From: Quentin Schulz Date: Fri, 21 Nov 2025 17:14:57 +0000 (+0100) Subject: fit: support signing with only an engine_id X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5207e1ff20ff26e0f3969b13701bb38610183c6a;p=thirdparty%2Fu-boot.git fit: support signing with only an engine_id Currently, when one wants to use an OpenSSL engine to sign a FIT image, one needs to pass a keydir (via -k) to mkimage which will then be prepended to the value of the key-name-hint before being passed as key_id argument to the OpenSSL Engine API, or pass a keyfile (via -G) to mkimage. My OpenSSL engine only has "slots" which are not mapped like directories, so using keydir is not proper, though I could simply have -k '' I guess but this won't work currently with binman anyway. Additionally, passing a keyfile (-G) when using an engine doesn't make sense as the key is stored in the engine. Let simply allow FIT images be signed if both keydir and keyfile are missing but an engine is to be used. The keyname member is already filled by looking at key-name-hint property in the FIT and passed to the engine, which is exactly what is needed here. Reviewed-by: Wolfgang Wallner Reviewed-by: Simon Glass Signed-off-by: Quentin Schulz --- diff --git a/tools/fit_image.c b/tools/fit_image.c index 0306333141e..694bb927c7d 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -26,7 +26,8 @@ static struct legacy_img_hdr header; static int fit_estimate_hash_sig_size(struct image_tool_params *params, const char *fname) { - bool signing = IMAGE_ENABLE_SIGN && (params->keydir || params->keyfile); + bool signing = IMAGE_ENABLE_SIGN && + (params->keydir || params->keyfile || params->engine_id); struct stat sbuf; void *fdt; int fd; diff --git a/tools/image-host.c b/tools/image-host.c index 21dd7f2d922..54df86316ae 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -696,7 +696,7 @@ int fit_image_add_verification_data(const char *keydir, const char *keyfile, strlen(FIT_HASH_NODENAME))) { ret = fit_image_process_hash(fit, image_name, noffset, data, size); - } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile) && + } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile || engine_id) && !strncmp(node_name, FIT_SIG_NODENAME, strlen(FIT_SIG_NODENAME))) { ret = fit_image_process_sig(keydir, keyfile, keydest, @@ -1366,7 +1366,7 @@ int fit_add_verification_data(const char *keydir, const char *keyfile, } /* If there are no keys, we can't sign configurations */ - if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile)) + if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile || engine_id)) return 0; /* Find configurations parent node offset */