[PATCH v3 2/2] binman: x509_cert: add PKCS#11/HSM signing support

Sergio Prado sergio.prado at e-labworks.com
Thu May 7 22:09:54 CEST 2026


Hi Quentin,

> > Good point. I’ll scope this more precisely to X.509 usage. Would
> > BINMAN_X509_PKCS11_URI be appropriate, or do you have a preferred naming
> > convention here?
> >
>
> Is this really PKCS11-specific? Is there no other way to get an x509
> than by PKCS11 or plaintext file? Trying to think about potentially
> having other providers needing something similar and then setting
> BINMAN_X509_PKCS11_URI for that would be confusing.

Hmmm, good point. What if we rename the variable to BINMAN_X509_KEY_URI and
the entry argument to key-uri?

> >  From my testing with SoftHSM2:
> >
> > - Provider-based flow: configuring openssl.cnf is sufficient. OpenSSL
> > dispatches "pkcs11:" URIs via the STORE API without additional CLI
> > arguments.
> > - Engine-based flow: configuring the engine in openssl.cnf alone is not
> > sufficient; "-engine pkcs11 -keyform engine" must still be passed
> > explicitly.
> >
>
> Being curious now, I'm wondering if setting the -key to
> org.openssl.engine:pkcs11:<key> would be enough on OpenSSL 3.x? C.f.
> https://docs.openssl.org/3.0/man1/openssl/#engine-options

Good catch! It does work.

$ OPENSSL_CONF=test_engine.cnf openssl req -new -x509 -key \
   "org.openssl.engine:pkcs11:${PKCS11_URI}" -nodes -outform DER \
   -out cert_engine_unified.der -subj "/CN=test-unified-engine" \
   -sha512 && echo "exit: $?"
exit: 0

With this, the implementation transparently supports both flows on OpenSSL
3.x - the user picks the URI form to match their setup. I'll document both
URI forms in the binman documentation.

> I'm tempted to say "another person's problem". I was already not happy
> to contribute support for OpenSSL engines in FIT signing because it's
> been deprecated for years at that point but I needed it (could have kept
> it downstream though). We just need to make sure it's not impossible to
> support if someone really wants it (and it needs to work with OpenSSL
> 1.x I believe, even though it's official EoL you can still buy
> commercial support for it).

Understood.

Regards,

Sergio Prado
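The key-source handling the thread converges on (a key-uri entry argument with a BINMAN_X509_KEY_URI fallback, the provider-style "pkcs11:" and engine-style "org.openssl.engine:pkcs11:" URI forms passed straight to -key on OpenSSL 3.x, and the explicit "-engine pkcs11 -keyform engine" flow kept reachable for OpenSSL 1.x), written out as an added Python example. This is not binman's code or the patch under review; the key-uri entry argument, the function names and the legacy_engine flag are assumptions made for the example.

```python
"""Resolve an X.509 signing key source and build the matching openssl argv.

Added example, not binman's code. Assumed: a binman-style entry argument
"key-uri", an environment fallback BINMAN_X509_KEY_URI, and the three key
forms discussed in the thread (plaintext key file, "pkcs11:" provider URI,
"org.openssl.engine:<engine>:<key>" engine URI).
"""
import os
from dataclasses import dataclass

ENV_VAR = "BINMAN_X509_KEY_URI"          # fallback when the entry has no key-uri
ENGINE_PREFIX = "org.openssl.engine:"    # OpenSSL 3.x engine dispatch prefix


@dataclass(frozen=True)
class KeySource:
    kind: str    # "file", "provider-uri" or "engine-uri"
    value: str   # the path or URI exactly as given


def resolve_key_source(entry_args, environ=None):
    """Pick the key source: entry arg first, then the environment variable."""
    environ = os.environ if environ is None else environ
    value = entry_args.get("key-uri") or environ.get(ENV_VAR)
    if not value:
        raise ValueError(f"no key-uri entry arg and {ENV_VAR} is unset")
    if value.startswith(ENGINE_PREFIX):
        return KeySource("engine-uri", value)
    if value.startswith("pkcs11:"):
        return KeySource("provider-uri", value)
    # Anything else is treated as a plaintext key file on disk.
    return KeySource("file", value)


def split_engine_uri(value):
    """'org.openssl.engine:pkcs11:pkcs11:token=t;object=k' -> ('pkcs11', 'pkcs11:token=t;object=k')."""
    rest = value[len(ENGINE_PREFIX):]
    engine, sep, key_id = rest.partition(":")
    if not sep or not engine or not key_id:
        raise ValueError(f"malformed engine URI: {value}")
    return engine, key_id


def openssl_req_args(source, subj, out_path, legacy_engine=False):
    """Build argv for 'openssl req -new -x509' for the given key source.

    On OpenSSL 3.x both URI forms go straight to -key: "pkcs11:" is served
    by the provider through the STORE API, "org.openssl.engine:" selects
    the engine. legacy_engine=True reproduces the OpenSSL 1.x flow, which
    still needs "-engine <id> -keyform engine" spelled out explicitly.
    """
    args = ["openssl", "req", "-new", "-x509", "-nodes", "-sha512",
            "-outform", "DER", "-out", out_path, "-subj", subj]
    if source.kind == "file":
        args += ["-key", source.value]
    elif source.kind == "provider-uri":
        if legacy_engine:
            raise ValueError("a pkcs11: provider URI needs OpenSSL 3.x providers")
        args += ["-key", source.value]
    else:  # engine-uri
        if legacy_engine:
            engine, key_id = split_engine_uri(source.value)
            args += ["-engine", engine, "-keyform", "engine", "-key", key_id]
        else:
            args += ["-key", source.value]
    return args


if __name__ == "__main__":
    # Constructed sample: the URI form from the thread, with a made-up token/object.
    src = resolve_key_source({"key-uri": "org.openssl.engine:pkcs11:pkcs11:token=demo;object=signkey"})
    print(" ".join(openssl_req_args(src, "/CN=test-unified-engine", "cert.der")))
    print(" ".join(openssl_req_args(src, "/CN=test-unified-engine", "cert.der", legacy_engine=True)))
```

The entry argument wins over the environment variable so a board's binman description can pin its key source explicitly; the environment fallback exists for build systems that do not want the URI in the tree. Only the "file" kind ever reads private key material from disk, which makes it easy to flag in a build log when a plaintext key is used where an HSM was expected.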

