Re: [PATCH v3] Add support for OpenSSL Provider API

[Eddie Kovsky <ekovsky@redhat.com>]

On 02/19/26, Tom Rini wrote:
> On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote:
> 
> > On 01/29/26, Mattijs Korpershoek wrote:
> > > Hi Eddie,
> > > 
> > > Thank you for the patch.
> > > 
> > 
> > Hi Mattijs
> > 
> > Thanks for the review.
> > 
> > > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <ekovsky@redhat.com> wrote:
> > > 
> > > > The Engine API has been deprecated since the release of OpenSSL 3.0. End
> > > > users have been advised to migrate to the new Provider interface.
> > > > Several distributions have already removed support for engines, which is
> > > > preventing U-Boot from being compiled in those environments.
> > > >
> > > > Add support for the Provider API while continuing to support the existing
> > > > Engine API on distros shipping older releases of OpenSSL.
> > > >
> > > > This is based on similar work contributed by Jan Stancek updating Linux
> > > > to use the Provider interface.
> > > >
> > > >     commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > > >     Author: Jan Stancek <jstancek@redhat.com>
> > > >     Date:   Fri Sep 20 19:52:48 2024 +0300
> > > >
> > > >         sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> > > >
> > > > The changes have been tested with the FIT signature verification vboot
> > > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy
> > > > Engine library installed and with the Provider API.
> > > >
> > > > Signed-off-by: Eddie Kovsky <ekovsky@redhat.com>
> [snip]
> > Sure, I can update the comment for v4.

Hi Tom

> 
> Since we're talking about v4, can you please make sure that for v4 it:
> - Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as
>   that will cover some non-Linux host builds.

I don't have resources available to set up a Gitlab runner. Based on the
documentation you provided it seems like this wouldn't be effective for
me as a non-custodian.

I did use GitHub to trigger an Azure pipeline. There was one failure and
several errors in the binman Command Line test.

    https://github.com/u-boot/u-boot/pull/875/checks?check_run_id=65015204887

These are PKCS11 errors, so of course I thought my patch was to blame.
But I'm seeing the same errors on Debian 13 running 'binman test'
manually on the master branch.

> - See if you can get access to a FreeBSD or OpenBSD host and make sure
>   the tools build still works there too? I was hoping Mark would have
>   commented / tested-by v3 because I do want to make sure the libressl
>   case still builds. At worst case, I have a freebie Oracle VM that's
>   FreeBSD based, so you can maybe spin one of those up as well?
> 

I spent some time again setting up OpenBSD and FreeBSD virtual machines, but I was
unable to reproduce the build environment for U-Boot. But thanks to
Enric and Mark's work it looks like we have the LibreSSL use case
covered now.


Eddie