u-boot.git/tools/mkeficapsule.c, branch master Unnamed repository; edit this file 'description' to name the repository. tools: mkeficapsule: Fix dump signature long option 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:13+00:00 84432436bf564adc5f48ea81672ee8d5b374cb3d Only short option has been present. Also rename dump_sig to dump-sig to match with other parameter names. Fixes: 16abff246b40 ("tools: mkeficapsule: add firmware image signing") Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Only short option has been present. Also rename dump_sig
to dump-sig to match with other parameter names.

Fixes: 16abff246b40 ("tools: mkeficapsule: add firmware image signing")

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tools: mkeficapsule: Add support for pkcs11 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:11+00:00 0c716a157be460006a4b762625de329b5e36dbf9 With pkcs11 support it's now possible to specify keys with URI format. To use this feature the filename must begin "pkcs11:.." and have valid URI pointing to certificate and private key in HSM. The environment variable PKCS11_MODULE_PATH must point to the right pkcs11 provider i.e. with softhsm: export PKCS11_MODULE_PATH=<path>/libsofthsm2.so Example command line: tools/mkeficapsule --monotonic-count 1 \ --private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \ --certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \ --index 1 \ --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \ "capsule-payload" \ "capsule.cap" Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
With pkcs11 support it's now possible to specify keys
with URI format. To use this feature the filename must
begin "pkcs11:.." and have valid URI pointing to certificate
and private key in HSM.

The environment variable PKCS11_MODULE_PATH must point to the
right pkcs11 provider i.e. with softhsm:
export PKCS11_MODULE_PATH=<path>/libsofthsm2.so

Example command line:
tools/mkeficapsule --monotonic-count 1 \
 --private-key "pkcs11:token=EX;object=capsule;type=private;pin-source=pin.txt" \
 --certificate "pkcs11:token=EX;object=capsule;type=cert;pin-source=pin.txt" \
 --index 1 \
 --guid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
 "capsule-payload" \
 "capsule.cap"

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tools: mkeficapsule: resource leak in read_bin_file() 2025-08-08T06:44:52+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2025-07-26T06:31:23+00:00 e16646c0ade9a62ef118978e27adbb259eb8a360 Free the allocated buffer in case of an error. Fixes: 9e63786e2b4b ("tools: mkeficapsule: rework the code a little bit") Addresses-Coverity-ID: 345917 Resource leak Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
Free the allocated buffer in case of an error.

Fixes: 9e63786e2b4b ("tools: mkeficapsule: rework the code a little bit")
Addresses-Coverity-ID: 345917 Resource leak
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
tools: mkeficapsule: use %zd to print ssize_t. 2024-11-09T08:56:45+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2024-11-03T22:45:05+00:00 ac425307f7cf23345f1c33759fbf34662c112276 For printing a ssize_t variable we must use %zd and not %ld to avoid a -Wformat error on 32-bit systems. Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
For printing a ssize_t variable we must use %zd and not %ld to avoid
a -Wformat error on 32-bit systems.

Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
tools: mkeficapsule: support generating dynamic GUIDs 2024-09-12T15:35:37+00:00 Caleb Connolly caleb.connolly@linaro.org 2024-08-30T12:34:39+00:00 7558385e483c8c89ceaa6c24485827255fcceef8 Add support for generating GUIDs that match those generated internally by U-Boot for capsule update fw_images when using dynamic UUIDs. Dynamic UUIDs in U-Boot work by taking a namespace UUID and hashing it with the board compatible and fw_image name. This feature just provides a way to determine the UUIDs for a particular board without having to actually boot U-Boot on it. Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org> 
Add support for generating GUIDs that match those generated internally
by U-Boot for capsule update fw_images when using dynamic UUIDs.

Dynamic UUIDs in U-Boot work by taking a namespace UUID and hashing it
with the board compatible and fw_image name. This feature just provides
a way to determine the UUIDs for a particular board without having to
actually boot U-Boot on it.

Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
tools: mkeficapsule: use u-boot UUID library 2024-09-12T15:35:37+00:00 Caleb Connolly caleb.connolly@linaro.org 2024-08-30T12:34:38+00:00 f102e0d08d53098dd171de773a5742ab7b66348c Replace the use of libuuid with U-Boot's own UUID library. This prepares us to add support for generating v5 GUIDs. Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org> 
Replace the use of libuuid with U-Boot's own UUID library. This prepares
us to add support for generating v5 GUIDs.

Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
tools/mkeficapsule: correct printf codes 2024-08-24T09:34:05+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2024-08-14T12:33:44+00:00 2a12caf75d282e20363c69707e93eeecbfa39749 uint64_t is defined as unsigned long long on 32-bit ARM. Use PRIX64 for printing uint64_t. This avoid a build failure on 32-bit systems: tools/mkeficapsule.c: In function 'dump_capsule_auth_header': tools/mkeficapsule.c:694:66: warning: format '%lX' expects argument of type 'long unsigned int', but argument 2 has type 'uint64_t' {aka 'long long unsigned int'} [-Wformat=] 694 | printf("EFI_FIRMWARE_IMAGE_AUTH.MONOTONIC_COUNT\t\t: %08lX\n", | ~~~~^ | | | long unsigned int | %08llX Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Mark Kettenis <kettenis@openbsd.org> 
uint64_t is defined as unsigned long long on 32-bit ARM.
Use PRIX64 for printing uint64_t.

This avoid a build failure on 32-bit systems:

    tools/mkeficapsule.c: In function 'dump_capsule_auth_header':
    tools/mkeficapsule.c:694:66: warning: format '%lX' expects argument of
    type 'long unsigned int', but argument 2 has type 'uint64_t'
    {aka 'long long unsigned int'} [-Wformat=]
    694 | printf("EFI_FIRMWARE_IMAGE_AUTH.MONOTONIC_COUNT\t\t: %08lX\n",
        |                                                      ~~~~^
        |                                                          |
        |                                                          long unsigned int
        |                                                      %08llX

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
binman: Return failure when a usage() message is generated 2024-08-05T18:15:29+00:00 Simon Glass sjg@chromium.org 2024-07-31T14:49:03+00:00 ba35f730e817153f07ea88355399ab336319f8a7 The tool must return an error code when invalid arguments are provided, otherwise binman has no way of knowing that anything went wrong. Correct this. Signed-off-by: Simon Glass <sjg@chromium.org> Fixes: fab430be2f4 ("tools: add mkeficapsule command for UEFI...") 
The tool must return an error code when invalid arguments are provided,
otherwise binman has no way of knowing that anything went wrong.

Correct this.

Signed-off-by: Simon Glass <sjg@chromium.org>
Fixes: fab430be2f4 ("tools: add mkeficapsule command for UEFI...")
mkeficapsule: Add a --version argument 2024-08-05T18:15:29+00:00 Simon Glass sjg@chromium.org 2024-07-31T14:49:00+00:00 8436282e24df315a37bb0392fcf6212458239432 Tools should have an option to obtain the version, so add this to the mkeficapsule tool. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Tools should have an option to obtain the version, so add this to the
mkeficapsule tool.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
global: Restrict use of '#include <linux/kconfig.h>' 2023-12-21T13:54:05+00:00 Tom Rini trini@konsulko.com 2023-12-14T12:16:54+00:00 b106961c2e4e7f339485a401ebb06c936fc432ee In general terms, we -include include/linux/kconfig.h and so normal U-Boot code does not need to also #include it. However, for code which is shared with userspace we may need to add it so that either our full config is available or so that macros such as CONFIG_IS_ENABLED() can be evaluated. In this case make sure that we guard these includes with a test for USE_HOSTCC so that it clear as to why we're doing this. Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Tom Rini <trini@konsulko.com> 
In general terms, we -include include/linux/kconfig.h and so normal
U-Boot code does not need to also #include it. However, for code which
is shared with userspace we may need to add it so that either our full
config is available or so that macros such as CONFIG_IS_ENABLED() can be
evaluated. In this case make sure that we guard these includes with a
test for USE_HOSTCC so that it clear as to why we're doing this.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>