[PATCH 1/3] fit: support signing with only an engine_id
Wolfgang Wallner
wolfgang.wallner at br-automation.com
Tue Nov 11 11:10:45 CET 2025
Hi Quentin,
From: Quentin Schulz <quentin.schulz at cherry.de>
> Currently, when one wants to use an OpenSSL engine to sign a FIT image,
> one needs to pass a keydir (via -k) to mkimage which will then be
> prepended to the value of the key-name-hint before being passed as
> key_id argument to the OpenSSL Engine API, or pass a keyfile (via -G) to
> mkimage.
>
> My OpenSSL engine only has "slots" which are not mapped like
> directories, so using keydir is not proper, though I could simply have
> -k '' I guess but this won't work currently with binman anyway.
>
> Additionally, passing a keyfile when using an engine doesn't make sense
> as the key is stored in the engine.
>
> Let's simply allow FIT images to be signed if both keydir and keyfile are
> missing but an engine is to be used.
>
> The keyname member is already filled by looking at key-name-hint
> property in the FIT and passed verbatim to the engine, which is exactly
> what is needed here.
>
> Signed-off-by: Quentin Schulz <quentin.schulz at cherry.de>
> ---
> tools/fit_image.c | 3 ++-
> tools/image-host.c | 4 ++--
> 2 files changed, 4 insertions(+), 3 deletions(-)
Reviewed-by: Wolfgang Wallner <wolfgang.wallner at br-automation.com>
Regards, Wolfgang