u-boot.git/tools/binman/btool, branch master Unnamed repository; edit this file 'description' to name the repository. binman: Flesh out the softhsm2-util bintool docstring 2026-05-11T18:05:10+00:00 Simon Glass sjg@chromium.org 2026-05-05T18:12:54+00:00 44f9ccfdad47deadb1b61896dbbcf004b8c6fa0c The Sphinx-generated bintools.rst currently produces an empty section for this bintool, since its class docstring is only a single line and so the body under the heading is blank. Extend the docstring with a short description of what softhsm2-util does and how binman uses it, so the generated documentation has useful content. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Simon Glass <sjg@chromium.org> 
The Sphinx-generated bintools.rst currently produces an empty section
for this bintool, since its class docstring is only a single line and
so the body under the heading is blank.

Extend the docstring with a short description of what softhsm2-util
does and how binman uses it, so the generated documentation has useful
content.

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Simon Glass <sjg@chromium.org>
binman: Flesh out the pkcs11-tool bintool docstring 2026-05-11T18:05:10+00:00 Simon Glass sjg@chromium.org 2026-05-05T18:12:53+00:00 40c94fbf62b39a89171402054f0940d08fb05c9d The Sphinx-generated bintools.rst currently produces an empty section for this bintool, since its class docstring is only a single line and so the body under the heading is blank. Extend the docstring with a short description of what pkcs11-tool does and how binman uses it, so the generated documentation has useful content. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Simon Glass <sjg@chromium.org> 
The Sphinx-generated bintools.rst currently produces an empty section
for this bintool, since its class docstring is only a single line and
so the body under the heading is blank.

Extend the docstring with a short description of what pkcs11-tool does
and how binman uses it, so the generated documentation has useful
content.

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Simon Glass <sjg@chromium.org>
binman: Flesh out the p11-kit bintool docstring 2026-05-11T18:05:10+00:00 Simon Glass sjg@chromium.org 2026-05-05T18:12:52+00:00 4dc8f10edf90cab4d7f6b7106f5e52f6c23099ed The Sphinx-generated bintools.rst currently produces an empty section for this bintool, since its class docstring is only a single line and so the body under the heading is blank. Extend the docstring with a short description of what p11-kit does and how binman uses it, so the generated documentation has useful content. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Simon Glass <sjg@chromium.org> 
The Sphinx-generated bintools.rst currently produces an empty section
for this bintool, since its class docstring is only a single line and
so the body under the heading is blank.

Extend the docstring with a short description of what p11-kit does and
how binman uses it, so the generated documentation has useful content.

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Simon Glass <sjg@chromium.org>
test: binman: Add test for pkcs11 signed capsule 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:16+00:00 e73443167be055c646dfd7d5a79bc30ac33e31d5 Test pkcs11 URI support for UEFI capsule generation. Both public certificate and private key are used over pkcs11 protocol. Pkcs11-tool has been introduced as softhsm tool doesn't have functionality to import certificates in commonly distributed version (only in the latest). Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Simon Glass <simon.glass@canonical.com> 
Test pkcs11 URI support for UEFI capsule generation. Both
public certificate and private key are used over pkcs11
protocol.
Pkcs11-tool has been introduced as softhsm tool doesn't have
functionality to import certificates in commonly distributed
version (only in the latest).

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
binman: Add dump signature option to mkeficapsule 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:14+00:00 a251d46e68470706d0585711943e8d36cd432675 It will be used to capsule signature verification. Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Simon Glass <simon.glass@canonical.com> 
It will be used to capsule signature verification.

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
tools: mkeficapsule: Fix dump signature long option 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:13+00:00 84432436bf564adc5f48ea81672ee8d5b374cb3d Only short option has been present. Also rename dump_sig to dump-sig to match with other parameter names. Fixes: 16abff246b40 ("tools: mkeficapsule: add firmware image signing") Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Only short option has been present. Also rename dump_sig
to dump-sig to match with other parameter names.

Fixes: 16abff246b40 ("tools: mkeficapsule: add firmware image signing")

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tools: binman: fit: add tests for signing with an OpenSSL engine 2025-12-06T17:43:08+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-11-21T17:15:00+00:00 564c6682fa9689e408e6b795cc8c8c40e5e60e81 This adds a test that signs a FIT and verifies the signature with fit_check_sign. OpenSSL engines are typically for signing with external HW so it's not that straight-forward to simulate. For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA 4096 private key is made available. It can be selected by setting the OpenSSL engine argument to dummy-rsa-engine. This can only be done if the engine is detected by OpenSSL, which works by setting the OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine is properly implementing what is expected from an RSA engine, but it seems to be enough for testing. For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11 without specific hardware. The keypairs and tokens are generated on the fly. The "prod" token is generated with a different PIN (1234 instead of 1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it. Binman will not mess with the local SoftHSMv2 setup as it will only use tokens from a per-test temporary directory enforced via the temporary configuration file set via SOFTHSM2_CONF env variable in the tests. The files created in the input dir should NOT be named the same as it is shared between all tests in the same process (which is all tests when running binman with -P 1 or with -T). Once signed, it's checked with fit_check_sign with the associated certificate. Finally, a new softhsm2_util bintool is added so that we can initialize the token and import keypairs. On Debian, the package also brings libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It is not the only package required though, as it also needs p11-kit and libengine-pkcs11-openssl (the latter bringing the former). We can detect if it's properly installed by running openssl engine dynamic -c pkcs11. If that fails, we simply skip the test. The package is installed in the CI container by default. Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
This adds a test that signs a FIT and verifies the signature with
fit_check_sign.

OpenSSL engines are typically for signing with external HW so it's not
that straight-forward to simulate.

For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA
4096 private key is made available. It can be selected by setting the
OpenSSL engine argument to dummy-rsa-engine. This can only be done if
the engine is detected by OpenSSL, which works by setting the
OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine
is properly implementing what is expected from an RSA engine, but it
seems to be enough for testing.

For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11
without specific hardware. The keypairs and tokens are generated on the
fly. The "prod" token is generated with a different PIN (1234 instead of
1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it.

Binman will not mess with the local SoftHSMv2 setup as it will only use
tokens from a per-test temporary directory enforced via the temporary
configuration file set via SOFTHSM2_CONF env variable in the tests. The
files created in the input dir should NOT be named the same as it is
shared between all tests in the same process (which is all tests when
running binman with -P 1 or with -T).

Once signed, it's checked with fit_check_sign with the associated
certificate.

Finally, a new softhsm2_util bintool is added so that we can initialize
the token and import keypairs. On Debian, the package also brings
libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It
is not the only package required though, as it also needs p11-kit and
libengine-pkcs11-openssl (the latter bringing the former). We can detect
if it's properly installed by running openssl engine dynamic -c pkcs11.
If that fails, we simply skip the test.
The package is installed in the CI container by default.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
tools: binman: mkimage: add support for passing the engine 2025-12-06T17:43:08+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-11-21T17:14:58+00:00 9f9de386c1e54e6b009e5510ff335ab339a89a62 mkimage has support for OpenSSL engines but binman currently doesn't for direct callers of mkimage (e.g. the fit etype). This prepares for adding support for OpenSSL engines for signing elements of a FIT image, which will done in the next commit. Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com> Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
mkimage has support for OpenSSL engines but binman currently doesn't for
direct callers of mkimage (e.g. the fit etype). This prepares for adding
support for OpenSSL engines for signing elements of a FIT image, which
will done in the next commit.

Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
binman: btool: mkimage: fix Bintoolmkimage.run() method docstring 2025-11-02T18:15:23+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-10-29T11:30:36+00:00 07436b5778fc7b920d9c93f8aa4c14987b17a443 Commit 65e2c14d5a5a ("binman: btool: mkimage: use Bintool.version") removed the version argument from the run method but forgot to remove it from the method docstring, so let's fix this oversight. Fixes: 65e2c14d5a5a ("binman: btool: mkimage: use Bintool.version") Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Kever Yang <kever.yang@rock-chips.com> 
Commit 65e2c14d5a5a ("binman: btool: mkimage: use Bintool.version")
removed the version argument from the run method but forgot to remove it
from the method docstring, so let's fix this oversight.

Fixes: 65e2c14d5a5a ("binman: btool: mkimage: use Bintool.version")
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
binman: openssl: disable JTAG access by default 2025-06-25T19:43:34+00:00 Bryan Brattlof bb@ti.com 2025-06-02T21:56:52+00:00 e18472f1dee609b2ee8a492985bf77a5012e4d01 Typically boards operating in production environments will not be monitored and so will not need JTAG access unlocked. Disable the debug extension by default (set debugType = 0) unless we add the 'debug' property in the binman configs. Acked-by: Andrew Davis <afd@ti.com> Signed-off-by: Bryan Brattlof <bb@ti.com> 
Typically boards operating in production environments will not be
monitored and so will not need JTAG access unlocked. Disable the debug
extension by default (set debugType = 0) unless we add the 'debug'
property in the binman configs.

Acked-by: Andrew Davis <afd@ti.com>
Signed-off-by: Bryan Brattlof <bb@ti.com>