[PATCH v3 0/4] fit: allow signing with an OpenSSL engine

Tom Rini trini at konsulko.com
Sun Dec 7 15:04:28 CET 2025


On Fri, 21 Nov 2025 18:14:56 +0100, Quentin Schulz wrote:

> I have a couple of products whose U-Boot FIT is signed via a proprietary
> OpenSSL engine which only expects the name of a "slot" to select the key
> to sign data with.
> 
> Currently mkimage fit support expects either a key-dir (-k) or a
> key-file (-G) as a toggle for signing, however this doesn't apply to our
> use case because we use an OpenSSL engine (so no key-file to provide)
> which doesn't mimic a directory layout like key-dir implies. Moreover,
> binman really expects private keys (.key extension) to be available in
> this key-dir directory, which we of course cannot provide.
> 
> [...]

Applied to u-boot/next, thanks!

[1/4] fit: support signing with only an engine_id
      commit: 5207e1ff20ff26e0f3969b13701bb38610183c6a
[2/4] tools: binman: mkimage: add support for passing the engine
      commit: 9f9de386c1e54e6b009e5510ff335ab339a89a62
[3/4] tools: binman: fit: add support for OpenSSL engines
      commit: fc75d216f0162d4a85b60fefa9938b8690480e27
[4/4] tools: binman: fit: add tests for signing with an OpenSSL engine
      commit: 564c6682fa9689e408e6b795cc8c8c40e5e60e81
-- 
Tom



