[PATCH 1/3] fit: support signing with only an engine_id

Sun Nov 2 20:53:53 CET 2025

Hi Quentin,

On Fri, 31 Oct 2025 at 16:23, Quentin Schulz <foss+uboot at 0leil.net> wrote:
>
> From: Quentin Schulz <quentin.schulz at cherry.de>
>
> Currently, when one wants to use an OpenSSL engine to sign a FIT image,
> one needs to pass a keydir (via -k) to mkimage which will then be
> prepended to the value of the key-name-hint before being passed as
> key_id argument to the OpenSSL Engine API, or pass a keyfile (via -G) to
> mkimage.
>
> My OpenSSL engine only has "slots" which are not mapped like
> directories, so using keydir is not proper, though I could simply have
> -k '' I guess but this won't work currently with binman anyway.
>
> Additionally, passing a keyfile when using an engine doesn't make sense
> as the key is stored in the engine.
>
> Let simply allow FIT images be signed if both keydir and keyfile are
> missing but an engine is to be used.
>
> The keyname member is already filled by looking at key-name-hint
> property in the FIT and passed verbatim to the engine, which is exactly
> what is needed here.
>
> Signed-off-by: Quentin Schulz <quentin.schulz at cherry.de>
> ---
>  tools/fit_image.c  | 3 ++-
>  tools/image-host.c | 4 ++--
>  2 files changed, 4 insertions(+), 3 deletions(-)
>

Reviewed-by: Simon Glass <sjg at chromium.org>

but it might be worth creating a static inline function in the header file
for the condition, since it is pretty long now.

> diff --git a/tools/fit_image.c b/tools/fit_image.c
> index 0306333141e..694bb927c7d 100644
> --- a/tools/fit_image.c
> +++ b/tools/fit_image.c
> @@ -26,7 +26,8 @@ static struct legacy_img_hdr header;
>
>  static int fit_estimate_hash_sig_size(struct image_tool_params *params,
const char *fname)
>  {
> -       bool signing = IMAGE_ENABLE_SIGN && (params->keydir ||
params->keyfile);
> +       bool signing = IMAGE_ENABLE_SIGN &&
> +               (params->keydir || params->keyfile || params->engine_id);
>         struct stat sbuf;
>         void *fdt;
>         int fd;
> diff --git a/tools/image-host.c b/tools/image-host.c
> index 21dd7f2d922..54df86316ae 100644
> --- a/tools/image-host.c
> +++ b/tools/image-host.c
> @@ -696,7 +696,7 @@ int fit_image_add_verification_data(const char
*keydir, const char *keyfile,
>                              strlen(FIT_HASH_NODENAME))) {
>                         ret = fit_image_process_hash(fit, image_name,
noffset,
>                                                 data, size);
> -               } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile) &&
> +               } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile ||
engine_id) &&
>                            !strncmp(node_name, FIT_SIG_NODENAME,
>                                 strlen(FIT_SIG_NODENAME))) {
>                         ret = fit_image_process_sig(keydir, keyfile,
keydest,
> @@ -1366,7 +1366,7 @@ int fit_add_verification_data(const char *keydir,
const char *keyfile,
>         }
>
>         /* If there are no keys, we can't sign configurations */
> -       if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile))
> +       if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile || engine_id))
>                 return 0;
>
>         /* Find configurations parent node offset */
>
> --
> 2.51.0
>

Regards,
Simon