@@ -114,6 +114,14 @@ config TOOLS_MKEFICAPSULE
optionally sign that file. If you want to enable UEFI capsule
update feature on your target, you certainly need this.
+config MKEFICAPSULE_DISABLE_PKCS11
+ bool "Disable pkcs11 support"
+ depends on TOOLS_MKEFICAPSULE
+ default n
+ help
+ Disable pkcs11 support. Can be used in cases when host GnuTLS
+ library doesn't support it.
+
menuconfig FSPI_CONF_HEADER
bool "FlexSPI Header Configuration"
help
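Review bot: The help text for MKEFICAPSULE_DISABLE_PKCS11 does not say what a user who still passes a `pkcs11:` certificate or key URI will see once the option is enabled, which is the first thing a distro maintainer needs to know before turning it on. Suggest extending the help with `When enabled, mkeficapsule rejects pkcs11: certificate and key URIs with an error; only file-based certificates and keys can be used for signing.` The `default n` line is also redundant, since a bool symbol already defaults to n, unless the surrounding entries in this file spell it out by convention (those entries are outside the hunk).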
@@ -271,6 +271,9 @@ mkeficapsule-objs := generated/lib/uuid.o \
$(LIBFDT_OBJS) \
mkeficapsule.o
hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
+ifeq ($(CONFIG_MKEFICAPSULE_DISABLE_PKCS11),y)
+HOSTCFLAGS_mkeficapsule.o += -DCONFIG_MKEFICAPSULE_DISABLE_PKCS11
+endif
include tools/fwumdata_src/fwumdata.mk
@@ -229,9 +229,11 @@ static int create_auth_data(struct auth_context *ctx)
gnutls_pkcs7_t pkcs7;
gnutls_datum_t data;
gnutls_datum_t signature;
+#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
gnutls_pkcs11_obj_t *obj_list;
unsigned int obj_list_size = 0;
const char *lib;
+#endif
int ret;
bool pkcs11_cert = false;
bool pkcs11_key = false;
@@ -242,6 +244,7 @@ static int create_auth_data(struct auth_context *ctx)
if (!strncmp(ctx->key_file, "pkcs11:", strlen("pkcs11:")))
pkcs11_key = true;
+#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
if (pkcs11_cert || pkcs11_key) {
lib = getenv("PKCS11_MODULE_PATH");
if (!lib) {
@@ -259,6 +262,7 @@ static int create_auth_data(struct auth_context *ctx)
return -1;
}
}
+#endif
if (!pkcs11_cert) {
ret = read_bin_file(ctx->cert_file, &cert.data, &file_size);
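Review bot: When CONFIG_MKEFICAPSULE_DISABLE_PKCS11 is set, a `pkcs11:` cert or key URI is still detected by the strncmp checks in the preceding hunk but only rejected much later, in the x509 and private-key branches, after the other file has already been read and the GnuTLS objects have been set up; an `#else` branch before the `#endif` in this hunk would fail once, early, with a single message. The enclosing function create_auth_data starts and ends outside these hunks, so the cleanup expected on that early return should be checked against the surrounding code.
```c
/* … unchanged: pkcs11_cert / pkcs11_key detection … */
#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
	/* … unchanged: PKCS11_MODULE_PATH lookup and module init … */
#else
	if (pkcs11_cert || pkcs11_key) {
		fprintf(stderr, "error: pkcs11 support is disabled\n");
		return -1;
	}
#endif
```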
@@ -301,6 +305,7 @@ static int create_auth_data(struct auth_context *ctx)
/* load x509 certificate */
if (pkcs11_cert) {
+#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
ctx->cert_file, 0);
if (ret < 0 || obj_list_size == 0) {
@@ -309,6 +314,10 @@ static int create_auth_data(struct auth_context *ctx)
}
gnutls_x509_crt_import_pkcs11(x509, obj_list[0]);
+#else
+ fprintf(stdout, "Pkcs11 support is disabled\n");
+ return -1;
+#endif
} else {
ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
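Review bot: The "Pkcs11 support is disabled" message in the new `#else` branch goes to stdout although the function returns -1 on that path and every other failure in create_auth_data is reported on stderr (see the `fprintf(stderr, "error in %d: %s\n", __LINE__, ...)` pattern in the next hunk); a caller or script capturing stdout would miss the reason for the failure. Suggest `fprintf(stderr, "Pkcs11 support is disabled\n");` here, and the same change for the identical line in the private-key branch of the next hunk. The enclosing function starts and ends outside this hunk.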
@@ -320,12 +329,17 @@ static int create_auth_data(struct auth_context *ctx)
/* load a private key */
if (pkcs11_key) {
+#ifndef CONFIG_MKEFICAPSULE_DISABLE_PKCS11
ret = gnutls_privkey_import_pkcs11_url(pkey, ctx->key_file);
if (ret < 0) {
fprintf(stderr, "error in %d: %s\n", __LINE__,
gnutls_strerror(ret));
return -1;
}
+#else
+ fprintf(stdout, "Pkcs11 support is disabled\n");
+ return -1;
+#endif
} else {
ret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM,
0, 0);
Some distros ship a gnutls library built without pkcs11 support, and linking of mkeficapsule then fails. Add an option to disable pkcs11 support, with the default set to no, so distros can control this feature through a config option. Suggested-by: Tom Rini <trini@konsulko.com> Cc: Franz Schnyder <fra.schnyder@gmail.com> Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> --- tools/Kconfig | 8 ++++++++ tools/Makefile | 3 +++ tools/mkeficapsule.c | 14 ++++++++++++++ 3 files changed, 25 insertions(+)