Hi Quentin,

On Fri, 31 Oct 2025 at 16:23, Quentin Schulz <[email protected]> wrote:
>
> From: Quentin Schulz <[email protected]>
>
> Currently, when one wants to use an OpenSSL engine to sign a FIT image,
> one needs to pass a keydir (via -k) to mkimage which will then be
> prepended to the value of the key-name-hint before being passed as
> key_id argument to the OpenSSL Engine API, or pass a keyfile (via -G) to
> mkimage.
>
> My OpenSSL engine only has "slots" which are not mapped like
> directories, so using keydir is not proper, though I could simply have
> -k '' I guess but this won't work currently with binman anyway.
>
> Additionally, passing a keyfile when using an engine doesn't make sense
> as the key is stored in the engine.
>
> Let's simply allow FIT images to be signed if both keydir and keyfile are
> missing but an engine is to be used.
>
> The keyname member is already filled by looking at key-name-hint
> property in the FIT and passed verbatim to the engine, which is exactly
> what is needed here.
>
> Signed-off-by: Quentin Schulz <[email protected]>
> ---
> tools/fit_image.c  | 3 ++-
> tools/image-host.c | 4 ++--
> 2 files changed, 4 insertions(+), 3 deletions(-)
>
Reviewed-by: Simon Glass <[email protected]> but it might be worth creating a static inline function in the header file for the condition, since it is pretty long now. > diff --git a/tools/fit_image.c b/tools/fit_image.c > index 0306333141e..694bb927c7d 100644 > --- a/tools/fit_image.c > +++ b/tools/fit_image.c > @@ -26,7 +26,8 @@ static struct legacy_img_hdr header; > > static int fit_estimate_hash_sig_size(struct image_tool_params *params, const char *fname) > { > - bool signing = IMAGE_ENABLE_SIGN && (params->keydir || params->keyfile); > + bool signing = IMAGE_ENABLE_SIGN && > + (params->keydir || params->keyfile || params->engine_id); > struct stat sbuf; > void *fdt; > int fd; > diff --git a/tools/image-host.c b/tools/image-host.c > index 21dd7f2d922..54df86316ae 100644 > --- a/tools/image-host.c > +++ b/tools/image-host.c > @@ -696,7 +696,7 @@ int fit_image_add_verification_data(const char *keydir, const char *keyfile, > strlen(FIT_HASH_NODENAME))) { > ret = fit_image_process_hash(fit, image_name, noffset, > data, size); > - } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile) && > + } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile || engine_id) && > !strncmp(node_name, FIT_SIG_NODENAME, > strlen(FIT_SIG_NODENAME))) { > ret = fit_image_process_sig(keydir, keyfile, keydest, > @@ -1366,7 +1366,7 @@ int fit_add_verification_data(const char *keydir, const char *keyfile, > } > > /* If there are no keys, we can't sign configurations */ > - if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile)) > + if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile || engine_id)) > return 0; > > /* Find configurations parent node offset */ > > -- > 2.51.0 > Regards, Simon
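Review bot: the predicate in fit_estimate_hash_sig_size() (tools/fit_image.c hunk) is the same three-way check that image-host.c gains twice in this patch, once in fit_image_add_verification_data() and once in fit_add_verification_data(), only spelled on params->keydir / params->keyfile / params->engine_id instead of bare strings; as suggested above, one static inline helper in the shared header, say image_sign_key_available(keydir, keyfile, engine_id), with fit_image.c passing the params fields, would keep the three sites from drifting apart the next time a key source is added.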
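Review bot: in the tools/image-host.c hunk at fit_image_add_verification_data(), when only engine_id is set this branch now calls fit_image_process_sig(keydir, keyfile, keydest, ...) with keydir and keyfile both NULL, a combination the signer reached from here never saw before this patch because the sig node was skipped; please confirm that the engine key-lookup code tolerates a NULL keydir (does not build a path from it) and reports a clear error when the sig node has no key-name-hint, since the commit message relies on that hint alone to identify the key in the engine.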
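Review bot: in the tools/image-host.c hunk at fit_add_verification_data(), the comment kept above the changed line, "If there are no keys, we can't sign configurations", no longer matches the condition: with an engine configured but neither keydir nor keyfile, configurations are now signed, so reword it along the lines of "If there are no keys and no engine, we can't sign configurations". The mkimage help text and documentation for the engine option should likewise say that keydir is no longer required when the key is addressed by key-name-hint alone.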
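Added illustration, not U-Boot code and not part of this thread: a small C model of the key-selection precedence the commit message describes, covering the case this patch enables (engine set, keydir and keyfile both absent) and the failure mode where a signature node carries no key-name-hint. sign_possible() mirrors the patch's predicate; resolve_key_id(), key_id_is(), the key_source enum, the keyfile-first precedence and the "keydir/name" join are hypothetical names and choices made here for the demonstration, not mkimage's actual implementation.

```c
/*
 * Added example (not U-Boot code): which key identifier a FIT signer
 * would resolve for each combination of keydir / keyfile / engine,
 * including the engine-without-keydir case the patch enables.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum key_source {
	KEY_NONE,        /* cannot sign: no key source, or no key-name-hint */
	KEY_FILE,        /* explicit keyfile (-G) used verbatim */
	KEY_DIR_NAME,    /* keydir (-k) joined with the key-name-hint */
	KEY_ENGINE_NAME, /* engine only: key-name-hint passed verbatim */
};

/* Same predicate the patch installs at its three call sites. */
bool sign_possible(const char *keydir, const char *keyfile,
		   const char *engine_id)
{
	return keydir || keyfile || engine_id;
}

/*
 * Hypothetical resolver. Precedence assumed for the demonstration:
 * keyfile wins, then keydir + hint, then (engine only) the bare hint.
 * The "/" separator is an assumption of this example, not mkimage's.
 */
enum key_source resolve_key_id(const char *keydir, const char *keyfile,
			       const char *engine_id, const char *name,
			       char *out, size_t outlen)
{
	if (!sign_possible(keydir, keyfile, engine_id))
		return KEY_NONE;

	if (keyfile) {
		snprintf(out, outlen, "%s", keyfile);
		return KEY_FILE;
	}

	/* keydir or engine: both need the key-name-hint from the sig node */
	if (!name || !*name)
		return KEY_NONE;

	if (keydir) {
		snprintf(out, outlen, "%s/%s", keydir, name);
		return KEY_DIR_NAME;
	}

	/* engine_id set, no keydir: hand the hint to the engine unchanged */
	snprintf(out, outlen, "%s", name);
	return KEY_ENGINE_NAME;
}

/* Helper for callers and tests: true if source and key id match. */
bool key_id_is(const char *keydir, const char *keyfile, const char *engine_id,
	       const char *name, enum key_source want_src, const char *want_id)
{
	char buf[256] = "";
	enum key_source src = resolve_key_id(keydir, keyfile, engine_id, name,
					     buf, sizeof(buf));

	if (src != want_src)
		return false;
	return !want_id || strcmp(buf, want_id) == 0;
}

int main(void)
{
	/* Constructed inputs; "dev" stands for a key-name-hint in the FIT. */
	const struct {
		const char *keydir, *keyfile, *engine, *name;
	} cases[] = {
		{ NULL,   NULL,     NULL,     "dev" }, /* nothing: skip */
		{ "keys", NULL,     NULL,     "dev" }, /* keys/dev */
		{ NULL,   "my.key", NULL,     "dev" }, /* my.key */
		{ NULL,   NULL,     "pkcs11", "dev" }, /* dev (new case) */
		{ NULL,   NULL,     "pkcs11", NULL  }, /* no hint: error */
	};
	char buf[256];

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		buf[0] = '\0';
		enum key_source s = resolve_key_id(cases[i].keydir,
						   cases[i].keyfile,
						   cases[i].engine,
						   cases[i].name,
						   buf, sizeof(buf));
		printf("case %zu: source=%d key_id=\"%s\"\n", i, s, buf);
	}
	return 0;
}
```

The last two constructed cases are the ones the patch changes: an engine with no keydir now yields a usable key id (the hint itself), while an engine with no key-name-hint has nothing to pass on and must be reported as an error rather than silently skipped.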

