[PATCH 3/3] tools: binman: fit: add support for OpenSSL engines
Wolfgang Wallner
wolfgang.wallner at br-automation.com
Tue Nov 11 11:12:01 CET 2025
Hi Quentin,
From: Quentin Schulz <quentin.schulz at cherry.de>
> This adds support for using an OpenSSL engine for signing a FIT image.
> To use it, one should set the fit,sign-engine property at the FIT node
> level with the engine to use. This will in turn call mkimage with the -N
> option.
>
> The key-name-hint property in the signature node will be used verbatim
> as key_id in OpenSSL engine API.
>
> We could somehow still decide to pass some keys_dir to mkimage when
> signing with an engine is enabled (mkimage does support that!),
> unfortunately binman resolves key paths absolutely. I don't believe an
> OpenSSL engine will happen to have the exact same key_id than the path
> to the encryption key, so fit,encrypt and fit,sign-engine cannot
> cohabit.
>
> The public key (with .crt extension) is still required if it needs to be
> embedded in the SPL DTB for example.
>
> Signed-off-by: Quentin Schulz <quentin.schulz at cherry.de>
> ---
> tools/binman/entries.rst | 22 +++++++++++++++++++---
> tools/binman/etype/fit.py | 41 +++++++++++++++++++++++++++++++++++++----
> 2 files changed, 56 insertions(+), 7 deletions(-)
Reviewed-by: Wolfgang Wallner <wolfgang.wallner at br-automation.com>
Tested-by: Wolfgang Wallner <wolfgang.wallner at br-automation.com>
Test case: Signed FIT image with U-Boot Proper booted from SPL
> sha256,rsa2048, OpenSSL with a PKCS11 library using the engine API
> fit,sign-engine = "pkcs11";
> key-name-hint = "pkcs11:<pkcs11-id>";
Regards, Wolfgang
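The setup described in the commit message and in the test case above, assembled as an added example that is not part of this patch or of the mail thread: a binman FIT node with fit,sign-engine set and a configuration signature node whose key-name-hint is passed verbatim to the engine as key_id. The surrounding FIT layout (image names, load address, fit,fdt-list, the sign-images list) is assumed for illustration; only fit,sign-engine, the "pkcs11" engine name and the key-name-hint form come from the patch and the test report.

```dts
binman {
	fit {
		description = "Signed U-Boot Proper (engine-backed key)";
		fit,fdt-list = "of-list";
		/* From this patch: binman hands this value to mkimage as -N */
		fit,sign-engine = "pkcs11";
		/* fit,encrypt is intentionally absent: the commit message states
		 * it cannot be combined with fit,sign-engine. */

		images {
			u-boot {
				description = "U-Boot Proper";
				type = "firmware";
				arch = "arm64";
				os = "u-boot";
				compression = "none";
				load = <0x00200000>;   /* assumed */
				entry = <0x00200000>;  /* assumed */
				u-boot-nodtb {
				};
				hash-1 {
					algo = "sha256";
				};
			};
			@fdt-SEQ {
				description = "NAME";
				type = "flat_dt";
				compression = "none";
				hash-1 {
					algo = "sha256";
				};
			};
		};

		configurations {
			default = "@config-DEFAULT-SEQ";
			@config-SEQ {
				description = "conf-NAME.dtb";
				firmware = "u-boot";
				fdt = "fdt-SEQ";
				signature {
					algo = "sha256,rsa2048";
					/* Used verbatim as the OpenSSL engine key_id;
					 * <pkcs11-id> is a placeholder for the real PKCS#11 id */
					key-name-hint = "pkcs11:<pkcs11-id>";
					sign-images = "firmware", "fdt";
				};
			};
		};
	};
};
```

The matching public key (.crt) still has to be available to binman when it is to be embedded in the SPL DTB, as the commit message notes; the engine only replaces the private-key file at signing time.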