On Mon, 17 Nov 2025 at 12:43, Quentin Schulz <[email protected]> wrote: > > From: Quentin Schulz <[email protected]> > > This adds a test that signs a FIT and verifies the signature with > fit_check_sign. > > OpenSSL engines are typically for signing with external HW so it's not > that straight-forward to simulate. > > For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA > 4096 private key is made available. It can be selected by setting the > OpenSSL engine argument to dummy-rsa-engine. This can only be done if > the engine is detected by OpenSSL, which works by setting the > OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine > is properly implementing what is expected from an RSA engine, but it > seems to be enough for testing. > > For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11 > without specific hardware. The keypairs and tokens are generated on the > fly. The "prod" token is generated with a different PIN (1234 instead of > 1111) than the configured value in OpenSSL to force the use of > fit,engine-keypair. > > Binman will not mess with the local SoftHSMv2 setup as it will only use > tokens from a temporary directory enforced via the temporary > configuration file set via SOFTHSM2_CONF env variable in the tests. > > Once signed, it's checked with fit_check_sign with the associated > certificate. > > Finally, a new softhsm2_util bintool is added so that we can initialize > the token and import keypairs. On Debian, the package also brings > libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It > is not the only package required though, as it also needs p11-kit and > libengine-pkcs11-openssl (the latter bringing the former, only the > latter is explicitly installed), which we can detect with openssl engine > dynamic -c pkcs11. If that fails, we manually install the aforementioned > library packages within tests. > > Signed-off-by: Quentin Schulz <[email protected]> > --- > tools/binman/btool/softhsm2_util.py | 21 +++ > tools/binman/ftest.py | 193 > +++++++++++++++++++++ > tools/binman/test/340_dummy-rsa4096.crt | 31 ++++ > tools/binman/test/340_fit_signature_engine.dts | 99 +++++++++++ > .../test/340_fit_signature_engine_pkcs11.dts | 99 +++++++++++ > .../340_fit_signature_engine_pkcs11_object.dts | 100 +++++++++++ > tools/binman/test/340_openssl.conf | 10 ++ > tools/binman/test/340_softhsm2.conf | 16 ++ > tools/binman/test/Makefile | 6 +- > tools/binman/test/dummy-rsa-engine.c | 149 ++++++++++++++++ > 10 files changed, 723 insertions(+), 1 deletion(-)
Reviewed-by: Simon Glass <[email protected]> Looks like a solid test.
