On Tue, 11 Nov 2025 at 10:14, Wolfgang Wallner <[email protected]> wrote: > > Hi Peter, > > > > This adds support for using an OpenSSL engine for signing a FIT image. > > > To use it, one should set the fit,sign-engine property at the FIT node > > > level with the engine to use. This will in turn call mkimage with the -N > > > option. > > > > Just to be aware this should likely be a OpenSSL provider, engines in > > OpenSSL are deprecated and due to be removed in 4.0. A lot of distros > > are already dropping support for engines. There's a patch [1] adding > > support for Providers support to U-Boot, I suspect we shouldn't be > > adding more deps on the Engine support. OpenSSL 4 is due in March. > > I'm aware that the engine API is deprecated in OpenSSL, and that the provider > API is the way to go forward. > > But the PKI provider of my employer currently only provides a PKCS#11 library > with an engine API, and I'm not aware of any plans yet if/when they will > be supporting the provider API. > > So for the transition period it would be nice to keep the engine API around as > such use cases still depend on it.
my comment wasn't so much about removing engine support but rather having parity with the newer version so that when users upgrade they don't end up being stuck with broken functionality.
