Hey Quentin, > This adds support for using an OpenSSL engine for signing a FIT image. > To use it, one should set the fit,sign-engine property at the FIT node > level with the engine to use. This will in turn call mkimage with the -N > option.
Just to be aware this should likely be a OpenSSL provider, engines in OpenSSL are deprecated and due to be removed in 4.0. A lot of distros are already dropping support for engines. There's a patch [1] adding support for Providers support to U-Boot, I suspect we shouldn't be adding more deps on the Engine support. OpenSSL 4 is due in March. [1] https://lists.denx.de/pipermail/u-boot/2025-October/601616.html [2] https://openssl-library.org/roadmap/index.html > The key-name-hint property in the signature node will be used verbatim > as key_id in OpenSSL engine API. > > We could somehow still decide to pass some keys_dir to mkimage when > signing with an engine is enabled (mkimage does support that!), > unfortunately binman resolves key paths absolutely. I don't believe an > OpenSSL engine will happen to have the exact same key_id than the path > to the encryption key, so fit,encrypt and fit,sign-engine cannot > cohabit. > > The public key (with .crt extension) is still required if it needs to be > embedded in the SPL DTB for example. > > Signed-off-by: Quentin Schulz <[email protected]> > --- > tools/binman/entries.rst | 22 +++++++++++++++++++--- > tools/binman/etype/fit.py | 41 +++++++++++++++++++++++++++++++++++++---- > 2 files changed, 56 insertions(+), 7 deletions(-) > > diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst > index 8922d6cd070..7b162a3edb8 100644 > --- a/tools/binman/entries.rst > +++ b/tools/binman/entries.rst > @@ -885,9 +885,10 @@ The top-level 'fit' node supports the following special > properties: > > fit,sign > Enable signing FIT images via mkimage as described in > - verified-boot.rst. If the property is found, the private keys path > - is detected among binman include directories and passed to mkimage > - via -k flag. All the keys required for signing FIT must be > + verified-boot.rst. > + If the property is found and fit,sign-engine is not set, the private > + keys path is detected among binman include directories and passed to > + mkimage via -k flag. All the keys required for signing FIT must be > available at time of signing and must be located in single include > directory. > > @@ -898,6 +899,21 @@ The top-level 'fit' node supports the following special > properties: > required for encrypting the FIT must be available at the time of > encrypting and must be located in a single include directory. > > + Incompatible with fit,sign-engine. > + > + fit,sign-engine > + Indicates the OpenSSL engine to use for signing the FIT image. This > + is passed to mkimage via the `-N` flag. Example:: > + > + fit,sign-engine = "my-engine"; > + > + No `-k` argument will be passed to mkimage. The key_id passed to the > + OpenSSL engine API is the verbatim value of the key-name-hint > property. > + > + Depends on fit,sign. > + > + Incompatible with fit,encrypt. > + > Substitutions > ~~~~~~~~~~~~~ > > diff --git a/tools/binman/etype/fit.py b/tools/binman/etype/fit.py > index db40479d30e..df4cc9b749c 100644 > --- a/tools/binman/etype/fit.py > +++ b/tools/binman/etype/fit.py > @@ -104,9 +104,10 @@ class Entry_fit(Entry_section): > > fit,sign > Enable signing FIT images via mkimage as described in > - verified-boot.rst. If the property is found, the private keys > path > - is detected among binman include directories and passed to > mkimage > - via -k flag. All the keys required for signing FIT must be > + verified-boot.rst. > + If the property is found and fit,sign-engine is not set, the > private > + keys path is detected among binman include directories and > passed to > + mkimage via -k flag. All the keys required for signing FIT must > be > available at time of signing and must be located in single > include > directory. > > @@ -117,6 +118,21 @@ class Entry_fit(Entry_section): > required for encrypting the FIT must be available at the time of > encrypting and must be located in a single include directory. > > + Incompatible with fit,sign-engine. > + > + fit,sign-engine > + Indicates the OpenSSL engine to use for signing the FIT image. > This > + is passed to mkimage via the `-N` flag. Example:: > + > + fit,sign-engine = "my-engine"; > + > + No `-k` argument will be passed to mkimage. The key_id passed to > the > + OpenSSL engine API is the verbatim value of the key-name-hint > property. > + > + Depends on fit,sign. > + > + Incompatible with fit,encrypt. > + > Substitutions > ~~~~~~~~~~~~~ > > @@ -620,7 +636,24 @@ class Entry_fit(Entry_section): > args.update({'align': fdt_util.fdt32_to_cpu(align.value)}) > if (self._fit_props.get('fit,sign') is not None or > self._fit_props.get('fit,encrypt') is not None): > - args.update({'keys_dir': self._get_keys_dir(data)}) > + engine = None > + if self._fit_props.get('fit,sign') is not None: > + engine_prop = self._fit_props.get('fit,sign-engine') > + if engine_prop is not None: > + engine = engine_prop.value > + args.update({'engine': engine}) > + # Don't pass a key-dir to mkimage in case an engine is used to > sign > + # as we don't need a private key on storage anyway. > + # Additionally, binman pass an absolute path as keys_dir which is > + # highly unlikely to actually make sense for engines. > + # Because of that limitation, we currently cannot support at the > + # same time fit,encrypt and fit,sign-engine. > + # mkimage will read key-name-hint and pass it verbatim to the > engine > + # as key_id in the OpenSSL engine API instead. > + if engine is None: > + args.update({'keys_dir': self._get_keys_dir(data)}) > + elif self._fit_props.get('fit,encrypt') is not None: > + self.Raise('Cannot have both fit,encrypt and > fit,sign-engine') > if self.mkimage.run(reset_timestamp=True, output_fname=output_fname, > **args) is None: > if not self.GetAllowMissing(): > > -- > 2.51.0 >
