From: Eddie Kovsky <ekovsky@redhat.com>
To: Mark Kettenis <mark.kettenis@xs4all.nl>
Cc: trini@konsulko.com, loic.poulain@linaro.org, tobias@eub.se,
paul.henrys_ext@softathome.com, sjg@chromium.org,
jstancek@redhat.com, eballetb@redhat.com, u-boot@lists.denx.de
Subject: Re: [PATCH] Add support for OpenSSL Provider API
Date: Wed, 22 Oct 2025 17:03:17 -0600
Message-ID: <aPlitSZ8x1yqHFHG@daedalus>
In-Reply-To: <87347gpi7s.fsf@bloch.sibelius.xs4all.nl>
On 10/18/25, Mark Kettenis wrote:
> > From: Eddie Kovsky <ekovsky@redhat.com>
> > Date: Fri, 17 Oct 2025 11:13:27 -0600
> >
> > The Engine API has been deprecated since the release of OpenSSL
> > 3.0. End users have been advised to migrate to the new Provider
> > interface. Several distributions have already removed support for
> > engines, which is preventing U-Boot from being compiled in those
> > environments.
> >
> > The Kconfig option OPENSSL_NO_DEPRECATED introduces support for the
> > Provider API while continuing to use the existing Engine API on
> > distros shipping older releases of OpenSSL.
> >
> > This is based on similar work contributed by Jan Stancek
> > updating Linux to use the Provider interface.
> >
> > commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > Author: Jan Stancek <jstancek@redhat.com>
> > Date: Fri Sep 20 19:52:48 2024 +0300
> >
> > sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> >
> > The changes have been tested with the FIT signature verification
> > vboot tests on Fedora 42 and Debian 13. All 30 tests pass with both
> > the legacy Engine library installed and with the Provider API.
>
> Did you test this with LibreSSL?
>
Hi Mark,

No, I did not test this patch with LibreSSL. OpenSSL is the build
dependency for U-Boot, so that's what I was focused on. The LibreSSL
project states that "The OpenSSL 3 API is not currently supported."

I did make sure to add #ifdef guards throughout the existing code so
that users who do not enable this configuration option can continue to
use the engine interface. That should also work for users who substitute
LibreSSL on their systems.

I did attempt to use the libretls package since you first asked about
this, but I wasn't able to get the build to compile. Is this something
you would be able to verify? I'd be happy to add your Tested-by.

Thanks,
Eddie
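As an added example that is not part of the patch or of this thread, the following POSIX shell probe applies the rule the commit message describes (Provider API on OpenSSL 3, legacy Engine API on older releases) to a host include directory and reports which backend the host tools can be built against; the function names, the three outcome labels and the constructed header fragments used to exercise it are assumptions, not U-Boot code.

```sh
# Added example, not code from the U-Boot patch: probe an include directory
# ($1, e.g. /usr/include) and apply the commit's rule to report which OpenSSL
# key backend the host tools can be built against. Outcomes (assumed names):
#   provider - OpenSSL 3+: enable the Provider API (CONFIG_OPENSSL_NO_DEPRECATED=y)
#   engine   - OpenSSL 1.x that still ships the Engine API: leave the option off
#   none     - headers missing, or an engine-less build too old for providers

openssl_major() {
	# OpenSSL 3 defines OPENSSL_VERSION_MAJOR; 1.x only has the packed
	# OPENSSL_VERSION_NUMBER (0xMNNFFPPS), whose first hex digit is M.
	hdr="$1/openssl/opensslv.h"
	[ -f "$hdr" ] || return 1
	major=$(sed -n 's/^# *define OPENSSL_VERSION_MAJOR  *\([0-9][0-9]*\).*/\1/p' "$hdr")
	if [ -z "$major" ]; then
		num=$(sed -n 's/^# *define OPENSSL_VERSION_NUMBER  *0x\([0-9A-Fa-f]*\).*/\1/p' "$hdr")
		major=$(printf '%s' "$num" | cut -c1)
		case "$major" in [0-9]) ;; *) return 1 ;; esac
	fi
	echo "$major"
}

engines_disabled() {
	# A "no-engine" build defines OPENSSL_NO_ENGINE (configuration.h on
	# OpenSSL 3, opensslconf.h on 1.x); some distros instead drop engine.h.
	for f in "$1/openssl/configuration.h" "$1/openssl/opensslconf.h"; do
		[ -f "$f" ] && grep -q '^# *define OPENSSL_NO_ENGINE' "$f" && return 0
	done
	[ -f "$1/openssl/engine.h" ] || return 0
	return 1
}

select_key_backend() {
	major=$(openssl_major "$1") || { echo none; return 1; }
	if [ "$major" -ge 3 ]; then
		echo provider
	elif engines_disabled "$1"; then
		echo none
		return 1
	else
		echo engine
	fi
}

# Usage: select_key_backend /usr/include
[ $# -eq 0 ] || select_key_backend "$1"
```

A non-zero exit with `none` is the case the commit message warns about: a distribution that has removed engine support while the build still expects the Engine API.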