Re: [PATCH v3] Add support for OpenSSL Provider API

[Tom Rini <trini@konsulko.com>]

[-- Attachment #1: Type: text/plain, Size: 6079 bytes --]

On Wed, Apr 01, 2026 at 04:05:29PM -0600, Eddie Kovsky wrote:
> On 02/27/26, Tom Rini wrote:
> > On Fri, Feb 27, 2026 at 10:36:53AM -0700, Eddie Kovsky wrote:
> > > On 02/19/26, Tom Rini wrote:
> > > > On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote:
> > > > 
> > > > > On 01/29/26, Mattijs Korpershoek wrote:
> > > > > > Hi Eddie,
> > > > > > 
> > > > > > Thank you for the patch.
> > > > > > 
> > > > > 
> > > > > Hi Mattijs
> > > > > 
> > > > > Thanks for the review.
> > > > > 
> > > > > > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
> > > > > > 
> > > > > > > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > > > > > > users have been advised to migrate to the new Provider interface.
> > > > > > > Several distributions have already removed support for engines, which is
> > > > > > > preventing U-Boot from being compiled in those environments.
> > > > > > >
> > > > > > > Add support for the Provider API while continuing to support the existing
> > > > > > > Engine API on distros shipping older releases of OpenSSL.
> > > > > > >
> > > > > > > This is based on similar work contributed by Jan Stancek updating Linux
> > > > > > > to use the Provider interface.
> > > > > > >
> > > > > > >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > > > > > >     Author: Jan Stancek <jstancek@redhat.com>
> > > > > > >     Date:   Fri Sep 20 19:52:48 2024 +0300
> > > > > > >
> > > > > > >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> > > > > > >
> > > > > > > The changes have been tested with the FIT signature verification vboot
> > > > > > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > > > > > > Engine library installed and with the Provider API.
> > > > > > >
> > > > > > > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> > > > [snip]
> > > > > Sure, I can update the comment for v4.
> > > 
> > > Hi Tom
> > > 
> > > > 
> > > > Since we're talking about v4, can you please make sure that for v4 it:
> > > > - Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as
> > > >   that will cover some non-Linux host builds.
> > > 
> > > I don't have resources available to set up a Gitlab runner. Based on the
> > > documentation you provided it seems like this wouldn't be effective for
> > > me as a non-custodian.
> > 
> > Yes, correct, today using Azure is the easy option.
> > 
> > > I did use GitHub to trigger an Azure pipeline. There was one failure and
> > > several errors in the binman Command Line test.
> > > 
> > >     https://github.com/u-boot/u-boot/pull/875/checks?check_run_id=65015204887
> > 
> > And the full log is:
> > https://dev.azure.com/u-boot/u-boot/_build/results?buildId=12893&view=logs&j=c59aff74-743b-5f08-f408-4a608a489153&t=f2ea3536-b291-5a39-ad92-0220c9b8101a
> > 
> > and so yes, it's from your changes.
> > 
> > > These are PKCS11 errors, so of course I thought my patch was to blame.
> > > But I'm seeing the same errors on Debian 13 running 'binman test'
> > > manually on the master branch.
> > 
> > Some of the tests are indeed more frustrating than others to run either
> > outside of CI, or outside of the containers, or both. I would recommend
> > looking at the portion of .azure-pipelines.yml for that job for the
> > steps to replicate, and if it doesn't work inside of your host (and
> > https://docs.u-boot.org/en/latest/build/gcc.html is still missing
> > things) it's easiest to just pull and run the CI container.
> > 
> > > > - See if you can get access to a FreeBSD or OpenBSD host and make sure
> > > >   the tools build still works there too? I was hoping Mark would have
> > > >   commented / tested-by v3 because I do want to make sure the libressl
> > > >   case still builds. At worst case, I have a freebie Oracle VM that's
> > > >   FreeBSD based, so you can maybe spin one of those up as well?
> > > > 
> > > 
> > > I spent some time again setting up OpenBSD and FreeBSD virtual machines, but I was
> > > unable to reproduce the build environment for U-Boot. But thanks to
> > > Enric and Mark's work it looks like we have the LibreSSL use case
> > > covered now.
> > 
> > Yes, thanks.
> > 
> > -- 
> > Tom
> 
> I finally got to the bottom of this. Debian/Ubuntu ship OpenSSL backends
> separately. The CI environment is missing the 'pkcs11-provider'
> package, which is causing the binman tests to fail.
> 
>     $ apt show pkcs11-provider
>     Package: pkcs11-provider
>     Version: 1.0-3
>     Priority: optional
>     Section: libs
>     Maintainer: Luca Boccassi <bluca@debian.org>
>     Installed-Size: 410 kB
>     Depends: libc6 (>= 2.34), libssl3t64 (>= 3.0.7~)
>     Homepage: https://github.com/latchset/pkcs11-provider
>     Download-Size: 125 kB
>     APT-Manual-Installed: yes
>     APT-Sources: http://ftp.debian.org/debian stable/main amd64 Packages
>     Description: OpenSSL 3 provider for PKCS11
>     With this provider for OpenSSL you can use the OpenSSL library
>     (version 3) and command line tools with any PKCS11 implementation as
>     backend for the crypto operations.
> 
> With this package installed the SSL errors logged on Azure are no longer reproducible.
> 
> The results from the first pipeline expired while I was investigating
> this. I reran the CI job so you can see the error messages.
> 
>     https://dev.azure.com/u-boot/u-boot/_build/results?buildId=13035&view=logs&j=c59aff74-743b-5f08-f408-4a608a489153&t=f2ea3536-b291-5a39-ad92-0220c9b8101a
> 
> I have looked into the .azure-pipelines.yml file, but it's not clear to
> me how to configure the CI to install extra packages.

Ah, OK. So the package needs to be added to tools/docker/Dockerfile (and
doc/build/gcc.rst). For testing changes out, you can then modify
.azure-pipelines.yml to point at your image, rather than the default
image. Or hack in a "sudo apt-get update && sudo apt-get install ..." to
the job.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]