[PATCH v2] Add support for OpenSSL Provider API

Tue Jan 6 01:33:47 CET 2026

On Mon, Jan 05, 2026 at 10:36:04AM +0100, Mattijs Korpershoek wrote:
> On Mon, Dec 22, 2025 at 10:38, Eddie Kovsky <ekovsky at redhat.com> wrote:
> 
> > On 12/11/25, Mattijs Korpershoek wrote:
> >> Hi Eddie,
> >> 
> >> Thank you for working on this. It would be really nice if we could build
> >> U-Boot on more recent Linux distros without bridge packages such as
> >> openssl-devel-engine.
> >> 
> >> 
> >> I also don't linke this double negative.
> >> As you already shared, Linux solved this via:
> >> 
> >> #if OPENSSL_VERSION_MAJOR >= 3
> >> 
> >> Why can't we have something similar?
> >> See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=558bdc45dfb2669e1741384a0c80be9c82fa052c
> >> 
> >
> > Hi Mattijs
> >
> > Yes, we could also implement it this way with the extra USE_PKCS11_XXX
> > symbol. Jan's original patch I based my work on does something similar,
> > and I perhaps oversimplified it.
> 
> In my experience, when porting things from the Linux kernel into U-Boot,
> we try to keep the code as similar as possible. This helps reducing
> maintainance burden.
> 
> Sometimes, we can't do that. In that case, we should explain why.
> 
> Do we have a strong reason for *not* reusing OPENSSL_VERSION_MAJOR with
> USE_PKCS11_XXX ?
> 
> [...]
> 
> >> >> 
> >> >
> >> > It's not the prettiest code. But I'm trying to be very conservative
> >> > in making these changes so that no one's workflow is disrupted.
> >> > Developers should be able to build U-Boot with the latest OpenSSL
> >> > without impacting developers who are in environments utilizing the
> >> > Engine API. The goal here is to preserve feature parity between the two
> >> > APIs. Adding support for custom Providers is outside the scope of this
> >> > change, but could certainly be added later.
> >> 
> >> I'd be in favor to drop CONFIG_OPENSSL_NO_DEPRECATED all together and
> >> just use "#if OPENSSL_VERSION_MAJOR >= 3".
> >> 
> >> Tom, or anyone else, is there a particular` reason for gating this in a
> >> Kconfig ?
> >> 
> >> The oldest Ubuntu version that seems supported (22.04) already has
> >> OpenSSL version 3:
> >> 
> >> $ podman run -it /bin/bash ubuntu:22.04
> >> root at 6dc347676b8a:~# apt update && apt install -y openssl
> >> root at 6dc347676b8a:~# openssl version
> >> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
> >> 
> >
> > I assumed that we would want this to be an explicit config option, but
> > logically there is no reason that it has to be. I'd be happy to spin up
> > a v3 if there's agreement that the Kconfig isn't needed.
> 
> Tom, do you have an opinion on this? It seems you are listed as
> maintainer for this (THE REST).

Yes, sorry, I think part of the question here is how it plays out with
LibreSSL and other alternatives to openssl, which ends up being a Mark
question.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260105/2170d7c0/attachment-0001.sig>