On Mon, Jan 05, 2026 at 10:36:04AM +0100, Mattijs Korpershoek wrote: > On Mon, Dec 22, 2025 at 10:38, Eddie Kovsky <[email protected]> wrote: > > > On 12/11/25, Mattijs Korpershoek wrote: > >> Hi Eddie, > >> > >> Thank you for working on this. It would be really nice if we could build > >> U-Boot on more recent Linux distros without bridge packages such as > >> openssl-devel-engine. > >> > >> > >> I also don't linke this double negative. > >> As you already shared, Linux solved this via: > >> > >> #if OPENSSL_VERSION_MAJOR >= 3 > >> > >> Why can't we have something similar? > >> See: > >> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=558bdc45dfb2669e1741384a0c80be9c82fa052c > >> > > > > Hi Mattijs > > > > Yes, we could also implement it this way with the extra USE_PKCS11_XXX > > symbol. Jan's original patch I based my work on does something similar, > > and I perhaps oversimplified it. > > In my experience, when porting things from the Linux kernel into U-Boot, > we try to keep the code as similar as possible. This helps reducing > maintainance burden. > > Sometimes, we can't do that. In that case, we should explain why. > > Do we have a strong reason for *not* reusing OPENSSL_VERSION_MAJOR with > USE_PKCS11_XXX ? > > [...] > > >> >> > >> > > >> > It's not the prettiest code. But I'm trying to be very conservative > >> > in making these changes so that no one's workflow is disrupted. > >> > Developers should be able to build U-Boot with the latest OpenSSL > >> > without impacting developers who are in environments utilizing the > >> > Engine API. The goal here is to preserve feature parity between the two > >> > APIs. Adding support for custom Providers is outside the scope of this > >> > change, but could certainly be added later. > >> > >> I'd be in favor to drop CONFIG_OPENSSL_NO_DEPRECATED all together and > >> just use "#if OPENSSL_VERSION_MAJOR >= 3". > >> > >> Tom, or anyone else, is there a particular` reason for gating this in a > >> Kconfig ? > >> > >> The oldest Ubuntu version that seems supported (22.04) already has > >> OpenSSL version 3: > >> > >> $ podman run -it /bin/bash ubuntu:22.04 > >> root@6dc347676b8a:~# apt update && apt install -y openssl > >> root@6dc347676b8a:~# openssl version > >> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) > >> > > > > I assumed that we would want this to be an explicit config option, but > > logically there is no reason that it has to be. I'd be happy to spin up > > a v3 if there's agreement that the Kconfig isn't needed. > > Tom, do you have an opinion on this? It seems you are listed as > maintainer for this (THE REST).
Yes, sorry, I think part of the question here is how it plays out with LibreSSL and other alternatives to openssl, which ends up being a Mark question. -- Tom
signature.asc
Description: PGP signature
