[PATCH 3/3] tools: binman: fit: add support for OpenSSL engines

Quentin Schulz quentin.schulz at cherry.de
Mon Nov 17 17:09:21 CET 2025


Hi Tom, Peter, Wolfgang,

On 11/17/25 4:38 PM, Tom Rini wrote:
> On Mon, Nov 17, 2025 at 03:18:08PM +0000, Peter Robinson wrote:
>> On Tue, 11 Nov 2025 at 10:14, Wolfgang Wallner
>> <wolfgang.wallner at br-automation.com> wrote:
>>>
>>> Hi Peter,
>>>
>>>>> This adds support for using an OpenSSL engine for signing a FIT image.
>>>>> To use it, one should set the fit,sign-engine property at the FIT node
>>>>> level with the engine to use. This will in turn call mkimage with the -N
>>>>> option.
>>>>
>>>> Just to be aware this should likely be an OpenSSL provider, engines in
>>>> OpenSSL are deprecated and due to be removed in 4.0. A lot of distros
>>>> are already dropping support for engines. There's a patch [1] adding
>>>> support for Providers to U-Boot, I suspect we shouldn't be
>>>> adding more deps on the Engine support. OpenSSL 4 is due in March.
>>>
>>> I'm aware that the engine API is deprecated in OpenSSL, and that the provider
>>> API is the way to go forward.
>>>
>>> But the PKI provider of my employer currently only provides a PKCS#11 library
>>> with an engine API, and I'm not aware of any plans yet if/when they will
>>> be supporting the provider API.
>>>
>>> So for the transition period it would be nice to keep the engine API around as
>>> such use cases still depend on it.
>>
>> my comment wasn't so much about removing engine support but rather
>> having parity with the newer version so that when users upgrade they
>> don't end up being stuck with broken functionality.
> 
> Yes and I think an unfortunate part of the problem here is that it seems
> like the hardware signing vendors haven't committed to a strategy yet as
> it's multiple reports of "my vendor has no plans yet". So we'll need to
> have plans to support both for some time is all.
> 

And considering the 3.5 release that still supports engines is LTS until
2030, there's sadly still time before the end of the world for those
vendors :)

I also checked LibreSSL and they got rid of engines and do not support
providers as far as I could tell (which is extrapolated from a grep
through the code base). I do not know the reason. The API still exists
but does nothing (or errors out). cf.
https://github.com/libressl/portable/blob/000396d2014eb8e961b674000365f0d4e1385022/ChangeLog#L527-L529

Newer OpenSSL (>=3.0.0 as far as I could tell) allows using engines via
the provider API (at least through the CLI) by prefixing the engine with
org.openssl.engine: when passed as "provider" to OpenSSL.

Ideally, what I'm trying to add could be reused verbatim with providers 
as well. But I'll need help here because I don't have any actual 
provider I could test my code against (except softhsm2 for pkcs11 I 
guess, which provides both provider and engines), as opposed to engines 
which we use in prod.

I've managed to develop what I believe to be a simple RSA engine to test 
FIT signing with it, as well as PKCS11 with SoftHSMv2. I have no 
security or crypto background so I have no idea if what I'm doing is 
proper or not except that it signs properly. I'm finalizing the patches 
for the v2 and will Cc the person who posted patches for supporting 
OpenSSL providers.

Cheers,
Quentin

