Hi Peter,
On 11/3/25 5:21 PM, Peter Robinson wrote:
> Hey Quentin,
>
>> This adds support for using an OpenSSL engine for signing a FIT image.
>> To use it, one should set the fit,sign-engine property at the FIT node
>> level with the engine to use. This will in turn call mkimage with the -N
>> option.
>
> Just to be aware this should likely be an OpenSSL provider, engines in
> OpenSSL are deprecated and due to be removed in 4.0. A lot of distros
> are already dropping support for engines. There's a patch [1] adding
> Providers support to U-Boot, I suspect we shouldn't be
> adding more deps on the Engine support. OpenSSL 4 is due in March.

There is no plan (yet?) to migrate my employer's engine to a provider, so
I have no interest in doing that.
Additionally, Tom said[1] that LibreSSL isn't going the OpenSSL route so
engines probably are here to stay?
Also, OpenSSL 3.5 (LTS) is supported until mid-2030.
Cheers,
Quentin
[1]
https://lore.kernel.org/u-boot/[email protected]/T/#m8002ea155864cf8d1ab2b8bb16b997089f4fac0e