From: Tom Rini
Date: Sat, 6 Dec 2025 17:44:56 +0000 (-0600)
Subject: Merge patch series "fit: allow signing with an OpenSSL engine"
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f053fc40ae6e3c96758b4f3a7dbe702fc2bde65;p=thirdparty%2Fu-boot.git

Merge patch series "fit: allow signing with an OpenSSL engine"

Quentin Schulz says:

I have a couple of products whose U-Boot FIT is signed via a proprietary OpenSSL engine which only expects the name of a "slot" to select the key to sign data with.

Currently mkimage fit support expects either a key-dir (-k) or a key-file (-G) as a toggle for signing; however, this doesn't apply to our use case because we use an OpenSSL engine (so no key-file to provide) which doesn't mimic a directory layout like key-dir implies. Moreover, binman really expects private keys (.key extension) to be available in this key-dir directory, which we of course cannot provide.

This series allows signing a FIT image with mkimage (and binman) with an OpenSSL engine, including PKCS11 and custom engines. If a key-dir needs to be passed (which is typical for PKCS11), one can do so by using fit,engine-keydir.

Note that the public key (.crt extension) still needs to be available if one wants to embed it for signature verification (which is probably what one wants to do :) ). It is probably possible to use the engine for getting the public key instead of storing it on disk, but this needs to be added to fdt_add_pubkey and then binman, through a mechanism different from fit,engine*.

One issue though is that since binman resolves key paths absolutely and I don't believe an OpenSSL engine would happen to have the exact same key_id value as a local absolute path, fit,encrypt and fit,engine cannot cohabit. An issue for the next person who wants an OpenSSL engine AND encrypt the same FIT image, I don't.

Note that LibreSSL supports neither engines nor providers as far as I could tell (engine support has been explicitly removed).

Note that OpenSSL engines have been deprecated since 3.0 (Q3-2021); however, note that OpenSSL 3.5 still seems to support engines (git grep) and is EOL end of Q1 2030.

If anyone has an idea on how to test PKCS11 with SoftHSMv2 with id= passed in fit,engine-keydir, I'm all ears.

I'm also wondering if the explanation around fit,engine-keydir isn't too much. After all, they are passed verbatim to mkimage as -k argument and the special cases are all specific to mkimage and not binman.

Link: https://lore.kernel.org/r/20251121-binman-engine-v3-0-b80180aaa783@cherry.de
---
7f053fc40ae6e3c96758b4f3a7dbe702fc2bde65
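The cover letter above describes two behaviours worth pinning down: an engine key directory (fit,engine-keydir) is handed to mkimage's -k verbatim rather than resolved to an absolute path, and fit,engine and fit,encrypt cannot be combined. The following is an added illustrative model of that mapping, written for this page; it is not binman's or mkimage's own code. It assumes the property names from the cover letter (fit,engine, fit,engine-keydir, fit,encrypt) and uses mkimage's real -N (engine), -k (key directory) and -G (key file) options; the function and error names are this example's own.

```python
"""Illustrative model (not binman code) of turning FIT-entry signing
properties into mkimage command-line arguments."""
import os
from typing import List, Mapping, Optional


class FitSigningConfigError(ValueError):
    """Raised for property combinations the series rules out."""


def validate_fit_signing_props(props: Mapping[str, str]) -> Optional[str]:
    """Return a reason string if the properties are inconsistent, else None.

    Rules taken from the cover letter:
      * fit,engine and fit,encrypt cannot cohabit, because binman resolves
        encryption key paths absolutely while an engine key_id is opaque.
      * fit,engine-keydir only makes sense together with fit,engine
        (assumption of this model: a bare engine keydir is an error).
    """
    engine = props.get('fit,engine')
    if engine and 'fit,encrypt' in props:
        return 'fit,engine and fit,encrypt cannot be used on the same FIT'
    if props.get('fit,engine-keydir') and not engine:
        return 'fit,engine-keydir requires fit,engine'
    return None


def mkimage_sign_args(props: Mapping[str, str],
                      key_dir: Optional[str] = None,
                      key_file: Optional[str] = None) -> List[str]:
    """Build the signing-related part of an mkimage argument list.

    props    -- FIT entry properties (hypothetical dict form of the DT node)
    key_dir  -- binman's on-disk key directory, resolved to an absolute path
    key_file -- an explicit private key file, passed via -G
    """
    problem = validate_fit_signing_props(props)
    if problem:
        raise FitSigningConfigError(problem)

    args: List[str] = []
    engine = props.get('fit,engine')
    if engine:
        # Engine-backed signing: the engine name goes to -N; no .key file
        # is expected on disk, so binman's key-dir is not used here.
        args += ['-N', engine]
        engine_keydir = props.get('fit,engine-keydir')
        if engine_keydir:
            # Passed verbatim (e.g. a PKCS#11 selector); deliberately NOT
            # run through os.path.abspath, since it is not a filesystem path.
            args += ['-k', engine_keydir]
        return args

    # Plain file-based signing: binman resolves paths absolutely.
    if key_dir:
        args += ['-k', os.path.abspath(key_dir)]
    if key_file:
        args += ['-G', os.path.abspath(key_file)]
    return args


if __name__ == '__main__':
    # Constructed sample: a PKCS#11 engine with a token selector as keydir.
    sample = {'fit,engine': 'pkcs11',
              'fit,engine-keydir': 'pkcs11:token=example;object=uboot-key'}
    print(mkimage_sign_args(sample))
```

Running the block prints the engine arguments with the selector untouched; passing the same properties together with fit,encrypt raises FitSigningConfigError, which is the conflict the cover letter warns about.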