[PATCH v3] Add support for OpenSSL Provider API

Tom Rini trini at konsulko.com
Mon Apr 13 20:12:58 CEST 2026


On Fri, Apr 10, 2026 at 07:02:57PM -0600, Eddie Kovsky wrote:
> --->8
> > > I finally got to the bottom of this. Debian/Ubuntu ship OpenSSL backends
> > > separately. The CI environment is missing the 'pkcs11-provider'
> > > package, which is causing the binman tests to fail.
> > > 
> > >     $ apt show pkcs11-provider
> > >     Package: pkcs11-provider
> > >     Version: 1.0-3
> > >     Priority: optional
> > >     Section: libs
> > >     Maintainer: Luca Boccassi <bluca at debian.org>
> > >     Installed-Size: 410 kB
> > >     Depends: libc6 (>= 2.34), libssl3t64 (>= 3.0.7~)
> > >     Homepage: https://github.com/latchset/pkcs11-provider
> > >     Download-Size: 125 kB
> > >     APT-Manual-Installed: yes
> > >     APT-Sources: http://ftp.debian.org/debian stable/main amd64 Packages
> > >     Description: OpenSSL 3 provider for PKCS11
> > >     With this provider for OpenSSL you can use the OpenSSL library
> > >     (version 3) and command line tools with any PKCS11 implementation as
> > >     backend for the crypto operations.
> > > 
> > > With this package installed the SSL errors logged on Azure are no longer reproducible.
> > > 
> > > The results from the first pipeline expired while I was investigating
> > > this. I reran the CI job so you can see the error messages.
> > > 
> > >     https://dev.azure.com/u-boot/u-boot/_build/results?buildId=13035&view=logs&j=c59aff74-743b-5f08-f408-4a608a489153&t=f2ea3536-b291-5a39-ad92-0220c9b8101a
> > > 
> > > I have looked into the .azure-pipelines.yml file, but it's not clear to
> > > me how to configure the CI to install extra packages.
> > 
> > Ah, OK. So the package needs to be added to tools/docker/Dockerfile (and
> > doc/build/gcc.rst). For testing changes out, you can then modify
> > .azure-pipelines.yml to point at your image, rather than the default
> > image. Or hack in a "sudo apt-get update && sudo apt-get install ..." to
> > the job.
> > 
> > -- 
> > Tom
> 
> Hi Tom
> 
> Updating the dockerfile and documentation was easy enough, but I was
> still seeing the Azure pipeline fail with the same errors. It seems to
> be ignoring the updated dockerfile.
> 
> After digging through the pipeline logs I noticed that Azure is using
> the Windows Subsystem for Linux with Arch Linux to set up the test
> environment. The package name 'pkcs11-provider' is even the same on
> Arch, so I added that to .azure-pipelines.yml.
> 
>     https://archlinux.org/packages/extra/x86_64/pkcs11-provider/
> 
> And the Azure pipeline now fails because it reports the package doesn't
> exist.
> 
>     https://dev.azure.com/u-boot/u-boot/_build/results?buildId=13066&view=logs&j=8222cf02-b5ce-5040-5def-6173bf341f71&t=5f6e674b-07e4-5ce5-77ac-ecaae7331dd8
> 
> I am not an expert in these CI systems, so I'm not sure what else can be
> done to change the test environment.

So, I see two problems. One is the failure on Windows hosts. Perhaps
https://www.msys2.org/docs/package-management/ has some hints on how to
find out where it's looking for packages and if that's packaged in turn?
The other is that the binman test suites are still failing, on Linux.

-- 
Tom