[PATCH v3] Add support for OpenSSL Provider API

Mark Kettenis mark.kettenis at xs4all.nl
Tue Feb 24 23:23:58 CET 2026


> From: Enric Balletbo i Serra <eballetbo at kernel.org>
> Date: Tue, 24 Feb 2026 13:08:23 +0100

Hi,

> Hi all,
> 
> Thanks Eddie for the effort on doing this.
> 
> On Thu, Feb 19, 2026 at 6:28 PM Tom Rini <trini at konsulko.com> wrote:
> >
> > On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote:
> >
> > > On 01/29/26, Mattijs Korpershoek wrote:
> > > > Hi Eddie,
> > > >
> > > > Thank you for the patch.
> > > >
> > >
> > > Hi Mattijs
> > >
> > > Thanks for the review.
> > >
> > > > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky at redhat.com> wrote:
> > > >
> > > > > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > > > > users have been advised to migrate to the new Provider interface.
> > > > > Several distributions have already removed support for engines, which is
> > > > > preventing U-Boot from being compiled in those environments.
> > > > >
> > > > > Add support for the Provider API while continuing to support the existing
> > > > > Engine API on distros shipping older releases of OpenSSL.
> > > > >
> > > > > This is based on similar work contributed by Jan Stancek updating Linux
> > > > > to use the Provider interface.
> > > > >
> > > > >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > > > >     Author: Jan Stancek <jstancek at redhat.com>
> > > > >     Date:   Fri Sep 20 19:52:48 2024 +0300
> > > > >
> > > > >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> > > > >
> > > > > The changes have been tested with the FIT signature verification vboot
> > > > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > > > > Engine library installed and with the Provider API.
> > > > >
> > > > > Signed-off-by: Eddie Kovsky <ekovsky at redhat.com>
> > [snip]
> > > Sure, I can update the comment for v4.
> >
> > Since we're talking about v4, can you please make sure that for v4 it:
> > - Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as
> >   that will cover some non-Linux host builds.
> > - See if you can get access to a FreeBSD or OpenBSD host and make sure
> >   the tools build still works there too? I was hoping Mark would have
> >   commented / tested-by v3 because I do want to make sure the libressl
> >   case still builds. At worst case, I have a freebie Oracle VM that's
> >   FreeBSD based, so you can maybe spin one of those up as well?
> >

Sorry, I've been a bit busy the last weeks.  But I threw this on top
of today's master and built a few of my favourite targets.  There
seems to no regressions in the build experience.

> I wanted to provide some context on my testing efforts. I have
> successfully tested these patches on Fedora and CentOS Stream 10,
> where the engine support is already deprecated. These changes are
> quite important because we are currently carrying them as a downstream
> patch for some RPM packages.
> 
> Regarding testing on OpenBSD and FreeBSD ( it uses openssl 3.0 by
> default ), I tried, but I ran into some build issues that I couldn't
> quickly resolve due to my limited experience with those environments.
> Instead, I decided to test with an alpine+libressl container and can
> confirm that the build of the tools does not break with these patches
> applied, which should cover the libressl case you were concerned
> about.
> 
>    # make tools
>    # ldd tools/mkimage
>    /lib/ld-musl-x86_64.so.1 (0x7f12975f5000)
>    libssl.so.60 => /usr/lib/libssl.so.60 (0x7f12973a4000)
>    libcrypto.so.57 => /usr/lib/libcrypto.so.57 (0x7f129722a000)
>    libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f12975f5000)
> 
>    # strings /usr/lib/libcrypto.so.57 | grep -i "libressl"
>    LibreSSL 4.2.1
>    %s/libressl.cnf
> 
> I'm happy to provide my tested-by tag if it helps move the patch
> along. Feel free to include it in v4.
> 
> Tested-by: Enric Balletbo i Serra <eballetbo at kernel.org>
> 
> Thanks,
> 
>    Enric
> 
> > Thanks!
> >
> > --
> > Tom
> 


More information about the U-Boot mailing list