[PATCH v2 4/4] tools: binman: fit: add tests for signing with an OpenSSL engine

Simon Glass sjg at chromium.org
Wed Nov 19 14:16:22 CET 2025 

On Mon, 17 Nov 2025 at 12:43, Quentin Schulz <foss+uboot at 0leil.net> wrote:
>
> From: Quentin Schulz <quentin.schulz at cherry.de>
>
> This adds a test that signs a FIT and verifies the signature with
> fit_check_sign.
>
> OpenSSL engines are typically for signing with external HW so it's not
> that straight-forward to simulate.
>
> For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA
> 4096 private key is made available. It can be selected by setting the
> OpenSSL engine argument to dummy-rsa-engine. This can only be done if
> the engine is detected by OpenSSL, which works by setting the
> OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine
> is properly implementing what is expected from an RSA engine, but it
> seems to be enough for testing.
>
> For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11
> without specific hardware. The keypairs and tokens are generated on the
> fly. The "prod" token is generated with a different PIN (1234 instead of
> 1111) than the configured value in OpenSSL to force the use of
> fit,engine-keypair.
>
> Binman will not mess with the local SoftHSMv2 setup as it will only use
> tokens from a temporary directory enforced via the temporary
> configuration file set via SOFTHSM2_CONF env variable in the tests.
>
> Once signed, it's checked with fit_check_sign with the associated
> certificate.
>
> Finally, a new softhsm2_util bintool is added so that we can initialize
> the token and import keypairs. On Debian, the package also brings
> libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It
> is not the only package required though, as it also needs p11-kit and
> libengine-pkcs11-openssl (the latter bringing the former, only the
> latter is explicitly installed), which we can detect with openssl engine
> dynamic -c pkcs11. If that fails, we manually install the aforementioned
> library packages within tests.
>
> Signed-off-by: Quentin Schulz <quentin.schulz at cherry.de>
> ---
>  tools/binman/btool/softhsm2_util.py                |  21 +++
>  tools/binman/ftest.py                              | 193 +++++++++++++++++++++
>  tools/binman/test/340_dummy-rsa4096.crt            |  31 ++++
>  tools/binman/test/340_fit_signature_engine.dts     |  99 +++++++++++
>  .../test/340_fit_signature_engine_pkcs11.dts       |  99 +++++++++++
>  .../340_fit_signature_engine_pkcs11_object.dts     | 100 +++++++++++
>  tools/binman/test/340_openssl.conf                 |  10 ++
>  tools/binman/test/340_softhsm2.conf                |  16 ++
>  tools/binman/test/Makefile                         |   6 +-
>  tools/binman/test/dummy-rsa-engine.c               | 149 ++++++++++++++++
>  10 files changed, 723 insertions(+), 1 deletion(-)

Reviewed-by: Simon Glass <sjg at chromium.org>

Looks like a solid test.

More information about the U-Boot mailing list