[PATCH 3/3] tools: binman: fit: add support for OpenSSL engines
Quentin Schulz
quentin.schulz at cherry.de
Mon Nov 3 17:47:50 CET 2025
Hi Peter,
On 11/3/25 5:21 PM, Peter Robinson wrote:
> Hey Quentin,
>
>> This adds support for using an OpenSSL engine for signing a FIT image.
>> To use it, one should set the fit,sign-engine property at the FIT node
>> level with the engine to use. This will in turn call mkimage with the -N
>> option.
>
> Just to be aware this should likely be an OpenSSL provider, engines in
> OpenSSL are deprecated and due to be removed in 4.0. A lot of distros
> are already dropping support for engines. There's a patch [1] adding
> support for Providers to U-Boot, I suspect we shouldn't be
> adding more deps on the Engine support. OpenSSL 4 is due in March.
>
There is no plan (yet?) to migrate my employer's engine to a provider, so
I have no interest in doing that.

Additionally, Tom said[1] that LibreSSL isn't going the OpenSSL route so
engines probably are here to stay?

Also, OpenSSL 3.5 (LTS) is supported until mid-2030.

Cheers,
Quentin
[1] https://lore.kernel.org/u-boot/20251031-binman-engine-v1-0-c13c1b5dac43@cherry.de/T/#m8002ea155864cf8d1ab2b8bb16b997089f4fac0e