On 10/17/25, Tom Rini wrote:
> On Fri, Oct 17, 2025 at 11:13:27AM -0600, Eddie Kovsky wrote:
>
> > The Engine API has been deprecated since the release of OpenSSL 3.0. End users
> > have been advised to migrate to the new Provider interface. Several
> > distributions have already removed support for engines, which is preventing
> > U-Boot from being compiled in those environments.
> >
> > The Kconfig option OPENSSL_NO_DEPRECATED introduces support for the Provider API
> > while continuing to use the existing Engine API on distros shipping older
> > releases of OpenSSL.
> >
> > This is based on similar work contributed by Jan Stancek
> > updating Linux to use the Provider interface.
> >
> > commit 558bdc45dfb2669e1741384a0c80be9c82fa052c
> > Author: Jan Stancek <[email protected]>
> > Date: Fri Sep 20 19:52:48 2024 +0300
> >
> > sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> >
> > The changes have been tested with the FIT signature verification vboot tests on
> > Fedora 42 and Debian 13. All 30 tests pass with both the legacy Engine library
> > installed and with the Provider API.
> >
> > Signed-off-by: Eddie Kovsky <[email protected]>
> > ---
> > lib/aes/aes-encrypt.c | 2 +
> > lib/rsa/Kconfig | 8 ++++
> > lib/rsa/rsa-sign.c | 93 ++++++++++++++++++++++++++++++++++++++++++-
> > 3 files changed, 101 insertions(+), 2 deletions(-)
>
> Thanks for doing this, I'm glad to see the work, and my comments are
> really style things to fix up and v2 once there's been time for real
> content comments if any.
>
> [snip]
> > diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
> > index 9033384e60a3..622f06f8dba0 100644
> > --- a/lib/rsa/Kconfig
> > +++ b/lib/rsa/Kconfig
> > @@ -20,6 +20,14 @@ config SPL_RSA
> > bool "Use RSA Library within SPL"
> > depends on SPL
> >
> > +config OPENSSL_NO_DEPRECATED
> > + bool "Build U-Boot without support for OpenSSL Engine"
> > + default n
>
> This is the default, you can drop this.
>
> [snip]
> > diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
> > index 92b9d7876e52..9ebbcdfd52f3 100644
> > --- a/lib/rsa/rsa-sign.c
> > +++ b/lib/rsa/rsa-sign.c
> > @@ -19,15 +19,51 @@
> > #include <openssl/err.h>
> > #include <openssl/ssl.h>
> > #include <openssl/evp.h>
> > +#if (IS_ENABLED(CONFIG_OPENSSL_NO_DEPRECATED))
> > +#include <err.h>
> > +#include <openssl/provider.h>
> > +#include <openssl/store.h>
> > +#else
> > #include <openssl/engine.h>
> > +#endif // CONFIG_OPENSSL_NO_DEPRECATED
>
> Two things (here and elsewhere). One, since we're generally using
> '#ifndef CONFIG_OPENSSL_NO_DEPRECATED' just using '#ifdef
> CONFIG_OPENSSL_NO_DEPRECATED' is fine, using a macro here is not aiding
> readability. Two, if the if/else/endif is within the patch context we
> really don't need a comment on the endif part.
>
> --
> Tom
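Review bot: In the lib/rsa/Kconfig hunk, the prompt on the new OPENSSL_NO_DEPRECATED entry only states what is removed ("Build U-Boot without support for OpenSSL Engine"), while the patch description says the option is what switches the code to the Provider API. The symbol also shares its name with OpenSSL's own OPENSSL_NO_DEPRECATED macro, which hides every deprecated API and not only ENGINE, so a reader may expect a wider effect than this option has. Consider a prompt that names the Provider path and, if it is not already in the snipped lines, help text saying the option is meant for hosts whose OpenSSL no longer ships engine support.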
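Review bot: In the lib/rsa/rsa-sign.c include block, the CONFIG_OPENSSL_NO_DEPRECATED branch adds `#include <err.h>`, a non-standard header (the BSD/glibc err()/warn() family) that is not provided by every host C library, and whose err()/errx() calls terminate the process instead of returning an error to the caller. The file already includes <openssl/err.h> for OpenSSL error reporting, so unless a later hunk depends on <err.h> the include can be dropped; if one does, reporting the failure through the OpenSSL error queue and a return code keeps the Provider path consistent with the Engine path.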
Hi Tom

I was trying to stick to the coding guidelines as closely as possible.
But I'm happy to replace the macro usage with standard #ifdef. I will
remove the extra comments and the default Kconfig as well when I send a v2.

Thanks
Eddie

