On Mon, Dec 22, 2025 at 10:38, Eddie Kovsky <[email protected]> wrote:
> On 12/11/25, Mattijs Korpershoek wrote: >> Hi Eddie, >> >> Thank you for working on this. It would be really nice if we could build >> U-Boot on more recent Linux distros without bridge packages such as >> openssl-devel-engine. >> >> >> I also don't linke this double negative. >> As you already shared, Linux solved this via: >> >> #if OPENSSL_VERSION_MAJOR >= 3 >> >> Why can't we have something similar? >> See: >> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=558bdc45dfb2669e1741384a0c80be9c82fa052c >> > > Hi Mattijs > > Yes, we could also implement it this way with the extra USE_PKCS11_XXX > symbol. Jan's original patch I based my work on does something similar, > and I perhaps oversimplified it. In my experience, when porting things from the Linux kernel into U-Boot, we try to keep the code as similar as possible. This helps reducing maintainance burden. Sometimes, we can't do that. In that case, we should explain why. Do we have a strong reason for *not* reusing OPENSSL_VERSION_MAJOR with USE_PKCS11_XXX ? [...] >> >> >> > >> > It's not the prettiest code. But I'm trying to be very conservative >> > in making these changes so that no one's workflow is disrupted. >> > Developers should be able to build U-Boot with the latest OpenSSL >> > without impacting developers who are in environments utilizing the >> > Engine API. The goal here is to preserve feature parity between the two >> > APIs. Adding support for custom Providers is outside the scope of this >> > change, but could certainly be added later. >> >> I'd be in favor to drop CONFIG_OPENSSL_NO_DEPRECATED all together and >> just use "#if OPENSSL_VERSION_MAJOR >= 3". >> >> Tom, or anyone else, is there a particular` reason for gating this in a >> Kconfig ? >> >> The oldest Ubuntu version that seems supported (22.04) already has >> OpenSSL version 3: >> >> $ podman run -it /bin/bash ubuntu:22.04 >> root@6dc347676b8a:~# apt update && apt install -y openssl >> root@6dc347676b8a:~# openssl version >> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) >> > > I assumed that we would want this to be an explicit config option, but > logically there is no reason that it has to be. I'd be happy to spin up > a v3 if there's agreement that the Kconfig isn't needed. Tom, do you have an opinion on this? It seems you are listed as maintainer for this (THE REST). > > Eddie
