Hi Tom, Peter, Wolfgang,
On 11/17/25 4:38 PM, Tom Rini wrote:
On Mon, Nov 17, 2025 at 03:18:08PM +0000, Peter Robinson wrote:
On Tue, 11 Nov 2025 at 10:14, Wolfgang Wallner
<[email protected]> wrote:
Hi Peter,
This adds support for using an OpenSSL engine for signing a FIT image.
To use it, one should set the fit,sign-engine property at the FIT node
level with the engine to use. This will in turn call mkimage with the -N
option.
Just to be aware this should likely be a OpenSSL provider, engines in
OpenSSL are deprecated and due to be removed in 4.0. A lot of distros
are already dropping support for engines. There's a patch [1] adding
support for Providers support to U-Boot, I suspect we shouldn't be
adding more deps on the Engine support. OpenSSL 4 is due in March.
I'm aware that the engine API is deprecated in OpenSSL, and that the provider
API is the way to go forward.
But the PKI provider of my employer currently only provides a PKCS#11 library
with an engine API, and I'm not aware of any plans yet if/when they will
be supporting the provider API.
So for the transition period it would be nice to keep the engine API around as
such use cases still depend on it.
my comment wasn't so much about removing engine support but rather
having parity with the newer version so that when users upgrade they
don't end up being stuck with broken functionality.
Yes and I think an unfortunate part of the problem here is that it seems
like the hardware signing vendors haven't committed to a strategy yet as
it's multiple reports of "my vendor has no plans yet". So we'll need to
have plans to support both for some time is all.
And considering 3.5 release that still supports engines is LTS until
2030, there's sadly still time before the end of the world for those
vendors :)
I also checked LibreSSL and they got rid of engines and do not support
providers as far as I could tell (which is extrapolated from a grep
through the code base). I do not know the reason. The API still exists
but does nothing (or errors out). c.f.
https://github.com/libressl/portable/blob/000396d2014eb8e961b674000365f0d4e1385022/ChangeLog#L527-L529
Newer OpenSSL (>=3.0.0 as far as I could tell) allow to use engines via
the provider API (at least through CLI) by prefixing the engine with
org.openssl.engine: when passed as "provider" to OpenSSL.
Ideally, what I'm trying to add could be reused verbatim with providers
as well. But I'll need help here because I don't have any actual
provider I could test my code against (except softhsm2 for pkcs11 I
guess, which provides both provider and engines), as opposed to engines
which we use in prod.
I've managed to develop what I believe to be a simple RSA engine to test
FIT signing with it, as well as PKCS11 with SoftHSMv2. I have no
security or crypto background so I have no idea if what I'm doing is
proper or not except that it signs properly. I'm finalizing the patches
for the v2 and will Cc the person who posted patches for supporting
OpenSSL providers.
Cheers,
Quentin
