[PATCH 0/3] fit: allow signing with only an engine_id
Wolfgang Wallner
wolfgang.wallner at br-automation.com
Tue Nov 11 11:10:31 CET 2025
Hi Quentin,
> This series allows to sign a FIT image with mkimage (and binman) with
> only an OpenSSL engine and no key-dir. mkimage will read the
> key-name-hint property and pass that verbatim to the OpenSSL engine API
> via the key_id argument.
Thanks for implementing this!
I was already looking for a way to implement this myself when I saw your
implementation on the mailing list.
I have tested your patch series in our environment with our PKI provider.
Our PKI provider supports the OpenSSL engine API with a PKCS#11 library.
Signing and verification with your patch series works fine in our use case.
I only stumbled over a small issue, but that has nothing to with your patch
series:
Initially I used the same key-name-hint in the FIT description for
U-Boot proper (which is then used by mkimage for signing) and in the
description for U-Boot SPL (within an u-boot-spl-pubkey-dtb entry).
In my case key-name-hint contains a colon and several equation signs, it looks
something like this:
key-name-hint = "pkcs11:model=xxx;manufacturer=xxx;serial=1234;token=xxx;id=xxx;object=xxx";
But when I do this, I cannot decompile the final SPL devicetree any more.
Decompiling with dtc gives me a "Bad character '=' in node name" error then.
As a workaround, I use a different key-name-hint in the SPL description now.
But as mentioned above, this is just something I found while testing your
patches, nothing caused by them.
This series is useful for us, and I'm happy to assist with further testing and
review. I'm not sure if I can help with creating tests, but I will have a look
at the things Simon listed.
Kind regards,
Wolfgang
More information about the U-Boot
mailing list