On Mon, Nov 17, 2025 at 03:18:08PM +0000, Peter Robinson wrote:
> On Tue, 11 Nov 2025 at 10:14, Wolfgang Wallner
> <[email protected]> wrote:
> >
> > Hi Peter,
> >
> > > > This adds support for using an OpenSSL engine for signing a FIT image.
> > > > To use it, one should set the fit,sign-engine property at the FIT node
> > > > level with the engine to use. This will in turn call mkimage with the -N
> > > > option.
> > >
> > > Just to be aware this should likely be an OpenSSL provider, engines in
> > > OpenSSL are deprecated and due to be removed in 4.0. A lot of distros
> > > are already dropping support for engines. There's a patch [1] adding
> > > support for Providers support to U-Boot, I suspect we shouldn't be
> > > adding more deps on the Engine support. OpenSSL 4 is due in March.
> >
> > I'm aware that the engine API is deprecated in OpenSSL, and that the
> > provider API is the way to go forward.
> >
> > But the PKI provider of my employer currently only provides a PKCS#11
> > library with an engine API, and I'm not aware of any plans yet if/when
> > they will be supporting the provider API.
> >
> > So for the transition period it would be nice to keep the engine API
> > around as such use cases still depend on it.
>
> My comment wasn't so much about removing engine support but rather
> having parity with the newer version so that when users upgrade they
> don't end up being stuck with broken functionality.

Yes and I think an unfortunate part of the problem here is that it seems like the hardware signing vendors haven't committed to a strategy yet as it's multiple reports of "my vendor has no plans yet". So we'll need to have plans to support both for some time is all.

--
Tom

