public inbox for u-boot@lists.denx.de
From: Tom Rini <trini@konsulko.com>
To: Eddie Kovsky <ekovsky@redhat.com>
Cc: Loic Poulain <loic.poulain@linaro.org>,
	Tobias Olausson <tobias@eub.se>,
	Paul HENRYS <paul.henrys_ext@softathome.com>,
	Simon Glass <sjg@chromium.org>, Jan Stancek <jstancek@redhat.com>,
	Enric Balletbo i Serra <eballetb@redhat.com>,
	u-boot@lists.denx.de
Subject: Re: [PATCH] Add support for OpenSSL Provider API
Date: Fri, 17 Oct 2025 15:57:45 -0600
Message-ID: <20251017215745.GJ6688@bill-the-cat>
In-Reply-To: <20251017171329.255689-1-ekovsky@redhat.com>

On Fri, Oct 17, 2025 at 11:13:27AM -0600, Eddie Kovsky wrote:

> The Engine API has been deprecated since the release of OpenSSL 3.0. End users
> have been advised to migrate to the new Provider interface. Several
> distributions have already removed support for engines, which is preventing
> U-Boot from being compiled in those environments.
> 
> The Kconfig option OPENSSL_NO_DEPRECATED introduces support for the Provider API
> while continuing to use the existing Engine API on distros shipping older
> releases of OpenSSL.
> 
> This is based on similar work contributed by Jan Stancek
> updating Linux to use the Provider interface.
> 
>     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
>     Author: Jan Stancek <jstancek@redhat.com>
>     Date:   Fri Sep 20 19:52:48 2024 +0300
> 
>         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> 
> The changes have been tested with the FIT signature verification vboot tests on
> Fedora 42 and Debian 13. All 30 tests pass with both the legacy Engine library
> installed and with the Provider API.
> 
> Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> ---
>  lib/aes/aes-encrypt.c |  2 +
>  lib/rsa/Kconfig       |  8 ++++
>  lib/rsa/rsa-sign.c    | 93 ++++++++++++++++++++++++++++++++++++++++++-
>  3 files changed, 101 insertions(+), 2 deletions(-)

Thanks for doing this, I'm glad to see the work, and my comments are
really style things to fix up and v2 once there's been time for real
content comments if any.

[snip]
> diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
> index 9033384e60a3..622f06f8dba0 100644
> --- a/lib/rsa/Kconfig
> +++ b/lib/rsa/Kconfig
> @@ -20,6 +20,14 @@ config SPL_RSA
>  	bool "Use RSA Library within SPL"
>  	depends on SPL
>  
> +config OPENSSL_NO_DEPRECATED
> +	bool "Build U-Boot without support for OpenSSL Engine"
> +	default n
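
Review bot: Placement of `config OPENSSL_NO_DEPRECATED` in lib/rsa/Kconfig looks too narrow, since the diffstat shows the same patch also touching lib/aes/aes-encrypt.c. If the option selects the OpenSSL API for every user of the library, it would be easier to find in a Kconfig that is not RSA-specific, and the prompt could name both sides of the choice (Provider API instead of Engine API) rather than only what is dropped.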

This is the default, you can drop this.

[snip]
> diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
> index 92b9d7876e52..9ebbcdfd52f3 100644
> --- a/lib/rsa/rsa-sign.c
> +++ b/lib/rsa/rsa-sign.c
> @@ -19,15 +19,51 @@
>  #include <openssl/err.h>
>  #include <openssl/ssl.h>
>  #include <openssl/evp.h>
> +#if (IS_ENABLED(CONFIG_OPENSSL_NO_DEPRECATED))
> +#include <err.h>
> +#include <openssl/provider.h>
> +#include <openssl/store.h>
> +#else
>  #include <openssl/engine.h>
> +#endif // CONFIG_OPENSSL_NO_DEPRECATED
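
Review bot: The `#include <err.h>` added in the provider branch pulls in a non-standard header (the BSD err()/warn() family), while `<openssl/err.h>` is already included a few lines above. Unless the new code genuinely needs it, drop the include and report failures through the OpenSSL error queue, so the file keeps building on hosts whose libc does not ship err.h.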

Two things (here and elsewhere). One, since we're generally using
'#ifndef CONFIG_OPENSSL_NO_DEPRECATED' just using '#ifdef
CONFIG_OPENSSL_NO_DEPRECATED' is fine, using a macro here is not aiding
readability. Two, if the if/else/endif is within the patch context we
really don't need a comment on the endif part.

-- 
Tom
