From: Eddie Kovsky <ekovsky@redhat.com>
To: Tom Rini <trini@konsulko.com>
Cc: Loic Poulain <loic.poulain@linaro.org>,
Tobias Olausson <tobias@eub.se>,
Paul HENRYS <paul.henrys_ext@softathome.com>,
Simon Glass <sjg@chromium.org>, Jan Stancek <jstancek@redhat.com>,
Enric Balletbo i Serra <eballetb@redhat.com>,
u-boot@lists.denx.de
Subject: Re: [PATCH] Add support for OpenSSL Provider API
Date: Wed, 22 Oct 2025 16:44:03 -0600 [thread overview]
Message-ID: <aPleM45ai8EJhmZO@daedalus> (raw)
In-Reply-To: <20251017215745.GJ6688@bill-the-cat>
On 10/17/25, Tom Rini wrote:
> On Fri, Oct 17, 2025 at 11:13:27AM -0600, Eddie Kovsky wrote:
>
> > The Engine API has been deprecated since the release of OpenSSL 3.0. End users
> > have been advised to migrate to the new Provider interface. Several
> > distributions have already removed support for engines, which is preventing
> > U-Boot from being compiled in those environments.
> >
> > The Kconfig option OPENSSL_NO_DEPRECATED introduces support for the Provider API
> > while continuing to use the existing Engine API on distros shipping older
> > releases of OpenSSL.
> >
> > This is based on similar work contributed by Jan Stancek
> > updating Linux to use the Provider interface.
> >
> > commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > Author: Jan Stancek <jstancek@redhat.com>
> > Date: Fri Sep 20 19:52:48 2024 +0300
> >
> > sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> >
> > The changes have been tested with the FIT signature verification vboot tests on
> > Fedora 42 and Debian 13. All 30 tests pass with both the legacy Engine library
> > installed and with the Provider API.
> >
> > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> > ---
> > lib/aes/aes-encrypt.c | 2 +
> > lib/rsa/Kconfig | 8 ++++
> > lib/rsa/rsa-sign.c | 93 ++++++++++++++++++++++++++++++++++++++++++-
> > 3 files changed, 101 insertions(+), 2 deletions(-)
>
> Thanks for doing this, I'm glad to see the work, and my comments are
> really style things to fix up and v2 once there's been time for real
> content comments if any.
>
> [snip]
> > diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
> > index 9033384e60a3..622f06f8dba0 100644
> > --- a/lib/rsa/Kconfig
> > +++ b/lib/rsa/Kconfig
> > @@ -20,6 +20,14 @@ config SPL_RSA
> > bool "Use RSA Library within SPL"
> > depends on SPL
> >
> > +config OPENSSL_NO_DEPRECATED
> > + bool "Build U-Boot without support for OpenSSL Engine"
> > + default n
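Review bot: `default n` on the last line of this hunk is redundant, since a Kconfig bool without a default is already n, and the option name says which API is disabled rather than which one is selected; a help text stating that it must be enabled when the host OpenSSL is a 3.x build without engine support (the condition the cover letter describes) would make the choice clearer, because this symbol alone decides which OpenSSL headers lib/rsa/rsa-sign.c includes.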
>
> This is the default, you can drop this.
>
> [snip]
> > diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
> > index 92b9d7876e52..9ebbcdfd52f3 100644
> > --- a/lib/rsa/rsa-sign.c
> > +++ b/lib/rsa/rsa-sign.c
> > @@ -19,15 +19,51 @@
> > #include <openssl/err.h>
> > #include <openssl/ssl.h>
> > #include <openssl/evp.h>
> > +#if (IS_ENABLED(CONFIG_OPENSSL_NO_DEPRECATED))
> > +#include <err.h>
> > +#include <openssl/provider.h>
> > +#include <openssl/store.h>
> > +#else
> > #include <openssl/engine.h>
> > +#endif // CONFIG_OPENSSL_NO_DEPRECATED
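Review bot: the header selection at the top of this hunk depends only on the user-set CONFIG_OPENSSL_NO_DEPRECATED, so a build with it unset on a host whose OpenSSL has dropped engine.h still fails, and one with it set against OpenSSL 1.1 fails on the missing provider.h and store.h; the referenced sign-file commit keys on "OPENSSL MAJOR >= 3" instead, and doing the same here via `#include <openssl/opensslv.h>` and `#if OPENSSL_VERSION_MAJOR >= 3` (or using that check as the option's default) would keep the host tool in step with the installed library. Also, `#include <err.h>` is a BSD/glibc host header rather than part of OpenSSL, so it does not belong in the provider-specific branch unless the provider code path is the only one that uses it.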
>
> Two things (here and elsewhere). One, since we're generally using
> '#ifndef CONFIG_OPENSSL_NO_DEPRECATED' just using '#ifdef
> CONFIG_OPENSSL_NO_DEPRECATED' is fine, using a macro here is not aiding
> readability. Two, if the if/else/endif is within the patch context we
> really don't need a comment on the endif part.
>
> --
> Tom
Hi Tom
I was trying to stick to the coding guidelines as closely as possible.
But I'm happy to replace the macro usage with standard #ifdef. I will
remove the extra comments and the default Kconfig as well when I send a
v2.
Thanks
Eddie