On Tue, Feb 24, 2026 at 01:08:23PM +0100, Enric Balletbo i Serra wrote: > Hi all, > > Thanks Eddie for the effort on doing this. > > On Thu, Feb 19, 2026 at 6:28 PM Tom Rini <[email protected]> wrote: > > > > On Thu, Feb 19, 2026 at 09:51:05AM -0700, Eddie Kovsky wrote: > > > > > On 01/29/26, Mattijs Korpershoek wrote: > > > > Hi Eddie, > > > > > > > > Thank you for the patch. > > > > > > > > > > Hi Mattijs > > > > > > Thanks for the review. > > > > > > > On Tue, Jan 20, 2026 at 09:45, Eddie Kovsky <[email protected]> wrote: > > > > > > > > > The Engine API has been deprecated since the release of OpenSSL 3.0. > > > > > End > > > > > users have been advised to migrate to the new Provider interface. > > > > > Several distributions have already removed support for engines, which > > > > > is > > > > > preventing U-Boot from being compiled in those environments. > > > > > > > > > > Add support for the Provider API while continuing to support the > > > > > existing > > > > > Engine API on distros shipping older releases of OpenSSL. > > > > > > > > > > This is based on similar work contributed by Jan Stancek updating > > > > > Linux > > > > > to use the Provider interface. > > > > > > > > > > commit 558bdc45dfb2669e1741384a0c80be9c82fa052c > > > > > Author: Jan Stancek <[email protected]> > > > > > Date: Fri Sep 20 19:52:48 2024 +0300 > > > > > > > > > > sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR > > > > > >= 3 > > > > > > > > > > The changes have been tested with the FIT signature verification vboot > > > > > tests on Fedora 42 and Debian 13. All 30 tests pass with both the > > > > > legacy > > > > > Engine library installed and with the Provider API. > > > > > > > > > > Signed-off-by: Eddie Kovsky <[email protected]> > > [snip] > > > Sure, I can update the comment for v4. > > > > Since we're talking about v4, can you please make sure that for v4 it: > > - Passes CI https://docs.u-boot.org/en/latest/develop/ci_testing.html as > > that will cover some non-Linux host builds. > > - See if you can get access to a FreeBSD or OpenBSD host and make sure > > the tools build still works there too? I was hoping Mark would have > > commented / tested-by v3 because I do want to make sure the libressl > > case still builds. At worst case, I have a freebie Oracle VM that's > > FreeBSD based, so you can maybe spin one of those up as well? > > > > I wanted to provide some context on my testing efforts. I have > successfully tested these patches on Fedora and CentOS Stream 10, > where the engine support is already deprecated. These changes are > quite important because we are currently carrying them as a downstream > patch for some RPM packages. > > Regarding testing on OpenBSD and FreeBSD ( it uses openssl 3.0 by > default ), I tried, but I ran into some build issues that I couldn't > quickly resolve due to my limited experience with those environments. > Instead, I decided to test with an alpine+libressl container and can > confirm that the build of the tools does not break with these patches > applied, which should cover the libressl case you were concerned > about. > > # make tools > # ldd tools/mkimage > /lib/ld-musl-x86_64.so.1 (0x7f12975f5000) > libssl.so.60 => /usr/lib/libssl.so.60 (0x7f12973a4000) > libcrypto.so.57 => /usr/lib/libcrypto.so.57 (0x7f129722a000) > libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f12975f5000) > > # strings /usr/lib/libcrypto.so.57 | grep -i "libressl" > LibreSSL 4.2.1 > %s/libressl.cnf > > I'm happy to provide my tested-by tag if it helps move the patch > along. Feel free to include it in v4. > > Tested-by: Enric Balletbo i Serra <[email protected]>
Thanks for doing that, I appreciate it. I'm much more confident the BSD cases will be fine now. I still really want to see v4 put through CI first just to catch any other oddities. -- Tom
signature.asc
Description: PGP signature
