[PATCH 3/3] tools: binman: fit: add support for OpenSSL engines

Peter Robinson pbrobinson at gmail.com
Mon Nov 17 16:18:08 CET 2025


On Tue, 11 Nov 2025 at 10:14, Wolfgang Wallner
<wolfgang.wallner at br-automation.com> wrote:
>
> Hi Peter,
>
> > > This adds support for using an OpenSSL engine for signing a FIT image.
> > > To use it, one should set the fit,sign-engine property at the FIT node
> > > level with the engine to use. This will in turn call mkimage with the -N
> > > option.
> >
> > Just to be aware this should likely be an OpenSSL provider, engines in
> > OpenSSL are deprecated and due to be removed in 4.0. A lot of distros
> > are already dropping support for engines. There's a patch [1] adding
> > support for Providers to U-Boot, I suspect we shouldn't be
> > adding more deps on the Engine support. OpenSSL 4 is due in March.
>
> I'm aware that the engine API is deprecated in OpenSSL, and that the provider
> API is the way to go forward.
>
> But the PKI provider of my employer currently only provides a PKCS#11 library
> with an engine API, and I'm not aware of any plans yet if/when they will
> be supporting the provider API.
>
> So for the transition period it would be nice to keep the engine API around as
> such use cases still depend on it.

My comment wasn't so much about removing engine support but rather
having parity with the newer version so that when users upgrade they
don't end up being stuck with broken functionality.

