binman: DTS: Add dump-signature option for capsules

Mkeficapsule can dump signature for signed capsules. It can
be used in test to validate signature i.e. with openssl.
Add an entry for device tree node.

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
This commit is contained in:
Wojciech Dubowik
2026-02-20 10:15:15 +01:00
committed by Simon Glass
parent a251d46e68
commit e2c46d33cf
2 changed files with 12 additions and 1 deletions


@@ -552,6 +552,10 @@ Properties / Entry arguments:
- public-key-cert: Path to PEM formatted .crt public key certificate
file. Mandatory property for generating signed capsules.
- oem-flags - OEM flags to be passed through capsule header.
- dump-signature: Optional boolean (default: false). Instruct
mkeficapsule to write signature data to a separate file. The
filename will be <capsule file>.p7. It might be used to verify
capsule authentication with external tools.
Since this is a subclass of Entry_section, all properties of the parent
class also apply here. Except for the properties stated as mandatory, the
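Review bot: the new dump-signature entry does not say what happens when the capsule is not signed. The commit message describes the feature as dumping the signature "for signed capsules", and public-key-cert just above is documented as mandatory for generating signed capsules, so the text should state that dump-signature is only meaningful together with the signing properties and what the user gets if they are absent.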


@@ -53,6 +53,10 @@ class Entry_efi_capsule(Entry_section):
- public-key-cert: Path to PEM formatted .crt public key certificate
file. Mandatory property for generating signed capsules.
- oem-flags - OEM flags to be passed through capsule header.
- dump-signature: Optional boolean (default: false). Instruct
mkeficapsule to write signature data to a separate file. The
filename will be <capsule file>.p7. It might be used to verify
capsule authentication with external tools.
Since this is a subclass of Entry_section, all properties of the parent
class also apply here. Except for the properties stated as mandatory, the
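Review bot: "<capsule file>" in the dump-signature description is ambiguous about which file name the .p7 is derived from. Further down, the entry returns tools.read_file(capsule_fname), so the capsule that mkeficapsule writes is a file the entry reads back; say whether the .p7 is written next to that file and under which name, so that a test or an external tool knows where to look. This docstring repeats the text in the other changed file, so any rewording has to be made in both places.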
@@ -101,6 +105,7 @@ class Entry_efi_capsule(Entry_section):
self.private_key = ''
self.public_key_cert = ''
self.auth = 0
self.dump_signature = False
def ReadNode(self):
super().ReadNode()
@@ -111,6 +116,7 @@ class Entry_efi_capsule(Entry_section):
self.hardware_instance = fdt_util.GetInt(self._node, 'hardware-instance')
self.monotonic_count = fdt_util.GetInt(self._node, 'monotonic-count')
self.oem_flags = fdt_util.GetInt(self._node, 'oem-flags')
self.dump_signature = fdt_util.GetBool(self._node, 'dump-signature')
self.private_key = fdt_util.GetString(self._node, 'private-key')
self.public_key_cert = fdt_util.GetString(self._node, 'public-key-cert')
@@ -150,7 +156,8 @@ class Entry_efi_capsule(Entry_section):
public_key_cert,
self.monotonic_count,
self.fw_version,
self.oem_flags)
self.oem_flags,
self.dump_signature)
if ret is not None:
return tools.read_file(capsule_fname)
else:
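Review bot: self.dump_signature is appended as one more positional argument after self.oem_flags, at the end of an already long positional list where a boolean is easy to misplace; passing it by keyword would make the call self-describing. The commit also changes only 2 files, the documentation and this entry class, so nothing here tests the new property even though the commit message names testing as its purpose; a test that sets dump-signature and checks that the .p7 file appears would close that gap.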