u-boot.git/tools/binman, branch next Unnamed repository; edit this file 'description' to name the repository. global: Update URL for U-Boot project 2026-05-25T15:30:47+00:00 Tom Rini trini@konsulko.com 2026-05-22T23:58:38+00:00 7c419d4b578492e9781d4d7e755809c78c2c3661 Our official domain is now u-boot-project.org, so update all in-tree references to use the correct domain. Reviewed-by: Tony Dinh <mibodhi@gmail.com> Reviewed-by: Peter Robinson <pbrobinson@gmail.com> Signed-off-by: Tom Rini <trini@konsulko.com> 
Our official domain is now u-boot-project.org, so update all in-tree
references to use the correct domain.

Reviewed-by: Tony Dinh <mibodhi@gmail.com>
Reviewed-by: Peter Robinson <pbrobinson@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
binman: Use bintool wrappers for PKCS#11 tools in tests 2026-05-11T18:05:10+00:00 Simon Glass sjg@chromium.org 2026-05-05T18:12:55+00:00 08bcf962c5fe1d2690ac3ff6dd75d3963325476b The PKCS#11 signing tests in ftest.py call tools.run('softhsm2-util', ...) directly (and the equivalent for pkcs11-tool and p11-kit), even though the test setup has already constructed the corresponding Bintool instances. As Quentin Schulz observed on v1, the bintool wrapper for these tools is currently used only as an "is this installed?" probe. Route the eight remaining call sites in ftest.py through <bintool>.run_cmd(...), which the Bintool base class already provides. The change is test-side only; no production binman code calls these tools. Suggested-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Simon Glass <sjg@chromium.org> 
The PKCS#11 signing tests in ftest.py call tools.run('softhsm2-util', ...)
directly (and the equivalent for pkcs11-tool and p11-kit), even though
the test setup has already constructed the corresponding Bintool
instances. As Quentin Schulz observed on v1, the bintool wrapper for
these tools is currently used only as an "is this installed?" probe.

Route the eight remaining call sites in ftest.py through
<bintool>.run_cmd(...), which the Bintool base class already provides.
The change is test-side only; no production binman code calls these
tools.

Suggested-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Simon Glass <sjg@chromium.org>
binman: Flesh out the softhsm2-util bintool docstring 2026-05-11T18:05:10+00:00 Simon Glass sjg@chromium.org 2026-05-05T18:12:54+00:00 44f9ccfdad47deadb1b61896dbbcf004b8c6fa0c The Sphinx-generated bintools.rst currently produces an empty section for this bintool, since its class docstring is only a single line and so the body under the heading is blank. Extend the docstring with a short description of what softhsm2-util does and how binman uses it, so the generated documentation has useful content. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Simon Glass <sjg@chromium.org> 
The Sphinx-generated bintools.rst currently produces an empty section
for this bintool, since its class docstring is only a single line and
so the body under the heading is blank.

Extend the docstring with a short description of what softhsm2-util
does and how binman uses it, so the generated documentation has useful
content.

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Simon Glass <sjg@chromium.org>
binman: Flesh out the pkcs11-tool bintool docstring 2026-05-11T18:05:10+00:00 Simon Glass sjg@chromium.org 2026-05-05T18:12:53+00:00 40c94fbf62b39a89171402054f0940d08fb05c9d The Sphinx-generated bintools.rst currently produces an empty section for this bintool, since its class docstring is only a single line and so the body under the heading is blank. Extend the docstring with a short description of what pkcs11-tool does and how binman uses it, so the generated documentation has useful content. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Simon Glass <sjg@chromium.org> 
The Sphinx-generated bintools.rst currently produces an empty section
for this bintool, since its class docstring is only a single line and
so the body under the heading is blank.

Extend the docstring with a short description of what pkcs11-tool does
and how binman uses it, so the generated documentation has useful
content.

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Simon Glass <sjg@chromium.org>
binman: Flesh out the p11-kit bintool docstring 2026-05-11T18:05:10+00:00 Simon Glass sjg@chromium.org 2026-05-05T18:12:52+00:00 4dc8f10edf90cab4d7f6b7106f5e52f6c23099ed The Sphinx-generated bintools.rst currently produces an empty section for this bintool, since its class docstring is only a single line and so the body under the heading is blank. Extend the docstring with a short description of what p11-kit does and how binman uses it, so the generated documentation has useful content. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Simon Glass <sjg@chromium.org> 
The Sphinx-generated bintools.rst currently produces an empty section
for this bintool, since its class docstring is only a single line and
so the body under the heading is blank.

Extend the docstring with a short description of what p11-kit does and
how binman uses it, so the generated documentation has useful content.

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Simon Glass <sjg@chromium.org>
tools: binman: Test signing an encrypted FIT with a preload header 2026-05-05T16:37:09+00:00 Paul HENRYS paul.henrys_ext@softathome.com 2026-04-17T08:30:50+00:00 b20d69e5f57bee299380bb30112856e51d8f26b0 Add a test to verify the preload header correctly signs an encrypted FIT. This test exercises the case where encryption uses random IVs that would change between mkimage calls. Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
Add a test to verify the preload header correctly signs an encrypted
FIT. This test exercises the case where encryption uses random IVs that
would change between mkimage calls.

Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
binman: collection: Set build_done on referenced entries 2026-05-05T16:37:09+00:00 yan wang yan.wang@softathome.com 2026-04-17T08:30:49+00:00 9ff82a771c44a8cf38bd52b556f685ddbc6f1a55 The collection etype uses phandles in the 'content' property to reference other entries. Mark each referenced entry with build_done to avoid rebuilding the same entry data multiple times. This is important for cases where rebuilding may change the data content, e.g. due to timestamps or random IVs in encryption. Refactor GetContentsByPhandle() to return both the entry object and its data. Signed-off-by: yan wang <yan.wang@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
The collection etype uses phandles in the 'content' property to
reference other entries. Mark each referenced entry with build_done
to avoid rebuilding the same entry data multiple times.

This is important for cases where rebuilding may change the data
content, e.g. due to timestamps or random IVs in encryption.

Refactor GetContentsByPhandle() to return both the entry object and
its data.

Signed-off-by: yan wang <yan.wang@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
binman: Generate preload header and sign data only once 2026-05-05T16:37:09+00:00 Paul HENRYS paul.henrys_ext@softathome.com 2026-04-17T08:30:48+00:00 5006121b44a2d147e7e426c74537b3566407e853 To optimize preload generation, generate the header and signatures only after all data has been collected in ProcessContentsUpdate(). This avoids signing the data multiple times. Since header_size is known upfront (from __init__), create a placeholder in `ObtainContents()` to avoid an extra packing pass when ProcessContentsUpdate() detects a size change. This reduces unnecessary repacking and signing operations. Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
To optimize preload generation, generate the header and signatures only
after all data has been collected in ProcessContentsUpdate(). This
avoids signing the data multiple times.

Since header_size is known upfront (from __init__), create a placeholder
in `ObtainContents()` to avoid an extra packing pass when
ProcessContentsUpdate() detects a size change.

This reduces unnecessary repacking and signing operations.

Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
binman: Remove pre-generated entries.rst and bintools.rst 2026-04-17T05:26:31+00:00 Simon Glass sjg@chromium.org 2026-03-18T13:23:57+00:00 090a7eb9cf36aec08fbe131f0c475ccaa55a8241 These files are now auto-generated by the binman_docs Sphinx extension during the doc build, so the committed copies and their symlinks in doc/develop/package/ are no longer needed. Update binman.rst to reference the Sphinx extension instead of the manual generation commands. Signed-off-by: Simon Glass <sjg@chromium.org> Rebased to apply file deletions cleanly. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
These files are now auto-generated by the binman_docs Sphinx extension
during the doc build, so the committed copies and their symlinks in
doc/develop/package/ are no longer needed.

Update binman.rst to reference the Sphinx extension instead of the
manual generation commands.

Signed-off-by: Simon Glass <sjg@chromium.org>

Rebased to apply file deletions cleanly.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
test: binman: Add test for pkcs11 signed capsule 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:16+00:00 e73443167be055c646dfd7d5a79bc30ac33e31d5 Test pkcs11 URI support for UEFI capsule generation. Both public certificate and private key are used over pkcs11 protocol. Pkcs11-tool has been introduced as softhsm tool doesn't have functionality to import certificates in commonly distributed version (only in the latest). Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Simon Glass <simon.glass@canonical.com> 
Test pkcs11 URI support for UEFI capsule generation. Both
public certificate and private key are used over pkcs11
protocol.
Pkcs11-tool has been introduced as softhsm tool doesn't have
functionality to import certificates in commonly distributed
version (only in the latest).

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Simon Glass <simon.glass@canonical.com>