[PATCH 3/3] tools: binman: fit: add support for OpenSSL engines

Tom Rini trini at konsulko.com
Mon Nov 17 16:38:34 CET 2025


On Mon, Nov 17, 2025 at 03:18:08PM +0000, Peter Robinson wrote:
> On Tue, 11 Nov 2025 at 10:14, Wolfgang Wallner
> <wolfgang.wallner at br-automation.com> wrote:
> >
> > Hi Peter,
> >
> > > > This adds support for using an OpenSSL engine for signing a FIT image.
> > > > To use it, one should set the fit,sign-engine property at the FIT node
> > > > level with the engine to use. This will in turn call mkimage with the -N
> > > > option.
> > >
> > > Just to be aware, this should likely be an OpenSSL provider; engines in
> > > OpenSSL are deprecated and due to be removed in 4.0. A lot of distros
> > > are already dropping support for engines. There's a patch [1] adding
> > > Providers support to U-Boot, I suspect we shouldn't be
> > > adding more deps on the Engine support. OpenSSL 4 is due in March.
> >
> > I'm aware that the engine API is deprecated in OpenSSL, and that the provider
> > API is the way to go forward.
> >
> > But the PKI provider of my employer currently only provides a PKCS#11 library
> > with an engine API, and I'm not aware of any plans yet if/when they will
> > be supporting the provider API.
> >
> > So for the transition period it would be nice to keep the engine API around as
> > such use cases still depend on it.
> 
> My comment wasn't so much about removing engine support but rather
> having parity with the newer version so that when users upgrade they
> don't end up being stuck with broken functionality.

Yes and I think an unfortunate part of the problem here is that it seems
like the hardware signing vendors haven't committed to a strategy yet as
it's multiple reports of "my vendor has no plans yet". So we'll need to
have plans to support both for some time is all.

-- 
Tom