u-boot.git/tools/binman/btool, branch master Unnamed repository; edit this file 'description' to name the repository. test: binman: Add test for pkcs11 signed capsule 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:16+00:00 e73443167be055c646dfd7d5a79bc30ac33e31d5 Test pkcs11 URI support for UEFI capsule generation. Both public certificate and private key are used over pkcs11 protocol. Pkcs11-tool has been introduced as softhsm tool doesn't have functionality to import certificates in commonly distributed version (only in the latest). Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Simon Glass <simon.glass@canonical.com> 
Test pkcs11 URI support for UEFI capsule generation. Both
public certificate and private key are used over pkcs11
protocol.
Pkcs11-tool has been introduced as softhsm tool doesn't have
functionality to import certificates in commonly distributed
version (only in the latest).

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
binman: Add dump signature option to mkeficapsule 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:14+00:00 a251d46e68470706d0585711943e8d36cd432675 It will be used to capsule signature verification. Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Simon Glass <simon.glass@canonical.com> 
It will be used to capsule signature verification.

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
tools: mkeficapsule: Fix dump signature long option 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:13+00:00 84432436bf564adc5f48ea81672ee8d5b374cb3d Only short option has been present. Also rename dump_sig to dump-sig to match with other parameter names. Fixes: 16abff246b40 ("tools: mkeficapsule: add firmware image signing") Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Only short option has been present. Also rename dump_sig
to dump-sig to match with other parameter names.

Fixes: 16abff246b40 ("tools: mkeficapsule: add firmware image signing")

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tools: binman: fit: add tests for signing with an OpenSSL engine 2025-12-06T17:43:08+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-11-21T17:15:00+00:00 564c6682fa9689e408e6b795cc8c8c40e5e60e81 This adds a test that signs a FIT and verifies the signature with fit_check_sign. OpenSSL engines are typically for signing with external HW so it's not that straight-forward to simulate. For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA 4096 private key is made available. It can be selected by setting the OpenSSL engine argument to dummy-rsa-engine. This can only be done if the engine is detected by OpenSSL, which works by setting the OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine is properly implementing what is expected from an RSA engine, but it seems to be enough for testing. For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11 without specific hardware. The keypairs and tokens are generated on the fly. The "prod" token is generated with a different PIN (1234 instead of 1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it. Binman will not mess with the local SoftHSMv2 setup as it will only use tokens from a per-test temporary directory enforced via the temporary configuration file set via SOFTHSM2_CONF env variable in the tests. The files created in the input dir should NOT be named the same as it is shared between all tests in the same process (which is all tests when running binman with -P 1 or with -T). Once signed, it's checked with fit_check_sign with the associated certificate. Finally, a new softhsm2_util bintool is added so that we can initialize the token and import keypairs. On Debian, the package also brings libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It is not the only package required though, as it also needs p11-kit and libengine-pkcs11-openssl (the latter bringing the former). We can detect if it's properly installed by running openssl engine dynamic -c pkcs11. If that fails, we simply skip the test. The package is installed in the CI container by default. Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
This adds a test that signs a FIT and verifies the signature with
fit_check_sign.

OpenSSL engines are typically for signing with external HW so it's not
that straight-forward to simulate.

For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA
4096 private key is made available. It can be selected by setting the
OpenSSL engine argument to dummy-rsa-engine. This can only be done if
the engine is detected by OpenSSL, which works by setting the
OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine
is properly implementing what is expected from an RSA engine, but it
seems to be enough for testing.

For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11
without specific hardware. The keypairs and tokens are generated on the
fly. The "prod" token is generated with a different PIN (1234 instead of
1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it.

Binman will not mess with the local SoftHSMv2 setup as it will only use
tokens from a per-test temporary directory enforced via the temporary
configuration file set via SOFTHSM2_CONF env variable in the tests. The
files created in the input dir should NOT be named the same as it is
shared between all tests in the same process (which is all tests when
running binman with -P 1 or with -T).

Once signed, it's checked with fit_check_sign with the associated
certificate.

Finally, a new softhsm2_util bintool is added so that we can initialize
the token and import keypairs. On Debian, the package also brings
libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It
is not the only package required though, as it also needs p11-kit and
libengine-pkcs11-openssl (the latter bringing the former). We can detect
if it's properly installed by running openssl engine dynamic -c pkcs11.
If that fails, we simply skip the test.
The package is installed in the CI container by default.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
tools: binman: mkimage: add support for passing the engine 2025-12-06T17:43:08+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-11-21T17:14:58+00:00 9f9de386c1e54e6b009e5510ff335ab339a89a62 mkimage has support for OpenSSL engines but binman currently doesn't for direct callers of mkimage (e.g. the fit etype). This prepares for adding support for OpenSSL engines for signing elements of a FIT image, which will done in the next commit. Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com> Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
mkimage has support for OpenSSL engines but binman currently doesn't for
direct callers of mkimage (e.g. the fit etype). This prepares for adding
support for OpenSSL engines for signing elements of a FIT image, which
will done in the next commit.

Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
binman: btool: mkimage: fix Bintoolmkimage.run() method docstring 2025-11-02T18:15:23+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-10-29T11:30:36+00:00 07436b5778fc7b920d9c93f8aa4c14987b17a443 Commit 65e2c14d5a5a ("binman: btool: mkimage: use Bintool.version") removed the version argument from the run method but forgot to remove it from the method docstring, so let's fix this oversight. Fixes: 65e2c14d5a5a ("binman: btool: mkimage: use Bintool.version") Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Kever Yang <kever.yang@rock-chips.com> 
Commit 65e2c14d5a5a ("binman: btool: mkimage: use Bintool.version")
removed the version argument from the run method but forgot to remove it
from the method docstring, so let's fix this oversight.

Fixes: 65e2c14d5a5a ("binman: btool: mkimage: use Bintool.version")
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
binman: openssl: disable JTAG access by default 2025-06-25T19:43:34+00:00 Bryan Brattlof bb@ti.com 2025-06-02T21:56:52+00:00 e18472f1dee609b2ee8a492985bf77a5012e4d01 Typically boards operating in production environments will not be monitored and so will not need JTAG access unlocked. Disable the debug extension by default (set debugType = 0) unless we add the 'debug' property in the binman configs. Acked-by: Andrew Davis <afd@ti.com> Signed-off-by: Bryan Brattlof <bb@ti.com> 
Typically boards operating in production environments will not be
monitored and so will not need JTAG access unlocked. Disable the debug
extension by default (set debugType = 0) unless we add the 'debug'
property in the binman configs.

Acked-by: Andrew Davis <afd@ti.com>
Signed-off-by: Bryan Brattlof <bb@ti.com>
binman: cst: Build from source 2025-03-12T16:25:25+00:00 Leonard Anderweit l.anderweit@phytec.de 2025-02-26T21:05:01+00:00 326b7ea9823a74a83b3a7ef6ee3f4927eb36987e Build the imx code singing tool from source instead of relying on the distro to provide the tool. Use the debian/unstable branch because the default branch is outdated. The binary is supposed to be build with docker, work around that by selecting the correct Makefile directly. Also append the description and add a link to documentation. Signed-off-by: Leonard Anderweit <l.anderweit@phytec.de> Reviewed-by: Simon Glass <sjg@chromium.org> 
Build the imx code singing tool from source instead of relying on the
distro to provide the tool.
Use the debian/unstable branch because the default branch is outdated.
The binary is supposed to be build with docker, work around that by selecting
the correct Makefile directly.
Also append the description and add a link to documentation.

Signed-off-by: Leonard Anderweit <l.anderweit@phytec.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
tools: binman: add 'fit, encrypt' property to pass keys directory to mkimage 2024-12-19T15:10:34+00:00 Paul HENRYS paul.henrys_ext@softathome.com 2024-11-25T17:47:16+00:00 e2cc9b4fc10f521fac098ab5e324446125e6a85d mkimage can be used for both signing the FIT or encrypt its content and the option '-k' can be used to pass a directory where both signing and encryption keys can be retrieved. Adding 'fit,encrypt' property to the 'fit' node, leads to try to find keys directory among binman include directories. _get_priv_keys_dir() is renamed as _get_keys_dir() and adapted to support both signing and encryption nodes in the FIT. Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
mkimage can be used for both signing the FIT or encrypt its content and the
option '-k' can be used to pass a directory where both signing and encryption
keys can be retrieved. Adding 'fit,encrypt' property to the 'fit' node, leads to
try to find keys directory among binman include directories.
_get_priv_keys_dir() is renamed as _get_keys_dir() and adapted to support both
signing and encryption nodes in the FIT.

Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
binman: implement signing FIT images during image build 2024-10-18T20:10:22+00:00 Alexander Kochetkov al.kochet@gmail.com 2024-09-16T08:24:46+00:00 133c000ca334743fda3a4d77f7638da1a807e40e The patch implement new property 'fit,sign' that can be declared at the top-level 'fit' node. If that option is declared, fit tryies to detect private keys directory among binman include directories. That directory than passed to mkimage using '-k' flag and that enable signing of FIT. Signed-off-by: Alexander Kochetkov <al.kochet@gmail.com> Reviewed-by: Simon Glass <sjg@chromium.org> Renumbered files, moved new tests to end: Signed-off-by: Simon Glass <sjg@chromium.org> 
The patch implement new property 'fit,sign' that can be declared
at the top-level 'fit' node. If that option is declared, fit tryies
to detect private keys directory among binman include directories.
That directory than passed to mkimage using '-k' flag and that enable
signing of FIT.

Signed-off-by: Alexander Kochetkov <al.kochet@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Renumbered files, moved new tests to end:
Signed-off-by: Simon Glass <sjg@chromium.org>