcuDbNcwTap0bft/FD6eIziGrw2p/sZfGztCe43\n WjNLjxlHgBoXRXLasLEnFGyWTCQ8F1Dx8AMlH1GWQuKfSwoaF2XWr0OP21uxsEAjjzNp\n c9waXKWJj7JrMMagGWCdlCc/uxKMKPqF3ZX/ZDMFB7S2kEsdXqPVPyhA9WawNieZmq6q\n vaW/qGUFNsgMW6Pzbrb4R7sQOEqMpuAqekwX/b20tddOrcpeHOZnQYi4Tq8lOo1G8oey\n wEbQ==; darn=lists.denx.de","ARC-Authentication-Results":"i=1; mx.google.com; arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=chromium.org; s=google; t=1776816902; x=1777421702; darn=lists.denx.de;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:from:to:cc:subject:date:message-id:reply-to;\n bh=3u1AXF7tcTVhG3Rt8eU0gK4eWEHDYrTXOXppUfh5Kzk=;\n b=RghdhoEDUEFbiXmujonijkKiQlnl8/Jhe3WnbUZXNmD85IV5J1XP5keuQxUdf2I9XT\n h46GYcAYac21H4U9AiRkJ+JHYOv4vz/6GNL162uLWoPBlhkn/JprLCmkmsXt0hk5FOvu\n 7b+9OrlX2MC87W1x4/sJOZWhwM4tZyH7rHkkE=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776816902; x=1777421702;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=3u1AXF7tcTVhG3Rt8eU0gK4eWEHDYrTXOXppUfh5Kzk=;\n b=pZBO2ERtlUDSGK5su71zFh5dbPjdsUyIFB8QyPni2wbbeSak4+Nw/bweEnICeBkEUx\n ILvYuxZ9vFhxz180ebBDi/WbDMdjgJzYMvoV17rN/LebN94EEVfYe/3NDZImTZD6aqvc\n VhQhAMBQAgIDJP4UV7HnVkNv1XaBLWxrRgpAZXO9gTH4pSrHOzBcBeVtNELe8oVDQ9/c\n ps67tnWiFw2r/jggjvLrZVWKfRV67VlD6QLLKyXdHhadAwXE58JeidtrHBFNhiMP7BP4\n 5ko6VLgZSTzHPy2wOGdKfxDWThmsJbMdwDajpJwSgchPcK8bgZubErunceClrfTs1ZPI\n 0GhQ==","X-Gm-Message-State":"AOJu0YyMjTgBnv6J0GDFAjSI1NUPl7KN7UmQgFFes0/o7vjPUZKGWixc\n 9eMbHFcqibN27yfzE41LriUqF2IimYV6XjX6d45MYamvZobO8+0GR9CTU/2qaTAgTXOfmMlBlBv\n kKSFnwv8Lu23x11R57knkzx0Ni/nTIoLxTYGiK600","X-Gm-Gg":"AeBDieuIotvtv+98ahDkvTeHc7vVmR0jx9Hi4w+hgTFsCx9+VtUnMnsuzSKZiqUr1nW\n Xp3Dbpcd7Jtcy16k1EQOVk79UZbtym056wEMaKYZC8FxQ4CrAMZLlRv+KeJCrwm7Iu75e+4hFgt\n +sJZ2cc3W7lYhPE7bOgT0TILrPVMS02XGR6LhHbDo1ItSpWV2fQ7kuCQbgmWL0iKRqAmb15Ar/j\n LwZg6ONir6LO5moceLcBXIpTuK9jJVtOkYqA5yjE0fHK9uoZz//XFRzQzfD7Zx8oUg6LPwLvOOh\n +/hlVP5kFfteDIVfM5Zu","X-Received":"by 2002:a17:907:928e:b0:ba1:1181:b773 with SMTP id\n a640c23a62f3a-ba418981ae1mr1077311466b.10.1776816901576; Tue, 21 Apr 2026\n 17:15:01 -0700 (PDT)","MIME-Version":"1.0","References":"<20260421133646.2826728-1-sergio.prado@e-labworks.com>","In-Reply-To":"<20260421133646.2826728-1-sergio.prado@e-labworks.com>","From":"Simon Glass ","Date":"Wed, 22 Apr 2026 12:14:48 +1200","X-Gm-Features":"AQROBzBP3dlpsCcSgPYk2whCXlfYH-XqiCZtNqPLT5QFqnhvTNBcZLyjKrD-I2k","Message-ID":"\n ","Subject":"Re: [PATCH v2] binman: x509_cert: add PKCS#11/HSM signing support","To":"sergio.prado@e-labworks.com","Cc":"u-boot@lists.denx.de, trini@konsulko.com, sjg@chromium.org,\n alpernebiyasak@gmail.com, ilias.apalodimas@linaro.org,\n marek.vasut+renesas@mailbox.org, sughosh.ganu@arm.com,\n wolfgang.wallner@at.abb.com, bb@ti.com, y.moog@phytec.de, afd@ti.com","Content-Type":"text/plain; charset=\"UTF-8\"","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]