Diffstat (limited to 'tools')
| -rw-r--r-- | tools/binman/btool/p11_kit.py | 11 | ||||
| -rw-r--r-- | tools/binman/btool/pkcs11_tool.py | 11 | ||||
| -rw-r--r-- | tools/binman/btool/softhsm2_util.py | 12 | ||||
| -rw-r--r-- | tools/binman/ftest.py | 46 | ||||
| -rw-r--r-- | tools/patman/cser_helper.py | 4 | ||||
| -rw-r--r-- | tools/patman/cseries.py | 6 |
6 files changed, 59 insertions, 31 deletions
diff --git a/tools/binman/btool/p11_kit.py b/tools/binman/btool/p11_kit.py
index 9d8d5d848b4..1bbece5bb2b 100644
--- a/tools/binman/btool/p11_kit.py
+++ b/tools/binman/btool/p11_kit.py
@@ -7,7 +7,16 @@ from binman import bintool
 class Bintoolp11_kit(bintool.Bintool):
- """p11-kit -- support tool for pkcs#11 libraries"""
+ """p11-kit -- support tool for pkcs#11 libraries
+
+ This bintool wraps the `p11-kit` command, a support tool for PKCS#11
+ modules. Binman uses this wrapper only to check that p11-kit is installed
+ (and to fetch it if missing); any actual PKCS#11 module discovery for
+ signing FIT images or capsules is done outside binman, by mkimage and the
+ OpenSSL PKCS#11 engine.
+
+ See https://p11-glue.github.io/p11-glue/p11-kit.html for more details.
+ """
 def __init__(self, name):
 super().__init__('p11-kit', 'Pkcs11 library modules tool',
diff --git a/tools/binman/btool/pkcs11_tool.py b/tools/binman/btool/pkcs11_tool.py
index 673c0ea0ac3..ca80943f98c 100644
--- a/tools/binman/btool/pkcs11_tool.py
+++ b/tools/binman/btool/pkcs11_tool.py
@@ -7,7 +7,16 @@ from binman import bintool
 class Bintoolpkcs11_tool(bintool.Bintool):
- """pkcs11-tool -- support tool for managing pkcs#11 tokens"""
+ """pkcs11-tool -- support tool for managing pkcs#11 tokens
+
+ This bintool wraps the `pkcs11-tool` command from the OpenSC project for
+ managing objects stored in PKCS#11 tokens. Binman uses this wrapper only
+ to check that pkcs11-tool is installed (and to fetch it if missing); any
+ actual key or token management for signing FIT images or capsules is done
+ outside binman.
+
+ See https://github.com/OpenSC/OpenSC/wiki for more details.
+ """
 def __init__(self, name):
 super().__init__('pkcs11-tool', 'PKCS #11 tokens managing tool',
diff --git a/tools/binman/btool/softhsm2_util.py b/tools/binman/btool/softhsm2_util.py
index 869221d841d..fd2ff2d6473 100644
--- a/tools/binman/btool/softhsm2_util.py
+++ b/tools/binman/btool/softhsm2_util.py
@@ -7,7 +7,17 @@ from binman import bintool
 class Bintoolsofthsm2_util(bintool.Bintool):
- """SoftHSMv2 -- support tool for libsofthsm2"""
+ """SoftHSMv2 -- support tool for libsofthsm2
+
+ This bintool wraps the `softhsm2-util` command shipped with SoftHSMv2 (a
+ software implementation of a PKCS#11 token). Binman uses this wrapper only
+ to check that softhsm2-util is installed (and to fetch it if missing); any
+ actual token initialisation or key import for signing FIT images or
+ capsules is done outside binman, typically via mkimage and the OpenSSL
+ PKCS#11 engine.
+
+ See https://www.opendnssec.org/softhsm/ for more details.
+ """
 def __init__(self, name):
 super().__init__('softhsm2-util', 'SoftHSMv2 support tool for libsofthsm2',
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index da8325f820a..9a3811c1732 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -7581,7 +7581,7 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
 self._CheckBintool(p11_kit)
 p11_kit_config = configparser.ConfigParser()
- out = tools.run('p11-kit', 'print-config')
+ out = p11_kit.run_cmd('print-config')
 p11_kit_config.read_string(out)
 softhsm2_lib = p11_kit_config.get('softhsm2', 'module', fallback=None)
@@ -7590,16 +7590,16 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
 with unittest.mock.patch.dict('os.environ', {'SOFTHSM2_CONF': softhsm2_conf, 'PKCS11_MODULE_PATH': softhsm2_lib}):
- tools.run('softhsm2-util', '--init-token', '--free', '--label',
- 'U-Boot token', '--pin', '1111', '--so-pin',
- '222222')
- tools.run('pkcs11-tool', '--module', softhsm2_lib,
- '--write-object', cert_file, '--pin', '1111',
- '--type', 'cert', '--id', '999999', '--label',
- 'test_cert', '--login')
- tools.run('softhsm2-util', '--import', private_key, '--token',
- 'U-Boot token', '--label', 'test_key', '--id', '999999',
- '--pin', '1111')
+ softhsm2_util.run_cmd('--init-token', '--free', '--label',
+ 'U-Boot token', '--pin', '1111',
+ '--so-pin', '222222')
+ pkcs11_tool.run_cmd('--module', softhsm2_lib,
+ '--write-object', cert_file, '--pin', '1111',
+ '--type', 'cert', '--id', '999999', '--label',
+ 'test_cert', '--login')
+ softhsm2_util.run_cmd('--import', private_key, '--token',
+ 'U-Boot token', '--label', 'test_key',
+ '--id', '999999', '--pin', '1111')
 data = self._DoReadFile('capsule/signed_pkcs11.dts')
 self._CheckCapsule(data, signed_capsule=True)
@@ -8251,12 +8251,12 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
 with unittest.mock.patch.dict('os.environ', {'SOFTHSM2_CONF': softhsm2_conf}):
- tools.run('softhsm2-util', '--init-token', '--free', '--label',
- 'U-Boot token', '--pin', '1111', '--so-pin',
- '222222')
- tools.run('softhsm2-util', '--import', private_key, '--token',
- 'U-Boot token', '--label', 'test_key', '--id', '999999',
- '--pin', '1111')
+ softhsm2_util.run_cmd('--init-token', '--free', '--label',
+ 'U-Boot token', '--pin', '1111',
+ '--so-pin', '222222')
+ softhsm2_util.run_cmd('--import', private_key, '--token',
+ 'U-Boot token', '--label', 'test_key',
+ '--id', '999999', '--pin', '1111')
 # Make sure the private key can only be accessed through the engine
 os.remove(private_key)
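Review bot: The return values of the three `run_cmd()` calls in the `@@ -7590` hunk are discarded, so the test now relies on `Bintool.run_cmd()` raising whenever token setup fails. `tools.run()` was called for its exception on failure; if `run_cmd()` instead returns None when the tool cannot be found (worth confirming in bintool.py), a missing softhsm2-util or pkcs11-tool would only surface later as an unrelated signing error. `self._CheckBintool(p11_kit)` is visible in the `@@ -7581` hunk, but the equivalent checks for `softhsm2_util` and `pkcs11_tool` fall outside these hunks, so either confirm they exist or assert on the result, e.g. `self.assertIsNotNone(softhsm2_util.run_cmd('--init-token', ...))`. The same applies to the `@@ -8251` and `@@ -8326` hunks; the test bodies start and end outside the hunks.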
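Review bot: The user PIN and SO PIN are passed as literal argv values (`'--pin', '1111'`, `'--so-pin', '222222'`), which is acceptable only because the token is a throwaway SoftHSM instance selected through the patched `SOFTHSM2_CONF`, and nothing in the hunk says so. A short comment above the first call would document that, for example `# Throwaway SoftHSM token under SOFTHSM2_CONF; these PINs are fixtures and must never be reused for a real HSM`. Because the calls now go through the bintool wrapper, it is also worth checking whether that wrapper logs the full argument list, since any PIN passed this way would then land in the log. The `@@ -7590` and `@@ -8326` hunks use the same pattern.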
@@ -8326,12 +8326,12 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
 with unittest.mock.patch.dict('os.environ', {'SOFTHSM2_CONF': softhsm2_conf}):
- tools.run('softhsm2-util', '--init-token', '--free', '--label',
- 'U-Boot prod token', '--pin', '1234', '--so-pin',
- '222222')
- tools.run('softhsm2-util', '--import', private_key, '--token',
- 'U-Boot prod token', '--label', 'prod', '--id', '999999',
- '--pin', '1234')
+ softhsm2_util.run_cmd('--init-token', '--free', '--label',
+ 'U-Boot prod token', '--pin', '1234',
+ '--so-pin', '222222')
+ softhsm2_util.run_cmd('--import', private_key, '--token',
+ 'U-Boot prod token', '--label', 'prod',
+ '--id', '999999', '--pin', '1234')
 # Make sure the private key can only be accessed through the engine
 os.remove(private_key)
diff --git a/tools/patman/cser_helper.py b/tools/patman/cser_helper.py
index 2841fcd9c20..81ad212daee 100644
--- a/tools/patman/cser_helper.py
+++ b/tools/patman/cser_helper.py
@@ -309,7 +309,7 @@ class CseriesHelper:
 self._copy_db_fields_to(series, ser)
 msg = None
 if end:
- repo = pygit2.init_repository(self.gitdir)
+ repo = pygit2.Repository(self.gitdir)
 target = repo.revparse_single(end)
 first_line = target.message.splitlines()[0]
 msg = f'Ending before {oid(target.id)} {first_line}'
@@ -725,7 +725,7 @@ class CseriesHelper:
 raise ValueError( f"Modified files exist: use 'git status' to check: " f'{dirty[:5]}')
- repo = pygit2.init_repository(self.gitdir)
+ repo = pygit2.Repository(self.gitdir)
 commit = None
 upstream_name = None
diff --git a/tools/patman/cseries.py b/tools/patman/cseries.py
index bcbc4963cea..0844b5f0257 100644
--- a/tools/patman/cseries.py
+++ b/tools/patman/cseries.py
@@ -119,7 +119,7 @@ class Cseries(cser_helper.CseriesHelper):
 new_max = max_vers - 1
- repo = pygit2.init_repository(self.gitdir)
+ repo = pygit2.Repository(self.gitdir)
 if not dry_run:
 name = self._get_branch_name(ser.name, new_max)
 branch = repo.lookup_branch(name)
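Review bot: `pygit2.Repository(self.gitdir)` is now repeated at five call sites (this `@@ -309` hunk and `@@ -725` in cser_helper.py, plus `@@ -119`, `@@ -859` and `@@ -896` in cseries.py), and none of the visible lines handles the error it raises when `self.gitdir` is not a repository. The old `init_repository()` call presumably created or reinitialised a repository in that case, so callers may never have exercised this failure path. A single helper on CseriesHelper, e.g. `def _open_repo(self):` with body `return pygit2.Repository(self.gitdir)`, would give one place to turn that error into a clear message naming the path. The enclosing methods start and end outside the hunks.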
@@ -859,7 +859,7 @@ class Cseries(cser_helper.CseriesHelper):
 tag_info[svi.version] = [svi.idnum, name, f'{name}-{now_str}']
 # Create the tags
- repo = pygit2.init_repository(self.gitdir)
+ repo = pygit2.Repository(self.gitdir)
 for _, (idnum, name, tag_name) in tag_info.items():
 commit = repo.revparse_single(name)
 repo.create_tag(tag_name, commit.hex,
@@ -896,7 +896,7 @@ class Cseries(cser_helper.CseriesHelper):
 svlist = self.db.ser_ver_get_for_series(ser.idnum)
 # Collect the tags
- repo = pygit2.init_repository(self.gitdir)
+ repo = pygit2.Repository(self.gitdir)
 tag_info = {}
 for svi in svlist:
 name = self._get_branch_name(ser.name, svi.version) |
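Review bot: The context line `repo.create_tag(tag_name, commit.hex,` in the `@@ -859` hunk still reads `commit.hex`, while cser_helper.py in this same commit formats ids through `oid(target.id)`. Recent pygit2 releases deprecate the `.hex` attribute in favour of `str(obj.id)` (worth confirming against the pygit2 versions patman supports), so this call may fail on a newer library even after the `Repository()` fix. `repo.create_tag(tag_name, str(commit.id),` would avoid that. The call continues past the end of the hunk.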
