[PATCH 3/3] tools: binman: fit: add support for OpenSSL engines
Simon Glass
sjg at chromium.org
Sun Nov 2 20:53:59 CET 2025
Hi Quentin,
On Fri, 31 Oct 2025 at 16:23, Quentin Schulz <foss+uboot at 0leil.net> wrote:
>
> From: Quentin Schulz <quentin.schulz at cherry.de>
>
> This adds support for using an OpenSSL engine for signing a FIT image.
> To use it, one should set the fit,sign-engine property at the FIT node
> level with the engine to use. This will in turn call mkimage with the -N
> option.
>
> The key-name-hint property in the signature node will be used verbatim
> as key_id in OpenSSL engine API.
>
> We could somehow still decide to pass some keys_dir to mkimage when
> signing with an engine is enabled (mkimage does support that!),
> unfortunately binman resolves key paths absolutely. I don't believe an
> OpenSSL engine will happen to have the exact same key_id than the path
> to the encryption key, so fit,encrypt and fit,sign-engine cannot
> cohabit.
>
> The public key (with .crt extension) is still required if it needs to be
> embedded in the SPL DTB for example.
>
> Signed-off-by: Quentin Schulz <quentin.schulz at cherry.de>
> ---
> tools/binman/entries.rst | 22 +++++++++++++++++++---
> tools/binman/etype/fit.py | 41 +++++++++++++++++++++++++++++++++++++----
> 2 files changed, 56 insertions(+), 7 deletions(-)
>
This will need a test.
> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> index 8922d6cd070..7b162a3edb8 100644
> --- a/tools/binman/entries.rst
> +++ b/tools/binman/entries.rst
> @@ -885,9 +885,10 @@ The top-level 'fit' node supports the following
special properties:
>
> fit,sign
> Enable signing FIT images via mkimage as described in
> - verified-boot.rst. If the property is found, the private keys
path
> - is detected among binman include directories and passed to
mkimage
> - via -k flag. All the keys required for signing FIT must be
> + verified-boot.rst.
> + If the property is found and fit,sign-engine is not set, the
private
> + keys path is detected among binman include directories and
passed to
> + mkimage via -k flag. All the keys required for signing FIT must
be
> available at time of signing and must be located in single
include
> directory.
>
> @@ -898,6 +899,21 @@ The top-level 'fit' node supports the following
special properties:
> required for encrypting the FIT must be available at the time of
> encrypting and must be located in a single include directory.
>
> + Incompatible with fit,sign-engine.
> +
> + fit,sign-engine
> + Indicates the OpenSSL engine to use for signing the FIT image.
This
> + is passed to mkimage via the `-N` flag. Example::
> +
> + fit,sign-engine = "my-engine";
> +
> + No `-k` argument will be passed to mkimage. The key_id passed to
the
> + OpenSSL engine API is the verbatim value of the key-name-hint
property.
> +
> + Depends on fit,sign.
> +
> + Incompatible with fit,encrypt.
> +
> Substitutions
> ~~~~~~~~~~~~~
>
> diff --git a/tools/binman/etype/fit.py b/tools/binman/etype/fit.py
> index db40479d30e..df4cc9b749c 100644
> --- a/tools/binman/etype/fit.py
> +++ b/tools/binman/etype/fit.py
> @@ -104,9 +104,10 @@ class Entry_fit(Entry_section):
>
> fit,sign
> Enable signing FIT images via mkimage as described in
> - verified-boot.rst. If the property is found, the private
keys path
> - is detected among binman include directories and passed to
mkimage
> - via -k flag. All the keys required for signing FIT must be
> + verified-boot.rst.
> + If the property is found and fit,sign-engine is not set, the
private
> + keys path is detected among binman include directories and
passed to
> + mkimage via -k flag. All the keys required for signing FIT
must be
> available at time of signing and must be located in single
include
> directory.
>
> @@ -117,6 +118,21 @@ class Entry_fit(Entry_section):
> required for encrypting the FIT must be available at the
time of
> encrypting and must be located in a single include directory.
>
> + Incompatible with fit,sign-engine.
> +
> + fit,sign-engine
> + Indicates the OpenSSL engine to use for signing the FIT
image. This
> + is passed to mkimage via the `-N` flag. Example::
> +
> + fit,sign-engine = "my-engine";
> +
> + No `-k` argument will be passed to mkimage. The key_id
passed to the
> + OpenSSL engine API is the verbatim value of the
key-name-hint property.
> +
> + Depends on fit,sign.
> +
> + Incompatible with fit,encrypt.
> +
> Substitutions
> ~~~~~~~~~~~~~
>
> @@ -620,7 +636,24 @@ class Entry_fit(Entry_section):
> args.update({'align': fdt_util.fdt32_to_cpu(align.value)})
> if (self._fit_props.get('fit,sign') is not None or
> self._fit_props.get('fit,encrypt') is not None):
> - args.update({'keys_dir': self._get_keys_dir(data)})
> + engine = None
> + if self._fit_props.get('fit,sign') is not None:
> + engine_prop = self._fit_props.get('fit,sign-engine')
> + if engine_prop is not None:
> + engine = engine_prop.value
> + args.update({'engine': engine})
> + # Don't pass a key-dir to mkimage in case an engine is used
to sign
> + # as we don't need a private key on storage anyway.
> + # Additionally, binman pass an absolute path as keys_dir
which is
> + # highly unlikely to actually make sense for engines.
> + # Because of that limitation, we currently cannot support at
the
> + # same time fit,encrypt and fit,sign-engine.
> + # mkimage will read key-name-hint and pass it verbatim to
the engine
> + # as key_id in the OpenSSL engine API instead.
> + if engine is None:
> + args.update({'keys_dir': self._get_keys_dir(data)})
> + elif self._fit_props.get('fit,encrypt') is not None:
> + self.Raise('Cannot have both fit,encrypt and
fit,sign-engine')
Put all that in a function? Then your comment could be in the function
comment.
> if self.mkimage.run(reset_timestamp=True,
output_fname=output_fname,
> **args) is None:
> if not self.GetAllowMissing():
>
> --
> 2.51.0
>
Regards,
Simon
More information about the U-Boot
mailing list