[PATCH v2 3/4] tools: binman: fit: add support for OpenSSL engines

Quentin Schulz quentin.schulz at cherry.de
Wed Nov 19 13:50:41 CET 2025


Hi Wolfgang,

On 11/19/25 1:19 PM, Wolfgang Wallner wrote:
> Hi Quentin,
> 
>> From: Quentin Schulz <quentin.schulz at cherry.de>
>>
>> This adds support for using an OpenSSL engine for signing a FIT image.
>> To use it, one should set the fit,engine property at the FIT node level
>> with the engine to use. This will in turn call mkimage with the -N
>> option.
>>
>> The -k argument to mkimage can be specified via fit,engine-keydir. This
>> is especially useful for pkcs11 engine to specify slots, token label,
>> etc...
> 
> Thanks a lot, v2 of the patch series is really an improvement for the
> PKCS#11 use case. I was not aware that there was already code that
> could automatically prefix 'pkcs11:object=' to the key-name-hint.
> (Yes, I know, it is part of the existing documentation, and I have read
> that, but that just shows how much I miss even when reading the docs ...)
> 
>> The -k argument to mkimage can be specified by setting fit,engine-keydir
>> property, if missing no -k argument will be passed
> 
> Small nitpick: the above two paragraphs seem repetitive, how about the following?
> 
> The -k argument to mkimage can be specified via fit,engine-keydir. If
> fit,engine-keydir is not specified, no -k argument will be passed to mkimage.
> The attribute fit,engine-keydir is especially useful for a pkcs11 engine to
> specify slots, token label, etc...
> 

I think I simply forgot to remove one sentence when rewording the commit 
log when I added support for PKCS#11 :)

[...]

> 
> This description is quite convoluted. I would propose to describe it as a list,

I'm very good at writing convoluted paragraphs, so thanks for suggesting 
something more readable :)

> something like the following:
> 
> When `fit,engine` is set to `pkcs11`, the following cases are distinguished
> regarding the value of `fit,engine-keydir`:
> 
>   - If `fit,engine-keydir` is not present, value of `key-name-hint` is prefixed
>     with `pkcs11:object=`, and then passed as-is to the OpenSSL engine API.
>     
>     PKCS#11 id: `pkcs11:object=<key-name-hint>`

I have no experience with PKCS#11, but shouldn't that rather be a 
"PKCS#11 URI" instead of "PKCS#11 id"? cf. 
https://www.rfc-editor.org/rfc/rfc7512 Especially since there is 
actually a possible id field, see 
https://www.rfc-editor.org/rfc/rfc7512#section-2.3 pk11-id.

>     
>   - If `fit,engine-keydir` is present, and its value contains either `object=` or
>     `id=`, then the value of `fit,engine-keydir` is passed as-is to the OpenSSL
>     engine API. The value of `fit,engine-keydir` has to start with `pkcs11:`.
>     
>     PKCS#11 id: `<fit,engine-keydir>`
>     
>   - If `fit,engine-keydir` is present, but its value does not contain either
>     `object=` or `id=`, then the value of `fit,engine-keydir` is concatenated
>     with `;object=` and the value of `key-name-hint`, and passed as-is to the
>     OpenSSL engine API. The value of `fit,engine-keydir` has to start with
>     `pkcs11:`.
>   
>     PKCS#11 id: `<fit,engine-keydir>; object=<key-name-hint>`
> 

*Technically*, pkcs11: prefix isn't required as it'll be automatically 
added if it's missing (and you'll be warned about it), c.f. 
https://elixir.bootlin.com/u-boot/v2025.10/source/lib/rsa/rsa-sign.c#L120

But yes, I'll do this rewording in a v3. This is not up for merging 
until 2026.01 is released as it's not a bugfix, so we've time for some 
other feedback/review before I send a v3.

[...]

> 
> Tested-by: Wolfgang Wallner <wolfgang.wallner at br-automation.com>
> 
> I did test the 3 cases listed in the description of fit,engine:
> 
> Test 1: No fit,engine-keydir:
> 
>      fit,sign;
>      fit,engine = "pkcs11";
>      key-name-hint = "<object-id-of-my-key>";
> 
> Test 2: fit,engine-keydir present, and contains the string 'object=':
> 
>      fit,sign;
>      fit,engine = "pkcs11";
>      fit,engine-keydir = "pkcs11:object=<object-id-of-my-key>";
>      key-name-hint = "MyTestKey";
> 
> Test 3: fit,engine-keydir present, but does not contain 'object=' or 'id=':
> 
>      fit,sign;
>      fit,engine = "pkcs11";
>      fit,engine-keydir = "pkcs11:serial=<serial-of-my-key>";
>      key-name-hint = "<object-id-of-my-key>";
> 
> I think the suggestions above would improve the clarity, but even if you
> choose to keep the text as is, that would be fine for me.
> Both code + documentation:
> Reviewed-by: Wolfgang Wallner <wolfgang.wallner at br-automation.com>
> 

Great, thanks!

I was wondering if you had experience with using id= in the pkcs11 URI? 
It'd be nice if I could add a test with SoftHSMv2 for that as well but I 
wasn't able to do that fiddling around.

See 0707f73a8ba2 ("lib/rsa: allow matching pkcs11 path by object id") 
for the commit that added support for it.

Cheers,
Quentin
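The three `fit,engine-keydir` cases discussed in the thread, plus the automatic `pkcs11:` prefixing Quentin points to in rsa-sign.c, modelled as an added Python example (this is not binman's or U-Boot's own code; the function names and the constructed serial/token values are assumptions):

```python
import warnings

PKCS11_PREFIX = "pkcs11:"


def pkcs11_key_uri(keydir, key_name_hint):
    """Model of the PKCS#11 URI handed to the OpenSSL engine when
    fit,engine = "pkcs11" (assumed helper, not U-Boot code).

    keydir is the value of fit,engine-keydir, or None when the property is
    absent; key_name_hint is the signature node's key-name-hint.
    """
    # Case 1: no fit,engine-keydir -> key-name-hint alone names the object.
    if keydir is None:
        return f"{PKCS11_PREFIX}object={key_name_hint}"

    # The pkcs11: scheme is prepended automatically when missing, with a
    # warning, as described for lib/rsa/rsa-sign.c in the thread.
    if not keydir.startswith(PKCS11_PREFIX):
        warnings.warn(f"prepending {PKCS11_PREFIX!r} to fit,engine-keydir {keydir!r}")
        keydir = PKCS11_PREFIX + keydir

    # Case 2: keydir already selects the object (object= or id=) -> as-is.
    if "object=" in keydir or "id=" in keydir:
        return keydir

    # Case 3: keydir only narrows the search (token, serial, ...) -> append
    # the object name taken from key-name-hint.
    return f"{keydir};object={key_name_hint}"


def mkimage_engine_args(engine, keydir):
    """Extra mkimage arguments for an engine: -N always, -k only when
    fit,engine-keydir is set (assumed helper)."""
    args = ["-N", engine]
    if keydir is not None:
        args += ["-k", keydir]
    return args


if __name__ == "__main__":
    # Constructed inputs mirroring the three tests reported in the thread.
    print(pkcs11_key_uri(None, "MyTestKey"))
    print(pkcs11_key_uri("pkcs11:object=MyTestKey", "ignored"))
    print(pkcs11_key_uri("pkcs11:serial=0123abcd", "MyTestKey"))
    print(mkimage_engine_args("pkcs11", "pkcs11:serial=0123abcd"))
```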

