[PATCH v3] Add support for OpenSSL Provider API

[PATCH v3] Add support for OpenSSL Provider API

[Eddie Kovsky]

The Engine API has been deprecated since the release of OpenSSL 3.0. End
users have been advised to migrate to the new Provider interface.
Several distributions have already removed support for engines, which is
preventing U-Boot from being compiled in those environments.

Add support for the Provider API while continuing to support the existing
Engine API on distros shipping older releases of OpenSSL.

This is based on similar work contributed by Jan Stancek updating Linux
to use the Provider interface.

    commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
    Author: Jan Stancek <jstancek@redhat.com>
    Date:   Fri Sep 20 19:52:48 2024 +0300

        sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3

The changes have been tested with the FIT signature verification vboot
tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
Engine library installed and with the Provider API.

Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
---
Changes in v3:
  - Removed Kconfig option
  - Changed macro symbol from CONFIG_OPENSSL_NO_DEPRECATED to
    USE_PKCS11_PROVIDER or USE_PKCS11_ENGINE
v2: https://lore.kernel.org/u-boot/20251027195834.71109-1-ekovsky@redhat.com/

Changes in v2:
  - Remove default for new Kconfig option
  - Use #ifdef instead of IS_ENABLED macro
  - Remove comment after #endif
  - Remove unrelated checkpatch cleanup of 'sslErr' variable name
v1: https://lore.kernel.org/u-boot/20251017171329.255689-1-ekovsky@redhat.com/
---
 lib/aes/aes-encrypt.c |  4 +-
 lib/rsa/rsa-sign.c    | 95 ++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 97 insertions(+), 2 deletions(-)

diff --git a/lib/aes/aes-encrypt.c b/lib/aes/aes-encrypt.c
index 90e1407b4f09..4fc4ce232478 100644
--- a/lib/aes/aes-encrypt.c
+++ b/lib/aes/aes-encrypt.c
@@ -16,7 +16,9 @@
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
-#include <openssl/engine.h>
+#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+# include <openssl/engine.h>
+#endif
 #include <uboot_aes.h>
 
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index 0e38c9e802fd..31269db65950 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -19,7 +19,47 @@
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
-#include <openssl/engine.h>
+#if OPENSSL_VERSION_MAJOR >= 3
+# define USE_PKCS11_PROVIDER
+# include <err.h>
+# include <openssl/provider.h>
+# include <openssl/store.h>
+#else
+# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#  define USE_PKCS11_ENGINE
+#  include <openssl/engine.h>
+# endif
+#endif
+
+#ifdef USE_PKCS11_PROVIDER
+#define ERR(cond, fmt, ...)				\
+	do {						\
+		bool __cond = (cond);			\
+		drain_openssl_errors(__LINE__, 0);	\
+		if (__cond) {				\
+			errx(1, fmt, ## __VA_ARGS__);	\
+		}					\
+	} while (0)
+
+static void drain_openssl_errors(int l, int silent)
+{
+	const char *file;
+	char buf[120];
+	int e, line;
+
+	if (ERR_peek_error() == 0)
+		return;
+	if (!silent)
+		fprintf(stderr, "At main.c:%d:\n", l);
+
+	while ((e = ERR_peek_error_line(&file, &line))) {
+		ERR_error_string(e, buf);
+		if (!silent)
+			fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
+		ERR_get_error();
+	}
+}
+#endif
 
 static int rsa_err(const char *msg)
 {
@@ -98,6 +138,7 @@ err_cert:
  * @evpp	Returns EVP_PKEY object, or NULL on failure
  * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)
  */
+#ifdef USE_PKCS11_ENGINE
 static int rsa_engine_get_pub_key(const char *keydir, const char *name,
 				  ENGINE *engine, EVP_PKEY **evpp)
 {
@@ -157,6 +198,7 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
 
 	return 0;
 }
+#endif
 
 /**
  * rsa_get_pub_key() - read a public key
@@ -170,8 +212,10 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
 static int rsa_get_pub_key(const char *keydir, const char *name,
 			   ENGINE *engine, EVP_PKEY **evpp)
 {
+#ifdef USE_PKCS11_ENGINE
 	if (engine)
 		return rsa_engine_get_pub_key(keydir, name, engine, evpp);
+#endif
 	return rsa_pem_get_pub_key(keydir, name, evpp);
 }
 
@@ -207,6 +251,37 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
 		return -ENOENT;
 	}
 
+#ifdef USE_PKCS11_PROVIDER
+	EVP_PKEY *private_key = NULL;
+	OSSL_STORE_CTX *store;
+
+	if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
+		ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
+	if (!OSSL_PROVIDER_try_load(NULL, "default", true))
+		ERR(1, "OSSL_PROVIDER_try_load(default)");
+
+	store = OSSL_STORE_open(path, NULL, NULL, NULL, NULL);
+	ERR(!store, "OSSL_STORE_open");
+
+	while (!OSSL_STORE_eof(store)) {
+		OSSL_STORE_INFO *info = OSSL_STORE_load(store);
+
+		if (!info) {
+			drain_openssl_errors(__LINE__, 0);
+			continue;
+		}
+		if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
+			private_key = OSSL_STORE_INFO_get1_PKEY(info);
+			ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY");
+		}
+		OSSL_STORE_INFO_free(info);
+		if (private_key)
+			break;
+	}
+	OSSL_STORE_close(store);
+
+	*evpp = private_key;
+#else
 	if (!PEM_read_PrivateKey(f, evpp, NULL, path)) {
 		rsa_err("Failure reading private key");
 		fclose(f);
@@ -214,6 +289,7 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
 	}
 	fclose(f);
 
+#endif
 	return 0;
 }
 
@@ -226,6 +302,7 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
  * @evpp	Returns EVP_PKEY object, or NULL on failure
  * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)
  */
+#ifdef USE_PKCS11_ENGINE
 static int rsa_engine_get_priv_key(const char *keydir, const char *name,
 				   const char *keyfile,
 				   ENGINE *engine, EVP_PKEY **evpp)
@@ -293,6 +370,7 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
 
 	return 0;
 }
+#endif
 
 /**
  * rsa_get_priv_key() - read a private key
@@ -306,9 +384,11 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
 static int rsa_get_priv_key(const char *keydir, const char *name,
 			    const char *keyfile, ENGINE *engine, EVP_PKEY **evpp)
 {
+#ifdef USE_PKCS11_ENGINE
 	if (engine)
 		return rsa_engine_get_priv_key(keydir, name, keyfile, engine,
 					       evpp);
+#endif
 	return rsa_pem_get_priv_key(keydir, name, keyfile, evpp);
 }
 
@@ -325,6 +405,7 @@ static int rsa_init(void)
 	return 0;
 }
 
+#ifdef USE_PKCS11_ENGINE
 static int rsa_engine_init(const char *engine_id, ENGINE **pe)
 {
 	const char *key_pass;
@@ -380,6 +461,7 @@ static void rsa_engine_remove(ENGINE *e)
 		ENGINE_free(e);
 	}
 }
+#endif
 
 static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo,
 			     struct checksum_algo *checksum_algo,
@@ -480,11 +562,13 @@ int rsa_sign(struct image_sign_info *info,
 	if (ret)
 		return ret;
 
+#ifdef USE_PKCS11_ENGINE
 	if (info->engine_id) {
 		ret = rsa_engine_init(info->engine_id, &e);
 		if (ret)
 			return ret;
 	}
+#endif
 
 	ret = rsa_get_priv_key(info->keydir, info->keyname, info->keyfile,
 			       e, &pkey);
@@ -496,16 +580,21 @@ int rsa_sign(struct image_sign_info *info,
 		goto err_sign;
 
 	EVP_PKEY_free(pkey);
+
+#ifdef USE_PKCS11_ENGINE
 	if (info->engine_id)
 		rsa_engine_remove(e);
+#endif
 
 	return ret;
 
 err_sign:
 	EVP_PKEY_free(pkey);
 err_priv:
+#ifdef USE_PKCS11_ENGINE
 	if (info->engine_id)
 		rsa_engine_remove(e);
+#endif
 	return ret;
 }
 
@@ -645,11 +734,13 @@ int rsa_add_verify_data(struct image_sign_info *info, void *keydest)
 	ENGINE *e = NULL;
 
 	debug("%s: Getting verification data\n", __func__);
+#ifdef USE_PKCS11_ENGINE
 	if (info->engine_id) {
 		ret = rsa_engine_init(info->engine_id, &e);
 		if (ret)
 			return ret;
 	}
+#endif
 	ret = rsa_get_pub_key(info->keydir, info->keyname, e, &pkey);
 	if (ret)
 		goto err_get_pub_key;
@@ -726,8 +817,10 @@ done:
 err_get_params:
 	EVP_PKEY_free(pkey);
 err_get_pub_key:
+#ifdef USE_PKCS11_ENGINE
 	if (info->engine_id)
 		rsa_engine_remove(e);
+#endif
 
 	if (ret)
 		return ret;
-- 
2.52.0

Re: [PATCH v3] Add support for OpenSSL Provider API

[Mattijs Korpershoek]

Hi Eddie,

Thank you for the patch.

On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:

> The Engine API has been deprecated since the release of OpenSSL 3.0. End
> users have been advised to migrate to the new Provider interface.
> Several distributions have already removed support for engines, which is
> preventing U-Boot from being compiled in those environments.
>
> Add support for the Provider API while continuing to support the existing
> Engine API on distros shipping older releases of OpenSSL.
>
> This is based on similar work contributed by Jan Stancek updating Linux
> to use the Provider interface.
>
>     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
>     Author: Jan Stancek <jstancek@redhat.com>
>     Date:   Fri Sep 20 19:52:48 2024 +0300
>
>         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
>
> The changes have been tested with the FIT signature verification vboot
> tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> Engine library installed and with the Provider API.
>
> Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>

As a follow-up, can we look into reverting/removing
commit 3a8b919932fd ("tools: avoid OpenSSL deprecation warnings") ?

This looks much better than v2 in my opinion.

Some additional comments below:

> ---
> Changes in v3:
>   - Removed Kconfig option
>   - Changed macro symbol from CONFIG_OPENSSL_NO_DEPRECATED to
>     USE_PKCS11_PROVIDER or USE_PKCS11_ENGINE
> v2: https://lore.kernel.org/u-boot/20251027195834.71109-1-ekovsky@redhat.com/
>
> Changes in v2:
>   - Remove default for new Kconfig option
>   - Use #ifdef instead of IS_ENABLED macro
>   - Remove comment after #endif
>   - Remove unrelated checkpatch cleanup of 'sslErr' variable name
> v1: https://lore.kernel.org/u-boot/20251017171329.255689-1-ekovsky@redhat.com/
> ---
>  lib/aes/aes-encrypt.c |  4 +-
>  lib/rsa/rsa-sign.c    | 95 ++++++++++++++++++++++++++++++++++++++++++-
>  2 files changed, 97 insertions(+), 2 deletions(-)
>
> diff --git a/lib/aes/aes-encrypt.c b/lib/aes/aes-encrypt.c
> index 90e1407b4f09..4fc4ce232478 100644
> --- a/lib/aes/aes-encrypt.c
> +++ b/lib/aes/aes-encrypt.c
> @@ -16,7 +16,9 @@
>  #include <openssl/err.h>
>  #include <openssl/ssl.h>
>  #include <openssl/evp.h>
> -#include <openssl/engine.h>
> +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
> +# include <openssl/engine.h>
> +#endif
>  #include <uboot_aes.h>
>  
>  #if OPENSSL_VERSION_NUMBER >= 0x10000000L
> diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
> index 0e38c9e802fd..31269db65950 100644
> --- a/lib/rsa/rsa-sign.c
> +++ b/lib/rsa/rsa-sign.c
> @@ -19,7 +19,47 @@
>  #include <openssl/err.h>
>  #include <openssl/ssl.h>
>  #include <openssl/evp.h>
> -#include <openssl/engine.h>
> +#if OPENSSL_VERSION_MAJOR >= 3
> +# define USE_PKCS11_PROVIDER
> +# include <err.h>
> +# include <openssl/provider.h>
> +# include <openssl/store.h>
> +#else
> +# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
> +#  define USE_PKCS11_ENGINE
> +#  include <openssl/engine.h>
> +# endif
> +#endif
> +
> +#ifdef USE_PKCS11_PROVIDER
> +#define ERR(cond, fmt, ...)				\
> +	do {						\
> +		bool __cond = (cond);			\
> +		drain_openssl_errors(__LINE__, 0);	\
> +		if (__cond) {				\
> +			errx(1, fmt, ## __VA_ARGS__);	\
> +		}					\
> +	} while (0)
> +
> +static void drain_openssl_errors(int l, int silent)
> +{
> +	const char *file;
> +	char buf[120];
> +	int e, line;
> +
> +	if (ERR_peek_error() == 0)
> +		return;
> +	if (!silent)
> +		fprintf(stderr, "At main.c:%d:\n", l);
> +
> +	while ((e = ERR_peek_error_line(&file, &line))) {
> +		ERR_error_string(e, buf);
> +		if (!silent)
> +			fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
> +		ERR_get_error();
> +	}
> +}
> +#endif
>  
>  static int rsa_err(const char *msg)
>  {
> @@ -98,6 +138,7 @@ err_cert:
>   * @evpp	Returns EVP_PKEY object, or NULL on failure
>   * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)
>   */
> +#ifdef USE_PKCS11_ENGINE
>  static int rsa_engine_get_pub_key(const char *keydir, const char *name,
>  				  ENGINE *engine, EVP_PKEY **evpp)
>  {
> @@ -157,6 +198,7 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
>  
>  	return 0;
>  }
> +#endif
>  
>  /**
>   * rsa_get_pub_key() - read a public key
> @@ -170,8 +212,10 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,

With this change, the ENGINE pointer might be NULL (or undefined).
Can we please update the documentation comment to reflect this?

For example, we could reword as:
 * @engine	Engine to use or NULL when using pcks11 provider

>  static int rsa_get_pub_key(const char *keydir, const char *name,
>  			   ENGINE *engine, EVP_PKEY **evpp)
>  {
> +#ifdef USE_PKCS11_ENGINE
>  	if (engine)
>  		return rsa_engine_get_pub_key(keydir, name, engine, evpp);
> +#endif
>  	return rsa_pem_get_pub_key(keydir, name, evpp);
>  }

Actually, looking even closer at this function, it's seems to be called
only once.

Why can't we drop this function alltogether and call
rsa_engine_get_pub_key() / rsa_pem_get_pub_key() directly in
rsa_add_verify_data() ?

Reason I'm asking: in rsa_add_verify_data(), ENGINE *e is not used when
we use PROVIDER. It seems weird (and error prone) to pass a NULL pointer
to a function that does not need that argument

>  
> @@ -207,6 +251,37 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
>  		return -ENOENT;
>  	}
>  
> +#ifdef USE_PKCS11_PROVIDER
> +	EVP_PKEY *private_key = NULL;
> +	OSSL_STORE_CTX *store;
> +
> +	if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
> +		ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
> +	if (!OSSL_PROVIDER_try_load(NULL, "default", true))
> +		ERR(1, "OSSL_PROVIDER_try_load(default)");
> +
> +	store = OSSL_STORE_open(path, NULL, NULL, NULL, NULL);
> +	ERR(!store, "OSSL_STORE_open");
> +
> +	while (!OSSL_STORE_eof(store)) {
> +		OSSL_STORE_INFO *info = OSSL_STORE_load(store);
> +
> +		if (!info) {
> +			drain_openssl_errors(__LINE__, 0);
> +			continue;
> +		}
> +		if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
> +			private_key = OSSL_STORE_INFO_get1_PKEY(info);
> +			ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY");
> +		}
> +		OSSL_STORE_INFO_free(info);
> +		if (private_key)
> +			break;
> +	}
> +	OSSL_STORE_close(store);
> +
> +	*evpp = private_key;
> +#else
>  	if (!PEM_read_PrivateKey(f, evpp, NULL, path)) {
>  		rsa_err("Failure reading private key");
>  		fclose(f);
> @@ -214,6 +289,7 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
>  	}
>  	fclose(f);
>  
> +#endif
>  	return 0;

This block should be

 	fclose(f);
+#endif

 	return 0;

(not having a blank line between the fclose and the #endif)

>  }
>  
> @@ -226,6 +302,7 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
>   * @evpp	Returns EVP_PKEY object, or NULL on failure
>   * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)
>   */
> +#ifdef USE_PKCS11_ENGINE
>  static int rsa_engine_get_priv_key(const char *keydir, const char *name,
>  				   const char *keyfile,
>  				   ENGINE *engine, EVP_PKEY **evpp)
> @@ -293,6 +370,7 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
>  
>  	return 0;
>  }
> +#endif
>  
>  /**
>   * rsa_get_priv_key() - read a private key
> @@ -306,9 +384,11 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
>  static int rsa_get_priv_key(const char *keydir, const char *name,
>  			    const char *keyfile, ENGINE *engine, EVP_PKEY **evpp)
>  {
> +#ifdef USE_PKCS11_ENGINE
>  	if (engine)
>  		return rsa_engine_get_priv_key(keydir, name, keyfile, engine,
>  					       evpp);
> +#endif
>  	return rsa_pem_get_priv_key(keydir, name, keyfile, evpp);

Same remark as for rsa_engine_get_pub_key. Can't we drop this static
function? It's only called once.

Maybe do a cleanup patch first, that gets rid of the static functions
and then do the provider support in a second patch of the same series?

I think it will reduce the amount of #ifdefs, which seems a good
argument.

Re: [PATCH v3] Add support for OpenSSL Provider API

[Eddie Kovsky]

On 01/29/26, Mattijs Korpershoek wrote:
> Hi Eddie,
> 
> Thank you for the patch.
> 

Hi Mattijs

Thanks for the review.

> On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
> 
> > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > users have been advised to migrate to the new Provider interface.
> > Several distributions have already removed support for engines, which is
> > preventing U-Boot from being compiled in those environments.
> >
> > Add support for the Provider API while continuing to support the existing
> > Engine API on distros shipping older releases of OpenSSL.
> >
> > This is based on similar work contributed by Jan Stancek updating Linux
> > to use the Provider interface.
> >
> >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> >     Author: Jan Stancek <jstancek@redhat.com>
> >     Date:   Fri Sep 20 19:52:48 2024 +0300
> >
> >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> >
> > The changes have been tested with the FIT signature verification vboot
> > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > Engine library installed and with the Provider API.
> >
> > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> 
> As a follow-up, can we look into reverting/removing
> commit 3a8b919932fd ("tools: avoid OpenSSL deprecation warnings") ?
> 

Yes, we could certainly revert this once we've determined it's no longer
needed for CI. But it's outside the scope of what I'm proposing for this
patch.

> This looks much better than v2 in my opinion.
> 
> Some additional comments below:
> 
> > ---
> > Changes in v3:
> >   - Removed Kconfig option
> >   - Changed macro symbol from CONFIG_OPENSSL_NO_DEPRECATED to
> >     USE_PKCS11_PROVIDER or USE_PKCS11_ENGINE
> > v2: https://lore.kernel.org/u-boot/20251027195834.71109-1-ekovsky@redhat.com/
> >
> > Changes in v2:
> >   - Remove default for new Kconfig option
> >   - Use #ifdef instead of IS_ENABLED macro
> >   - Remove comment after #endif
> >   - Remove unrelated checkpatch cleanup of 'sslErr' variable name
> > v1: https://lore.kernel.org/u-boot/20251017171329.255689-1-ekovsky@redhat.com/
> > ---
> >  lib/aes/aes-encrypt.c |  4 +-
> >  lib/rsa/rsa-sign.c    | 95 ++++++++++++++++++++++++++++++++++++++++++-
> >  2 files changed, 97 insertions(+), 2 deletions(-)
> >
> > diff --git a/lib/aes/aes-encrypt.c b/lib/aes/aes-encrypt.c
> > index 90e1407b4f09..4fc4ce232478 100644
> > --- a/lib/aes/aes-encrypt.c
> > +++ b/lib/aes/aes-encrypt.c
> > @@ -16,7 +16,9 @@
> >  #include <openssl/err.h>
> >  #include <openssl/ssl.h>
> >  #include <openssl/evp.h>
> > -#include <openssl/engine.h>
> > +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
> > +# include <openssl/engine.h>
> > +#endif
> >  #include <uboot_aes.h>
> >  
> >  #if OPENSSL_VERSION_NUMBER >= 0x10000000L
> > diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
> > index 0e38c9e802fd..31269db65950 100644
> > --- a/lib/rsa/rsa-sign.c
> > +++ b/lib/rsa/rsa-sign.c
> > @@ -19,7 +19,47 @@
> >  #include <openssl/err.h>
> >  #include <openssl/ssl.h>
> >  #include <openssl/evp.h>
> > -#include <openssl/engine.h>
> > +#if OPENSSL_VERSION_MAJOR >= 3
> > +# define USE_PKCS11_PROVIDER
> > +# include <err.h>
> > +# include <openssl/provider.h>
> > +# include <openssl/store.h>
> > +#else
> > +# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
> > +#  define USE_PKCS11_ENGINE
> > +#  include <openssl/engine.h>
> > +# endif
> > +#endif
> > +
> > +#ifdef USE_PKCS11_PROVIDER
> > +#define ERR(cond, fmt, ...)				\
> > +	do {						\
> > +		bool __cond = (cond);			\
> > +		drain_openssl_errors(__LINE__, 0);	\
> > +		if (__cond) {				\
> > +			errx(1, fmt, ## __VA_ARGS__);	\
> > +		}					\
> > +	} while (0)
> > +
> > +static void drain_openssl_errors(int l, int silent)
> > +{
> > +	const char *file;
> > +	char buf[120];
> > +	int e, line;
> > +
> > +	if (ERR_peek_error() == 0)
> > +		return;
> > +	if (!silent)
> > +		fprintf(stderr, "At main.c:%d:\n", l);
> > +
> > +	while ((e = ERR_peek_error_line(&file, &line))) {
> > +		ERR_error_string(e, buf);
> > +		if (!silent)
> > +			fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
> > +		ERR_get_error();
> > +	}
> > +}
> > +#endif
> >  
> >  static int rsa_err(const char *msg)
> >  {
> > @@ -98,6 +138,7 @@ err_cert:
> >   * @evpp	Returns EVP_PKEY object, or NULL on failure
> >   * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)
> >   */
> > +#ifdef USE_PKCS11_ENGINE
> >  static int rsa_engine_get_pub_key(const char *keydir, const char *name,
> >  				  ENGINE *engine, EVP_PKEY **evpp)
> >  {
> > @@ -157,6 +198,7 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
> >  
> >  	return 0;
> >  }
> > +#endif
> >  
> >  /**
> >   * rsa_get_pub_key() - read a public key
> > @@ -170,8 +212,10 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
> 
> With this change, the ENGINE pointer might be NULL (or undefined).
> Can we please update the documentation comment to reflect this?
> 
> For example, we could reword as:
>  * @engine	Engine to use or NULL when using pcks11 provider
> 

Sure, I can update the comment for v4.
> >  static int rsa_get_pub_key(const char *keydir, const char *name,
> >  			   ENGINE *engine, EVP_PKEY **evpp)
> >  {
> > +#ifdef USE_PKCS11_ENGINE
> >  	if (engine)
> >  		return rsa_engine_get_pub_key(keydir, name, engine, evpp);
> > +#endif
> >  	return rsa_pem_get_pub_key(keydir, name, evpp);
> >  }
> 
> Actually, looking even closer at this function, it's seems to be called
> only once.
> 
> Why can't we drop this function alltogether and call
> rsa_engine_get_pub_key() / rsa_pem_get_pub_key() directly in
> rsa_add_verify_data() ?
> 
> Reason I'm asking: in rsa_add_verify_data(), ENGINE *e is not used when
> we use PROVIDER. It seems weird (and error prone) to pass a NULL pointer
> to a function that does not need that argument
> 

Yes, we could drop rsa_get_pub_key(). It is set up as a helper function and
only called once from rsa_add_verify_data().

But I am hesitant to make any changes to the RSA API in this file. I
want to limit the scope of this patch so that the existing code is
unchanged for users of the Engine API. And I think removing this
function would require adding more #ifdefs around the error handling in
rsa_add_verify_data().

> >  
> > @@ -207,6 +251,37 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
> >  		return -ENOENT;
> >  	}
> >  
> > +#ifdef USE_PKCS11_PROVIDER
> > +	EVP_PKEY *private_key = NULL;
> > +	OSSL_STORE_CTX *store;
> > +
> > +	if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
> > +		ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
> > +	if (!OSSL_PROVIDER_try_load(NULL, "default", true))
> > +		ERR(1, "OSSL_PROVIDER_try_load(default)");
> > +
> > +	store = OSSL_STORE_open(path, NULL, NULL, NULL, NULL);
> > +	ERR(!store, "OSSL_STORE_open");
> > +
> > +	while (!OSSL_STORE_eof(store)) {
> > +		OSSL_STORE_INFO *info = OSSL_STORE_load(store);
> > +
> > +		if (!info) {
> > +			drain_openssl_errors(__LINE__, 0);
> > +			continue;
> > +		}
> > +		if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
> > +			private_key = OSSL_STORE_INFO_get1_PKEY(info);
> > +			ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY");
> > +		}
> > +		OSSL_STORE_INFO_free(info);
> > +		if (private_key)
> > +			break;
> > +	}
> > +	OSSL_STORE_close(store);
> > +
> > +	*evpp = private_key;
> > +#else
> >  	if (!PEM_read_PrivateKey(f, evpp, NULL, path)) {
> >  		rsa_err("Failure reading private key");
> >  		fclose(f);
> > @@ -214,6 +289,7 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
> >  	}
> >  	fclose(f);
> >  
> > +#endif
> >  	return 0;
> 
> This block should be
> 
>  	fclose(f);
> +#endif
> 
>  	return 0;
> 
> (not having a blank line between the fclose and the #endif)
> 
> >  }

I'll clean that up in v4.
> >  
> > @@ -226,6 +302,7 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
> >   * @evpp	Returns EVP_PKEY object, or NULL on failure
> >   * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)
> >   */
> > +#ifdef USE_PKCS11_ENGINE
> >  static int rsa_engine_get_priv_key(const char *keydir, const char *name,
> >  				   const char *keyfile,
> >  				   ENGINE *engine, EVP_PKEY **evpp)
> > @@ -293,6 +370,7 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
> >  
> >  	return 0;
> >  }
> > +#endif
> >  
> >  /**
> >   * rsa_get_priv_key() - read a private key
> > @@ -306,9 +384,11 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
> >  static int rsa_get_priv_key(const char *keydir, const char *name,
> >  			    const char *keyfile, ENGINE *engine, EVP_PKEY **evpp)
> >  {
> > +#ifdef USE_PKCS11_ENGINE
> >  	if (engine)
> >  		return rsa_engine_get_priv_key(keydir, name, keyfile, engine,
> >  					       evpp);
> > +#endif
> >  	return rsa_pem_get_priv_key(keydir, name, keyfile, evpp);
> 
> Same remark as for rsa_engine_get_pub_key. Can't we drop this static
> function? It's only called once.
> 
> Maybe do a cleanup patch first, that gets rid of the static functions
> and then do the provider support in a second patch of the same series?
> 
> I think it will reduce the amount of #ifdefs, which seems a good
> argument.
> 

Again, I am trying to limit the scope of this proposal to preserve the
existing code. If we remove the helper function rsa_get_priv_key() then
the #ifdef guards also have to move inside the caller rsa_sign(). And
since we would no longer be able to check the return value of
rsa_get_priv_key() additional guards would be needed to recreate the
return value logic that's already in the helper function.


Eddie

Re: [PATCH v3] Add support for OpenSSL Provider API

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 2042 bytes --]

On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote:

> On 01/29/26, Mattijs Korpershoek wrote:
> > Hi Eddie,
> > 
> > Thank you for the patch.
> > 
> 
> Hi Mattijs
> 
> Thanks for the review.
> 
> > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
> > 
> > > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > > users have been advised to migrate to the new Provider interface.
> > > Several distributions have already removed support for engines, which is
> > > preventing U-Boot from being compiled in those environments.
> > >
> > > Add support for the Provider API while continuing to support the existing
> > > Engine API on distros shipping older releases of OpenSSL.
> > >
> > > This is based on similar work contributed by Jan Stancek updating Linux
> > > to use the Provider interface.
> > >
> > >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > >     Author: Jan Stancek <jstancek@redhat.com>
> > >     Date:   Fri Sep 20 19:52:48 2024 +0300
> > >
> > >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> > >
> > > The changes have been tested with the FIT signature verification vboot
> > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > > Engine library installed and with the Provider API.
> > >
> > > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
[snip]
> Sure, I can update the comment for v4.

Since we're talking about v4, can you please make sure that for v4 it:
- Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as
  that will cover some non-Linux host builds.
- See if you can get access to a FreeBSD or OpenBSD host and make sure
  the tools build still works there too? I was hoping Mark would have
  commented / tested-by v3 because I do want to make sure the libressl
  case still builds. At worst case, I have a freebie Oracle VM that's
  FreeBSD based, so you can maybe spin one of those up as well?

Thanks!

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH v3] Add support for OpenSSL Provider API

[Enric Balletbo i Serra]

Hi all,

Thanks Eddie for the effort on doing this.

On Thu, Feb 19, 2026 at 6:28 PM Tom Rini <trini@konsulko.com> wrote:
>
> On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote:
>
> > On 01/29/26, Mattijs Korpershoek wrote:
> > > Hi Eddie,
> > >
> > > Thank you for the patch.
> > >
> >
> > Hi Mattijs
> >
> > Thanks for the review.
> >
> > > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
> > >
> > > > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > > > users have been advised to migrate to the new Provider interface.
> > > > Several distributions have already removed support for engines, which is
> > > > preventing U-Boot from being compiled in those environments.
> > > >
> > > > Add support for the Provider API while continuing to support the existing
> > > > Engine API on distros shipping older releases of OpenSSL.
> > > >
> > > > This is based on similar work contributed by Jan Stancek updating Linux
> > > > to use the Provider interface.
> > > >
> > > >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > > >     Author: Jan Stancek <jstancek@redhat.com>
> > > >     Date:   Fri Sep 20 19:52:48 2024 +0300
> > > >
> > > >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> > > >
> > > > The changes have been tested with the FIT signature verification vboot
> > > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > > > Engine library installed and with the Provider API.
> > > >
> > > > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> [snip]
> > Sure, I can update the comment for v4.
>
> Since we're talking about v4, can you please make sure that for v4 it:
> - Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as
>   that will cover some non-Linux host builds.
> - See if you can get access to a FreeBSD or OpenBSD host and make sure
>   the tools build still works there too? I was hoping Mark would have
>   commented / tested-by v3 because I do want to make sure the libressl
>   case still builds. At worst case, I have a freebie Oracle VM that's
>   FreeBSD based, so you can maybe spin one of those up as well?
>

I wanted to provide some context on my testing efforts. I have
successfully tested these patches on Fedora and CentOS Stream 10,
where the engine support is already deprecated. These changes are
quite important because we are currently carrying them as a downstream
patch for some RPM packages.

Regarding testing on OpenBSD and FreeBSD ( it uses openssl 3.0 by
default ), I tried, but I ran into some build issues that I couldn't
quickly resolve due to my limited experience with those environments.
Instead, I decided to test with an alpine+libressl container and can
confirm that the build of the tools does not break with these patches
applied, which should cover the libressl case you were concerned
about.

   # make tools
   # ldd tools/mkimage
   /lib/ld-musl-x86_64.so.1 (0x7f12975f5000)
   libssl.so.60 => /usr/lib/libssl.so.60 (0x7f12973a4000)
   libcrypto.so.57 => /usr/lib/libcrypto.so.57 (0x7f129722a000)
   libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f12975f5000)

   # strings /usr/lib/libcrypto.so.57 | grep -i "libressl"
   LibreSSL 4.2.1
   %s/libressl.cnf

I'm happy to provide my tested-by tag if it helps move the patch
along. Feel free to include it in v4.

Tested-by: Enric Balletbo i Serra <eballetbo@kernel.org>

Thanks,

   Enric

> Thanks!
>
> --
> Tom

Re: [PATCH v3] Add support for OpenSSL Provider API

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 3958 bytes --]

On Tue, Feb 24, 2026 at 01:08:23PM +0100, Enric Balletbo i Serra wrote:
> Hi all,
> 
> Thanks Eddie for the effort on doing this.
> 
> On Thu, Feb 19, 2026 at 6:28 PM Tom Rini <trini@konsulko.com> wrote:
> >
> > On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote:
> >
> > > On 01/29/26, Mattijs Korpershoek wrote:
> > > > Hi Eddie,
> > > >
> > > > Thank you for the patch.
> > > >
> > >
> > > Hi Mattijs
> > >
> > > Thanks for the review.
> > >
> > > > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
> > > >
> > > > > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > > > > users have been advised to migrate to the new Provider interface.
> > > > > Several distributions have already removed support for engines, which is
> > > > > preventing U-Boot from being compiled in those environments.
> > > > >
> > > > > Add support for the Provider API while continuing to support the existing
> > > > > Engine API on distros shipping older releases of OpenSSL.
> > > > >
> > > > > This is based on similar work contributed by Jan Stancek updating Linux
> > > > > to use the Provider interface.
> > > > >
> > > > >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > > > >     Author: Jan Stancek <jstancek@redhat.com>
> > > > >     Date:   Fri Sep 20 19:52:48 2024 +0300
> > > > >
> > > > >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> > > > >
> > > > > The changes have been tested with the FIT signature verification vboot
> > > > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > > > > Engine library installed and with the Provider API.
> > > > >
> > > > > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> > [snip]
> > > Sure, I can update the comment for v4.
> >
> > Since we're talking about v4, can you please make sure that for v4 it:
> > - Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as
> >   that will cover some non-Linux host builds.
> > - See if you can get access to a FreeBSD or OpenBSD host and make sure
> >   the tools build still works there too? I was hoping Mark would have
> >   commented / tested-by v3 because I do want to make sure the libressl
> >   case still builds. At worst case, I have a freebie Oracle VM that's
> >   FreeBSD based, so you can maybe spin one of those up as well?
> >
> 
> I wanted to provide some context on my testing efforts. I have
> successfully tested these patches on Fedora and CentOS Stream 10,
> where the engine support is already deprecated. These changes are
> quite important because we are currently carrying them as a downstream
> patch for some RPM packages.
> 
> Regarding testing on OpenBSD and FreeBSD ( it uses openssl 3.0 by
> default ), I tried, but I ran into some build issues that I couldn't
> quickly resolve due to my limited experience with those environments.
> Instead, I decided to test with an alpine+libressl container and can
> confirm that the build of the tools does not break with these patches
> applied, which should cover the libressl case you were concerned
> about.
> 
>    # make tools
>    # ldd tools/mkimage
>    /lib/ld-musl-x86_64.so.1 (0x7f12975f5000)
>    libssl.so.60 => /usr/lib/libssl.so.60 (0x7f12973a4000)
>    libcrypto.so.57 => /usr/lib/libcrypto.so.57 (0x7f129722a000)
>    libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f12975f5000)
> 
>    # strings /usr/lib/libcrypto.so.57 | grep -i "libressl"
>    LibreSSL 4.2.1
>    %s/libressl.cnf
> 
> I'm happy to provide my tested-by tag if it helps move the patch
> along. Feel free to include it in v4.
> 
> Tested-by: Enric Balletbo i Serra <eballetbo@kernel.org>

Thanks for doing that, I appreciate it. I'm much more confident the BSD
cases will be fine now. I still really want to see v4 put through CI
first just to catch any other oddities.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH v3] Add support for OpenSSL Provider API

[Mark Kettenis]

> From: Enric Balletbo i Serra <eballetbo@kernel.org>
> Date: Tue, 24 Feb 2026 13:08:23 +0100

Hi,

> Hi all,
> 
> Thanks Eddie for the effort on doing this.
> 
> On Thu, Feb 19, 2026 at 6:28 PM Tom Rini <trini@konsulko.com> wrote:
> >
> > On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote:
> >
> > > On 01/29/26, Mattijs Korpershoek wrote:
> > > > Hi Eddie,
> > > >
> > > > Thank you for the patch.
> > > >
> > >
> > > Hi Mattijs
> > >
> > > Thanks for the review.
> > >
> > > > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
> > > >
> > > > > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > > > > users have been advised to migrate to the new Provider interface.
> > > > > Several distributions have already removed support for engines, which is
> > > > > preventing U-Boot from being compiled in those environments.
> > > > >
> > > > > Add support for the Provider API while continuing to support the existing
> > > > > Engine API on distros shipping older releases of OpenSSL.
> > > > >
> > > > > This is based on similar work contributed by Jan Stancek updating Linux
> > > > > to use the Provider interface.
> > > > >
> > > > >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > > > >     Author: Jan Stancek <jstancek@redhat.com>
> > > > >     Date:   Fri Sep 20 19:52:48 2024 +0300
> > > > >
> > > > >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> > > > >
> > > > > The changes have been tested with the FIT signature verification vboot
> > > > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > > > > Engine library installed and with the Provider API.
> > > > >
> > > > > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> > [snip]
> > > Sure, I can update the comment for v4.
> >
> > Since we're talking about v4, can you please make sure that for v4 it:
> > - Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as
> >   that will cover some non-Linux host builds.
> > - See if you can get access to a FreeBSD or OpenBSD host and make sure
> >   the tools build still works there too? I was hoping Mark would have
> >   commented / tested-by v3 because I do want to make sure the libressl
> >   case still builds. At worst case, I have a freebie Oracle VM that's
> >   FreeBSD based, so you can maybe spin one of those up as well?
> >

Sorry, I've been a bit busy the last weeks.  But I threw this on top
of today's master and built a few of my favourite targets.  There
seems to no regressions in the build experience.

> I wanted to provide some context on my testing efforts. I have
> successfully tested these patches on Fedora and CentOS Stream 10,
> where the engine support is already deprecated. These changes are
> quite important because we are currently carrying them as a downstream
> patch for some RPM packages.
> 
> Regarding testing on OpenBSD and FreeBSD ( it uses openssl 3.0 by
> default ), I tried, but I ran into some build issues that I couldn't
> quickly resolve due to my limited experience with those environments.
> Instead, I decided to test with an alpine+libressl container and can
> confirm that the build of the tools does not break with these patches
> applied, which should cover the libressl case you were concerned
> about.
> 
>    # make tools
>    # ldd tools/mkimage
>    /lib/ld-musl-x86_64.so.1 (0x7f12975f5000)
>    libssl.so.60 => /usr/lib/libssl.so.60 (0x7f12973a4000)
>    libcrypto.so.57 => /usr/lib/libcrypto.so.57 (0x7f129722a000)
>    libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f12975f5000)
> 
>    # strings /usr/lib/libcrypto.so.57 | grep -i "libressl"
>    LibreSSL 4.2.1
>    %s/libressl.cnf
> 
> I'm happy to provide my tested-by tag if it helps move the patch
> along. Feel free to include it in v4.
> 
> Tested-by: Enric Balletbo i Serra <eballetbo@kernel.org>
> 
> Thanks,
> 
>    Enric
> 
> > Thanks!
> >
> > --
> > Tom
> 

Re: [PATCH v3] Add support for OpenSSL Provider API

[Mattijs Korpershoek]

Hi Eddie,

On Thu, Feb 19, 2026 at 09:51, Eddie Kovsky <ekovsky@redhat.com> wrote:

> On 01/29/26, Mattijs Korpershoek wrote:
>> Hi Eddie,
>> 
>> Thank you for the patch.
>> 
>
> Hi Mattijs
>
> Thanks for the review.
>
>> On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
>> 
>> > The Engine API has been deprecated since the release of OpenSSL 3.0. End
>> > users have been advised to migrate to the new Provider interface.
>> > Several distributions have already removed support for engines, which is
>> > preventing U-Boot from being compiled in those environments.
>> >
>> > Add support for the Provider API while continuing to support the existing
>> > Engine API on distros shipping older releases of OpenSSL.
>> >
>> > This is based on similar work contributed by Jan Stancek updating Linux
>> > to use the Provider interface.
>> >
>> >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
>> >     Author: Jan Stancek <jstancek@redhat.com>
>> >     Date:   Fri Sep 20 19:52:48 2024 +0300
>> >
>> >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
>> >
>> > The changes have been tested with the FIT signature verification vboot
>> > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
>> > Engine library installed and with the Provider API.
>> >
>> > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
>> 
>> As a follow-up, can we look into reverting/removing
>> commit 3a8b919932fd ("tools: avoid OpenSSL deprecation warnings") ?
>> 
>
> Yes, we could certainly revert this once we've determined it's no longer
> needed for CI. But it's outside the scope of what I'm proposing for this
> patch.

Yes agreed, this can be done later on and is out of scope for this patch.

>
>> This looks much better than v2 in my opinion.
>> 
>> Some additional comments below:
>> 
>> > ---
>> > Changes in v3:
>> >   - Removed Kconfig option
>> >   - Changed macro symbol from CONFIG_OPENSSL_NO_DEPRECATED to
>> >     USE_PKCS11_PROVIDER or USE_PKCS11_ENGINE
>> > v2: https://lore.kernel.org/u-boot/20251027195834.71109-1-ekovsky@redhat.com/
>> >
>> > Changes in v2:
>> >   - Remove default for new Kconfig option
>> >   - Use #ifdef instead of IS_ENABLED macro
>> >   - Remove comment after #endif
>> >   - Remove unrelated checkpatch cleanup of 'sslErr' variable name
>> > v1: https://lore.kernel.org/u-boot/20251017171329.255689-1-ekovsky@redhat.com/
>> > ---
>> >  lib/aes/aes-encrypt.c |  4 +-
>> >  lib/rsa/rsa-sign.c    | 95 ++++++++++++++++++++++++++++++++++++++++++-
>> >  2 files changed, 97 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/lib/aes/aes-encrypt.c b/lib/aes/aes-encrypt.c
>> > index 90e1407b4f09..4fc4ce232478 100644
>> > --- a/lib/aes/aes-encrypt.c
>> > +++ b/lib/aes/aes-encrypt.c
>> > @@ -16,7 +16,9 @@
>> >  #include <openssl/err.h>
>> >  #include <openssl/ssl.h>
>> >  #include <openssl/evp.h>
>> > -#include <openssl/engine.h>
>> > +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
>> > +# include <openssl/engine.h>
>> > +#endif
>> >  #include <uboot_aes.h>
>> >  
>> >  #if OPENSSL_VERSION_NUMBER >= 0x10000000L
>> > diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
>> > index 0e38c9e802fd..31269db65950 100644
>> > --- a/lib/rsa/rsa-sign.c
>> > +++ b/lib/rsa/rsa-sign.c
>> > @@ -19,7 +19,47 @@
>> >  #include <openssl/err.h>
>> >  #include <openssl/ssl.h>
>> >  #include <openssl/evp.h>
>> > -#include <openssl/engine.h>
>> > +#if OPENSSL_VERSION_MAJOR >= 3
>> > +# define USE_PKCS11_PROVIDER
>> > +# include <err.h>
>> > +# include <openssl/provider.h>
>> > +# include <openssl/store.h>
>> > +#else
>> > +# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
>> > +#  define USE_PKCS11_ENGINE
>> > +#  include <openssl/engine.h>
>> > +# endif
>> > +#endif
>> > +
>> > +#ifdef USE_PKCS11_PROVIDER
>> > +#define ERR(cond, fmt, ...)				\
>> > +	do {						\
>> > +		bool __cond = (cond);			\
>> > +		drain_openssl_errors(__LINE__, 0);	\
>> > +		if (__cond) {				\
>> > +			errx(1, fmt, ## __VA_ARGS__);	\
>> > +		}					\
>> > +	} while (0)
>> > +
>> > +static void drain_openssl_errors(int l, int silent)
>> > +{
>> > +	const char *file;
>> > +	char buf[120];
>> > +	int e, line;
>> > +
>> > +	if (ERR_peek_error() == 0)
>> > +		return;
>> > +	if (!silent)
>> > +		fprintf(stderr, "At main.c:%d:\n", l);
>> > +
>> > +	while ((e = ERR_peek_error_line(&file, &line))) {
>> > +		ERR_error_string(e, buf);
>> > +		if (!silent)
>> > +			fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
>> > +		ERR_get_error();
>> > +	}
>> > +}
>> > +#endif
>> >  
>> >  static int rsa_err(const char *msg)
>> >  {
>> > @@ -98,6 +138,7 @@ err_cert:
>> >   * @evpp	Returns EVP_PKEY object, or NULL on failure
>> >   * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)
>> >   */
>> > +#ifdef USE_PKCS11_ENGINE
>> >  static int rsa_engine_get_pub_key(const char *keydir, const char *name,
>> >  				  ENGINE *engine, EVP_PKEY **evpp)
>> >  {
>> > @@ -157,6 +198,7 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
>> >  
>> >  	return 0;
>> >  }
>> > +#endif
>> >  
>> >  /**
>> >   * rsa_get_pub_key() - read a public key
>> > @@ -170,8 +212,10 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
>> 
>> With this change, the ENGINE pointer might be NULL (or undefined).
>> Can we please update the documentation comment to reflect this?
>> 
>> For example, we could reword as:
>>  * @engine	Engine to use or NULL when using pcks11 provider
>> 
>
> Sure, I can update the comment for v4.
>> >  static int rsa_get_pub_key(const char *keydir, const char *name,
>> >  			   ENGINE *engine, EVP_PKEY **evpp)
>> >  {
>> > +#ifdef USE_PKCS11_ENGINE
>> >  	if (engine)
>> >  		return rsa_engine_get_pub_key(keydir, name, engine, evpp);
>> > +#endif
>> >  	return rsa_pem_get_pub_key(keydir, name, evpp);
>> >  }
>> 
>> Actually, looking even closer at this function, it's seems to be called
>> only once.
>> 
>> Why can't we drop this function alltogether and call
>> rsa_engine_get_pub_key() / rsa_pem_get_pub_key() directly in
>> rsa_add_verify_data() ?
>> 
>> Reason I'm asking: in rsa_add_verify_data(), ENGINE *e is not used when
>> we use PROVIDER. It seems weird (and error prone) to pass a NULL pointer
>> to a function that does not need that argument
>> 
>
> Yes, we could drop rsa_get_pub_key(). It is set up as a helper function and
> only called once from rsa_add_verify_data().
>
> But I am hesitant to make any changes to the RSA API in this file. I
> want to limit the scope of this patch so that the existing code is
> unchanged for users of the Engine API. And I think removing this
> function would require adding more #ifdefs around the error handling in
> rsa_add_verify_data().

I'm fine as well if you keep it this way.

>
>> >  
>> > @@ -207,6 +251,37 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
>> >  		return -ENOENT;
>> >  	}
>> >  
>> > +#ifdef USE_PKCS11_PROVIDER
>> > +	EVP_PKEY *private_key = NULL;
>> > +	OSSL_STORE_CTX *store;
>> > +
>> > +	if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
>> > +		ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
>> > +	if (!OSSL_PROVIDER_try_load(NULL, "default", true))
>> > +		ERR(1, "OSSL_PROVIDER_try_load(default)");
>> > +
>> > +	store = OSSL_STORE_open(path, NULL, NULL, NULL, NULL);
>> > +	ERR(!store, "OSSL_STORE_open");
>> > +
>> > +	while (!OSSL_STORE_eof(store)) {
>> > +		OSSL_STORE_INFO *info = OSSL_STORE_load(store);
>> > +
>> > +		if (!info) {
>> > +			drain_openssl_errors(__LINE__, 0);
>> > +			continue;
>> > +		}
>> > +		if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
>> > +			private_key = OSSL_STORE_INFO_get1_PKEY(info);
>> > +			ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY");
>> > +		}
>> > +		OSSL_STORE_INFO_free(info);
>> > +		if (private_key)
>> > +			break;
>> > +	}
>> > +	OSSL_STORE_close(store);
>> > +
>> > +	*evpp = private_key;
>> > +#else
>> >  	if (!PEM_read_PrivateKey(f, evpp, NULL, path)) {
>> >  		rsa_err("Failure reading private key");
>> >  		fclose(f);
>> > @@ -214,6 +289,7 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
>> >  	}
>> >  	fclose(f);
>> >  
>> > +#endif
>> >  	return 0;
>> 
>> This block should be
>> 
>>  	fclose(f);
>> +#endif
>> 
>>  	return 0;
>> 
>> (not having a blank line between the fclose and the #endif)
>> 
>> >  }
>
> I'll clean that up in v4.
>> >  
>> > @@ -226,6 +302,7 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
>> >   * @evpp	Returns EVP_PKEY object, or NULL on failure
>> >   * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)
>> >   */
>> > +#ifdef USE_PKCS11_ENGINE
>> >  static int rsa_engine_get_priv_key(const char *keydir, const char *name,
>> >  				   const char *keyfile,
>> >  				   ENGINE *engine, EVP_PKEY **evpp)
>> > @@ -293,6 +370,7 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
>> >  
>> >  	return 0;
>> >  }
>> > +#endif
>> >  
>> >  /**
>> >   * rsa_get_priv_key() - read a private key
>> > @@ -306,9 +384,11 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
>> >  static int rsa_get_priv_key(const char *keydir, const char *name,
>> >  			    const char *keyfile, ENGINE *engine, EVP_PKEY **evpp)
>> >  {
>> > +#ifdef USE_PKCS11_ENGINE
>> >  	if (engine)
>> >  		return rsa_engine_get_priv_key(keydir, name, keyfile, engine,
>> >  					       evpp);
>> > +#endif
>> >  	return rsa_pem_get_priv_key(keydir, name, keyfile, evpp);
>> 
>> Same remark as for rsa_engine_get_pub_key. Can't we drop this static
>> function? It's only called once.
>> 
>> Maybe do a cleanup patch first, that gets rid of the static functions
>> and then do the provider support in a second patch of the same series?
>> 
>> I think it will reduce the amount of #ifdefs, which seems a good
>> argument.
>> 
>
> Again, I am trying to limit the scope of this proposal to preserve the
> existing code. If we remove the helper function rsa_get_priv_key() then
> the #ifdef guards also have to move inside the caller rsa_sign(). And
> since we would no longer be able to check the return value of
> rsa_get_priv_key() additional guards would be needed to recreate the
> return value logic that's already in the helper function.

No worries, I'm fine if you keep it this way for v4.

>
>
> Eddie

Re: [PATCH v3] Add support for OpenSSL Provider API

[Eddie Kovsky]

On 02/19/26, Tom Rini wrote:
> On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote:
> 
> > On 01/29/26, Mattijs Korpershoek wrote:
> > > Hi Eddie,
> > > 
> > > Thank you for the patch.
> > > 
> > 
> > Hi Mattijs
> > 
> > Thanks for the review.
> > 
> > > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
> > > 
> > > > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > > > users have been advised to migrate to the new Provider interface.
> > > > Several distributions have already removed support for engines, which is
> > > > preventing U-Boot from being compiled in those environments.
> > > >
> > > > Add support for the Provider API while continuing to support the existing
> > > > Engine API on distros shipping older releases of OpenSSL.
> > > >
> > > > This is based on similar work contributed by Jan Stancek updating Linux
> > > > to use the Provider interface.
> > > >
> > > >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > > >     Author: Jan Stancek <jstancek@redhat.com>
> > > >     Date:   Fri Sep 20 19:52:48 2024 +0300
> > > >
> > > >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> > > >
> > > > The changes have been tested with the FIT signature verification vboot
> > > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > > > Engine library installed and with the Provider API.
> > > >
> > > > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> [snip]
> > Sure, I can update the comment for v4.

Hi Tom

> 
> Since we're talking about v4, can you please make sure that for v4 it:
> - Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as
>   that will cover some non-Linux host builds.

I don't have resources available to set up a Gitlab runner. Based on the
documentation you provided it seems like this wouldn't be effective for
me as a non-custodian.

I did use GitHub to trigger an Azure pipeline. There was one failure and
several errors in the binman Command Line test.

    https://github.com/u-boot/u-boot/pull/875/checks?check_run_id=65015204887

These are PKCS11 errors, so of course I thought my patch was to blame.
But I'm seeing the same errors on Debian 13 running 'binman test'
manually on the master branch.

> - See if you can get access to a FreeBSD or OpenBSD host and make sure
>   the tools build still works there too? I was hoping Mark would have
>   commented / tested-by v3 because I do want to make sure the libressl
>   case still builds. At worst case, I have a freebie Oracle VM that's
>   FreeBSD based, so you can maybe spin one of those up as well?
> 

I spent some time again setting up OpenBSD and FreeBSD virtual machines, but I was
unable to reproduce the build environment for U-Boot. But thanks to
Enric and Mark's work it looks like we have the LibreSSL use case
covered now.


Eddie

Re: [PATCH v3] Add support for OpenSSL Provider API

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 3862 bytes --]

On Fri, Feb 27, 2026 at 10:36:53AM -0700, Eddie Kovsky wrote:
> On 02/19/26, Tom Rini wrote:
> > On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote:
> > 
> > > On 01/29/26, Mattijs Korpershoek wrote:
> > > > Hi Eddie,
> > > > 
> > > > Thank you for the patch.
> > > > 
> > > 
> > > Hi Mattijs
> > > 
> > > Thanks for the review.
> > > 
> > > > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
> > > > 
> > > > > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > > > > users have been advised to migrate to the new Provider interface.
> > > > > Several distributions have already removed support for engines, which is
> > > > > preventing U-Boot from being compiled in those environments.
> > > > >
> > > > > Add support for the Provider API while continuing to support the existing
> > > > > Engine API on distros shipping older releases of OpenSSL.
> > > > >
> > > > > This is based on similar work contributed by Jan Stancek updating Linux
> > > > > to use the Provider interface.
> > > > >
> > > > >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > > > >     Author: Jan Stancek <jstancek@redhat.com>
> > > > >     Date:   Fri Sep 20 19:52:48 2024 +0300
> > > > >
> > > > >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> > > > >
> > > > > The changes have been tested with the FIT signature verification vboot
> > > > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > > > > Engine library installed and with the Provider API.
> > > > >
> > > > > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> > [snip]
> > > Sure, I can update the comment for v4.
> 
> Hi Tom
> 
> > 
> > Since we're talking about v4, can you please make sure that for v4 it:
> > - Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as
> >   that will cover some non-Linux host builds.
> 
> I don't have resources available to set up a Gitlab runner. Based on the
> documentation you provided it seems like this wouldn't be effective for
> me as a non-custodian.

Yes, correct, today using Azure is the easy option.

> I did use GitHub to trigger an Azure pipeline. There was one failure and
> several errors in the binman Command Line test.
> 
>     https://github.com/u-boot/u-boot/pull/875/checks?check_run_id=65015204887

And the full log is:
https://dev.azure.com/u-boot/u-boot/_build/results?buildId=12893&view=logs&j=c59aff74-743b-5f08-f408-4a608a489153&t=f2ea3536-b291-5a39-ad92-0220c9b8101a

and so yes, it's from your changes.

> These are PKCS11 errors, so of course I thought my patch was to blame.
> But I'm seeing the same errors on Debian 13 running 'binman test'
> manually on the master branch.

Some of the tests are indeed more frustrating than others to run either
outside of CI, or outside of the containers, or both. I would recommend
looking at the portion of .azure-pipelines.yml for that job for the
steps to replicate, and if it doesn't work inside of your host (and
https://docs.u-boot.org/en/latest/build/gcc.html is still missing
things) it's easiest to just pull and run the CI container.

> > - See if you can get access to a FreeBSD or OpenBSD host and make sure
> >   the tools build still works there too? I was hoping Mark would have
> >   commented / tested-by v3 because I do want to make sure the libressl
> >   case still builds. At worst case, I have a freebie Oracle VM that's
> >   FreeBSD based, so you can maybe spin one of those up as well?
> > 
> 
> I spent some time again setting up OpenBSD and FreeBSD virtual machines, but I was
> unable to reproduce the build environment for U-Boot. But thanks to
> Enric and Mark's work it looks like we have the LibreSSL use case
> covered now.

Yes, thanks.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH v3] Add support for OpenSSL Provider API

[Eddie Kovsky]

On 02/27/26, Tom Rini wrote:
> On Fri, Feb 27, 2026 at 10:36:53AM -0700, Eddie Kovsky wrote:
> > On 02/19/26, Tom Rini wrote:
> > > On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote:
> > > 
> > > > On 01/29/26, Mattijs Korpershoek wrote:
> > > > > Hi Eddie,
> > > > > 
> > > > > Thank you for the patch.
> > > > > 
> > > > 
> > > > Hi Mattijs
> > > > 
> > > > Thanks for the review.
> > > > 
> > > > > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
> > > > > 
> > > > > > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > > > > > users have been advised to migrate to the new Provider interface.
> > > > > > Several distributions have already removed support for engines, which is
> > > > > > preventing U-Boot from being compiled in those environments.
> > > > > >
> > > > > > Add support for the Provider API while continuing to support the existing
> > > > > > Engine API on distros shipping older releases of OpenSSL.
> > > > > >
> > > > > > This is based on similar work contributed by Jan Stancek updating Linux
> > > > > > to use the Provider interface.
> > > > > >
> > > > > >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > > > > >     Author: Jan Stancek <jstancek@redhat.com>
> > > > > >     Date:   Fri Sep 20 19:52:48 2024 +0300
> > > > > >
> > > > > >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> > > > > >
> > > > > > The changes have been tested with the FIT signature verification vboot
> > > > > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > > > > > Engine library installed and with the Provider API.
> > > > > >
> > > > > > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> > > [snip]
> > > > Sure, I can update the comment for v4.
> > 
> > Hi Tom
> > 
> > > 
> > > Since we're talking about v4, can you please make sure that for v4 it:
> > > - Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as
> > >   that will cover some non-Linux host builds.
> > 
> > I don't have resources available to set up a Gitlab runner. Based on the
> > documentation you provided it seems like this wouldn't be effective for
> > me as a non-custodian.
> 
> Yes, correct, today using Azure is the easy option.
> 
> > I did use GitHub to trigger an Azure pipeline. There was one failure and
> > several errors in the binman Command Line test.
> > 
> >     https://github.com/u-boot/u-boot/pull/875/checks?check_run_id=65015204887
> 
> And the full log is:
> https://dev.azure.com/u-boot/u-boot/_build/results?buildId=12893&view=logs&j=c59aff74-743b-5f08-f408-4a608a489153&t=f2ea3536-b291-5a39-ad92-0220c9b8101a
> 
> and so yes, it's from your changes.
> 
> > These are PKCS11 errors, so of course I thought my patch was to blame.
> > But I'm seeing the same errors on Debian 13 running 'binman test'
> > manually on the master branch.
> 
> Some of the tests are indeed more frustrating than others to run either
> outside of CI, or outside of the containers, or both. I would recommend
> looking at the portion of .azure-pipelines.yml for that job for the
> steps to replicate, and if it doesn't work inside of your host (and
> https://docs.u-boot.org/en/latest/build/gcc.html is still missing
> things) it's easiest to just pull and run the CI container.
> 
> > > - See if you can get access to a FreeBSD or OpenBSD host and make sure
> > >   the tools build still works there too? I was hoping Mark would have
> > >   commented / tested-by v3 because I do want to make sure the libressl
> > >   case still builds. At worst case, I have a freebie Oracle VM that's
> > >   FreeBSD based, so you can maybe spin one of those up as well?
> > > 
> > 
> > I spent some time again setting up OpenBSD and FreeBSD virtual machines, but I was
> > unable to reproduce the build environment for U-Boot. But thanks to
> > Enric and Mark's work it looks like we have the LibreSSL use case
> > covered now.
> 
> Yes, thanks.
> 
> -- 
> Tom

I finally got to the bottom of this. Debian/Ubuntu ship OpenSSL backends
separately. The CI environment is missing the 'pkcs11-provider'
package, which is causing the binman tests to fail.

    $ apt show pkcs11-provider
    Package: pkcs11-provider
    Version: 1.0-3
    Priority: optional
    Section: libs
    Maintainer: Luca Boccassi <bluca@debian.org>
    Installed-Size: 410 kB
    Depends: libc6 (>= 2.34), libssl3t64 (>= 3.0.7~)
    Homepage: https://github.com/latchset/pkcs11-provider
    Download-Size: 125 kB
    APT-Manual-Installed: yes
    APT-Sources: http://ftp.debian.org/debian stable/main amd64 Packages
    Description: OpenSSL 3 provider for PKCS11
    With this provider for OpenSSL you can use the OpenSSL library
    (version 3) and command line tools with any PKCS11 implementation as
    backend for the crypto operations.

With this package installed the SSL errors logged on Azure are no longer reproducible.

The results from the first pipeline expired while I was investigating
this. I reran the CI job so you can see the error messages.

    https://dev.azure.com/u-boot/u-boot/_build/results?buildId=13035&view=logs&j=c59aff74-743b-5f08-f408-4a608a489153&t=f2ea3536-b291-5a39-ad92-0220c9b8101a

I have looked into the .azure-pipelines.yml file, but it's not clear to
me how to configure the CI to install extra packages.


Eddie

Re: [PATCH v3] Add support for OpenSSL Provider API

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 6079 bytes --]

On Wed, Apr 01, 2026 at 04:05:29PM -0600, Eddie Kovsky wrote:
> On 02/27/26, Tom Rini wrote:
> > On Fri, Feb 27, 2026 at 10:36:53AM -0700, Eddie Kovsky wrote:
> > > On 02/19/26, Tom Rini wrote:
> > > > On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote:
> > > > 
> > > > > On 01/29/26, Mattijs Korpershoek wrote:
> > > > > > Hi Eddie,
> > > > > > 
> > > > > > Thank you for the patch.
> > > > > > 
> > > > > 
> > > > > Hi Mattijs
> > > > > 
> > > > > Thanks for the review.
> > > > > 
> > > > > > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
> > > > > > 
> > > > > > > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > > > > > > users have been advised to migrate to the new Provider interface.
> > > > > > > Several distributions have already removed support for engines, which is
> > > > > > > preventing U-Boot from being compiled in those environments.
> > > > > > >
> > > > > > > Add support for the Provider API while continuing to support the existing
> > > > > > > Engine API on distros shipping older releases of OpenSSL.
> > > > > > >
> > > > > > > This is based on similar work contributed by Jan Stancek updating Linux
> > > > > > > to use the Provider interface.
> > > > > > >
> > > > > > >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > > > > > >     Author: Jan Stancek <jstancek@redhat.com>
> > > > > > >     Date:   Fri Sep 20 19:52:48 2024 +0300
> > > > > > >
> > > > > > >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> > > > > > >
> > > > > > > The changes have been tested with the FIT signature verification vboot
> > > > > > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > > > > > > Engine library installed and with the Provider API.
> > > > > > >
> > > > > > > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> > > > [snip]
> > > > > Sure, I can update the comment for v4.
> > > 
> > > Hi Tom
> > > 
> > > > 
> > > > Since we're talking about v4, can you please make sure that for v4 it:
> > > > - Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as
> > > >   that will cover some non-Linux host builds.
> > > 
> > > I don't have resources available to set up a Gitlab runner. Based on the
> > > documentation you provided it seems like this wouldn't be effective for
> > > me as a non-custodian.
> > 
> > Yes, correct, today using Azure is the easy option.
> > 
> > > I did use GitHub to trigger an Azure pipeline. There was one failure and
> > > several errors in the binman Command Line test.
> > > 
> > >     https://github.com/u-boot/u-boot/pull/875/checks?check_run_id=65015204887
> > 
> > And the full log is:
> > https://dev.azure.com/u-boot/u-boot/_build/results?buildId=12893&view=logs&j=c59aff74-743b-5f08-f408-4a608a489153&t=f2ea3536-b291-5a39-ad92-0220c9b8101a
> > 
> > and so yes, it's from your changes.
> > 
> > > These are PKCS11 errors, so of course I thought my patch was to blame.
> > > But I'm seeing the same errors on Debian 13 running 'binman test'
> > > manually on the master branch.
> > 
> > Some of the tests are indeed more frustrating than others to run either
> > outside of CI, or outside of the containers, or both. I would recommend
> > looking at the portion of .azure-pipelines.yml for that job for the
> > steps to replicate, and if it doesn't work inside of your host (and
> > https://docs.u-boot.org/en/latest/build/gcc.html is still missing
> > things) it's easiest to just pull and run the CI container.
> > 
> > > > - See if you can get access to a FreeBSD or OpenBSD host and make sure
> > > >   the tools build still works there too? I was hoping Mark would have
> > > >   commented / tested-by v3 because I do want to make sure the libressl
> > > >   case still builds. At worst case, I have a freebie Oracle VM that's
> > > >   FreeBSD based, so you can maybe spin one of those up as well?
> > > > 
> > > 
> > > I spent some time again setting up OpenBSD and FreeBSD virtual machines, but I was
> > > unable to reproduce the build environment for U-Boot. But thanks to
> > > Enric and Mark's work it looks like we have the LibreSSL use case
> > > covered now.
> > 
> > Yes, thanks.
> > 
> > -- 
> > Tom
> 
> I finally got to the bottom of this. Debian/Ubuntu ship OpenSSL backends
> separately. The CI environment is missing the 'pkcs11-provider'
> package, which is causing the binman tests to fail.
> 
>     $ apt show pkcs11-provider
>     Package: pkcs11-provider
>     Version: 1.0-3
>     Priority: optional
>     Section: libs
>     Maintainer: Luca Boccassi <bluca@debian.org>
>     Installed-Size: 410 kB
>     Depends: libc6 (>= 2.34), libssl3t64 (>= 3.0.7~)
>     Homepage: https://github.com/latchset/pkcs11-provider
>     Download-Size: 125 kB
>     APT-Manual-Installed: yes
>     APT-Sources: http://ftp.debian.org/debian stable/main amd64 Packages
>     Description: OpenSSL 3 provider for PKCS11
>     With this provider for OpenSSL you can use the OpenSSL library
>     (version 3) and command line tools with any PKCS11 implementation as
>     backend for the crypto operations.
> 
> With this package installed the SSL errors logged on Azure are no longer reproducible.
> 
> The results from the first pipeline expired while I was investigating
> this. I reran the CI job so you can see the error messages.
> 
>     https://dev.azure.com/u-boot/u-boot/_build/results?buildId=13035&view=logs&j=c59aff74-743b-5f08-f408-4a608a489153&t=f2ea3536-b291-5a39-ad92-0220c9b8101a
> 
> I have looked into the .azure-pipelines.yml file, but it's not clear to
> me how to configure the CI to install extra packages.

Ah, OK. So the package needs to be added to tools/docker/Dockerfile (and
doc/build/gcc.rst). For testing changes out, you can then modify
.azure-pipelines.yml to point at your image, rather than the default
image. Or hack in a "sudo apt-get update && sudo apt-get install ..." to
the job.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]