[PATCH v4] Add support for OpenSSL Provider API
Mattijs Korpershoek
mkorpershoek at kernel.org
Thu Apr 30 09:54:33 CEST 2026
Hi Eddie,
Thank you for the patch.
On Wed, Apr 29, 2026 at 12:02, Eddie Kovsky <ekovsky at redhat.com> wrote:
> The Engine API has been deprecated since the release of OpenSSL 3.0. End
> users have been advised to migrate to the new Provider interface.
> Several distributions have already removed support for engines, which is
> preventing U-Boot from being compiled in those environments.
>
> Add support for the Provider API while continuing to support the existing
> Engine API on distros shipping older releases of OpenSSL.
>
> This is based on similar work contributed by Jan Stancek updating Linux
> to use the Provider interface.
>
> commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> Author: Jan Stancek <jstancek at redhat.com>
> Date: Fri Sep 20 19:52:48 2024 +0300
>
> sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
>
> The changes have been tested with the FIT signature verification vboot
> tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> Engine library installed and with the Provider API.
>
> Tested-by Enric Balletbo i Serra <eballetb at redhat.com>
> Tested-by Mark Kettenis <mark.kettenis at xs4all.nl>
> Signed-off-by: Eddie Kovsky <ekovsky at redhat.com>
Reviewed-by: Mattijs Korpershoek <mkorpershoek at kernel.org>
> ---
More information about the U-Boot
mailing list