Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2230583/?format=api
{ "id": 2230583, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2230583/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/patch/20260429180247.83091-1-ekovsky@redhat.com/", "project": { "id": 18, "url": "http://patchwork.ozlabs.org/api/1.1/projects/18/?format=api", "name": "U-Boot", "link_name": "uboot", "list_id": "u-boot.lists.denx.de", "list_email": "u-boot@lists.denx.de", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260429180247.83091-1-ekovsky@redhat.com>", "date": "2026-04-29T18:02:45", "name": "[v4] Add support for OpenSSL Provider API", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "0d5821f13d181d51b89e1146233c91d7f86893a4", "submitter": { "id": 90908, "url": "http://patchwork.ozlabs.org/api/1.1/people/90908/?format=api", "name": "Eddie Kovsky", "email": "ekovsky@redhat.com" }, "delegate": { "id": 3651, "url": "http://patchwork.ozlabs.org/api/1.1/users/3651/?format=api", "username": "trini", "first_name": "Tom", "last_name": "Rini", "email": "trini@ti.com" }, "mbox": "http://patchwork.ozlabs.org/project/uboot/patch/20260429180247.83091-1-ekovsky@redhat.com/mbox/", "series": [ { "id": 502154, "url": "http://patchwork.ozlabs.org/api/1.1/series/502154/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/list/?series=502154", "date": "2026-04-29T18:02:45", "name": "[v4] Add support for OpenSSL Provider API", "version": 4, "mbox": "http://patchwork.ozlabs.org/series/502154/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2230583/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2230583/checks/", "tags": {}, "headers": { "Return-Path": "<u-boot-bounces@lists.denx.de>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=USGwrGux;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)", "phobos.denx.de;\n dmarc=pass (p=quarantine dis=none) header.from=redhat.com", "phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de", "phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.b=\"USGwrGux\";\n\tdkim-atps=neutral", "phobos.denx.de; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com", "phobos.denx.de;\n spf=pass smtp.mailfrom=ekovsky@redhat.com" ], "Received": [ "from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5VWY3jH8z1yGq\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 07:17:45 +1000 (AEST)", "from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 83E5C8493E;\n\tWed, 29 Apr 2026 23:15:58 +0200 (CEST)", "by phobos.denx.de (Postfix, from userid 109)\n id E2868848BE; Wed, 29 Apr 2026 20:03:20 +0200 (CEST)", "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.129.124])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 9BFA3848BB\n for <u-boot@lists.denx.de>; Wed, 29 Apr 2026 20:03:17 +0200 (CEST)", "from mail-qk1-f199.google.com (mail-qk1-f199.google.com\n [209.85.222.199]) by relay.mimecast.com with ESMTP with STARTTLS\n (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id\n us-mta-611-gNtshNtoMfOrrMUQwfoSzQ-1; Wed, 29 Apr 2026 14:03:15 -0400", "by mail-qk1-f199.google.com with SMTP id\n af79cd13be357-8eb21daf7ddso12719285a.1\n for <u-boot@lists.denx.de>; Wed, 29 Apr 2026 11:03:14 -0700 (PDT)", "from localhost ([38.246.12.206]) by smtp.gmail.com with ESMTPSA id\n af79cd13be357-8f94073200asm260474385a.46.2026.04.29.11.03.12\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 29 Apr 2026 11:03:13 -0700 (PDT)" ], "X-Spam-Checker-Version": "SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de", "X-Spam-Level": "", "X-Spam-Status": "No, score=-2.2 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1777485796;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=rtUp6EUTw/L0WsomPESPwF+V+SaNbN8BDmpKNBc4ZJ4=;\n b=USGwrGuxNAgjR0ZqQcn6MSG8eG/S9kMBqaQFJTx6xVUBklUr2RNiFfHzBeC82mRimgP10d\n /2+0M4UPiAbOMo1893BEJ19Soact0CeuM8WSTG+ZarBcuj+WMPPQ+nqBND1rOtiXgp1pei\n 26X03yILya6p8Y8aaSFWZUaTuGRoLLA=", "X-MC-Unique": "gNtshNtoMfOrrMUQwfoSzQ-1", "X-Mimecast-MFC-AGG-ID": "gNtshNtoMfOrrMUQwfoSzQ_1777485794", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777485794; x=1778090594;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=rtUp6EUTw/L0WsomPESPwF+V+SaNbN8BDmpKNBc4ZJ4=;\n b=lUlTpKNPeO5xurzMN+w+QKDsjiQrMERwSdDkD7wX8BfS/arNKFtfdB7SaoJsmNgG1F\n UthCa6BNR5Hx1s9Vj5qKGN9C7POJW+KLoZayo4nfdg3O9AEbXLTwPabiag7Ls0LBQAqA\n EIqdkHLKhif6n2vJgPbI+mwFwo0zb+pl0GW0DoAiriqJHL6+c3uNHPaQWA6y8aRvEGlr\n qmIDJmVBbjcnHQfJEA8+vQiWqgouOkHkLbXbBf5tf0EJMjviGHxFbbPJ4/Q5Dry8Mw4c\n 76xZDWinWcA+Q620YSG93BcZeSSXBXMcKL3R0RhzgDu/6rexEP9AfLzW9mpfePj1UYo2\n u+gQ==", "X-Gm-Message-State": "AOJu0YxiHcN1VyBn4KMJSAyGabCxEkcWpmrDk+WDsGdvvNGcoIGEXBet\n tTU+pc+juiO2wBJLeL1eTXSlny/yTw8SCgwZw/pV6dc/5e6zwpj6/SLD7yVi6jq+oTk3g+hrSUl\n E1Di8jRZoqIsGHcgbjII/mVqgXBM1XTj9xlkShBGne7FxAOiIkJDEEPo=", "X-Gm-Gg": "AeBDievXvQTQ1KF4cRsOdLATth6AUCSwSIkZpkE8+Sp5oviT+MHCDsn/2HcMaKuMqH1\n cS21tidocjnlgZRKBJ+w+B1q9byf5QNZv3ktI4TCvjwChP6W/UFR/EMGwh5aQPrxZq73rPqe8Og\n +Lbnp39a50a7CyuTkXekQmPrN0ToHLo9GFkc6gxtfIXTmzA3lhyzr3w94A4owlDsiIAzWCDA/7u\n OTt/vRAigjNva6mgaurM73XW4dyu0BfOQUc8tXgmajaUA0U8j99Nza25FrCHk8ar3VcxvA8xg7B\n v72gY62puJaauRqeIpc+9wPd6eU2MECnK0kJdZtEICgQ7JJzbNoQWZH9KGD5zE5/xx6uaCl/DrL\n WYDqbyIiK1jn2mk+tH7D7y6gRsqk=", "X-Received": [ "by 2002:a05:620a:1792:b0:8eb:f3c7:2230 with SMTP id\n af79cd13be357-8f7d9501f41mr1173377085a.42.1777485794053;\n Wed, 29 Apr 2026 11:03:14 -0700 (PDT)", "by 2002:a05:620a:1792:b0:8eb:f3c7:2230 with SMTP id\n af79cd13be357-8f7d9501f41mr1173371985a.42.1777485793433;\n Wed, 29 Apr 2026 11:03:13 -0700 (PDT)" ], "From": "Eddie Kovsky <ekovsky@redhat.com>", "To": "Tom Rini <trini@konsulko.com>, Tobias Olausson <tobias@eub.se>,\n Paul HENRYS <paul.henrys_ext@softathome.com>,\n Simon Glass <sjg@chromium.org>, Jan Stancek <jstancek@redhat.com>,\n Enric Balletbo i Serra <eballetb@redhat.com>, a.fatoum@pengutronix.de,\n mark.kettenis@xs4all.nl, Mattijs Korpershoek <mkorpershoek@kernel.org>", "Cc": "u-boot@lists.denx.de", "Subject": "[PATCH v4] Add support for OpenSSL Provider API", "Date": "Wed, 29 Apr 2026 12:02:45 -0600", "Message-ID": "<20260429180247.83091-1-ekovsky@redhat.com>", "X-Mailer": "git-send-email 2.53.0", "MIME-Version": "1.0", "X-Mimecast-Spam-Score": "0", "X-Mimecast-MFC-PROC-ID": "UGDFD6zeyMT_34bn4AhboCUDMjPQu8a3FBXg4lsMb6o_1777485794", "X-Mimecast-Originator": "redhat.com", "Content-Transfer-Encoding": "8bit", "content-type": "text/plain; charset=\"US-ASCII\"; x-default=true", "X-Mailman-Approved-At": "Wed, 29 Apr 2026 23:15:47 +0200", "X-BeenThere": "u-boot@lists.denx.de", "X-Mailman-Version": "2.1.39", "Precedence": "list", "List-Id": "U-Boot discussion <u-boot.lists.denx.de>", "List-Unsubscribe": "<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>", "List-Archive": "<https://lists.denx.de/pipermail/u-boot/>", "List-Post": "<mailto:u-boot@lists.denx.de>", "List-Help": "<mailto:u-boot-request@lists.denx.de?subject=help>", "List-Subscribe": "<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>", "Errors-To": "u-boot-bounces@lists.denx.de", "Sender": "\"U-Boot\" <u-boot-bounces@lists.denx.de>", "X-Virus-Scanned": "clamav-milter 0.103.8 at phobos.denx.de", "X-Virus-Status": "Clean" }, "content": "The Engine API has been deprecated since the release of OpenSSL 3.0. End\nusers have been advised to migrate to the new Provider interface.\nSeveral distributions have already removed support for engines, which is\npreventing U-Boot from being compiled in those environments.\n\nAdd support for the Provider API while continuing to support the existing\nEngine API on distros shipping older releases of OpenSSL.\n\nThis is based on similar work contributed by Jan Stancek updating Linux\nto use the Provider interface.\n\n commit 558bdc45dfb2669e1741384a0c80be9c82fa052c\n Author: Jan Stancek <jstancek@redhat.com>\n Date: Fri Sep 20 19:52:48 2024 +0300\n\n sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3\n\nThe changes have been tested with the FIT signature verification vboot\ntests on Fedora 42 and Debian 13. All 30 tests pass with both the legacy\nEngine library installed and with the Provider API.\n\nTested-by Enric Balletbo i Serra <eballetb@redhat.com>\nTested-by Mark Kettenis <mark.kettenis@xs4all.nl>\nSigned-off-by: Eddie Kovsky <ekovsky@redhat.com>\n---\nChanges in v4:\n- Add comment that @engine pointer is null when using pkcs11 provider\n- Remove extra line break\n- Add pkcs11-provider package to build dependencies\nv3: https://lore.kernel.org/u-boot/20260120164524.253188-1-ekovsky@redhat.com/\n\nChanges in v3:\n- Removed Kconfig option\n- Changed macro symbol from CONFIG_OPENSSL_NO_DEPRECATED to\n USE_PKCS11_PROVIDER or USE_PKCS11_ENGINE\nv2: https://lore.kernel.org/u-boot/20251027195834.71109-1-ekovsky@redhat.com/\n\nChanges in v2:\n- Remove default for new Kconfig option\n- Use #ifdef instead of IS_ENABLED macro\n- Remove comment after #endif\n- Remove unrelated checkpatch cleanup of 'sslErr' variable name\nv1: https://lore.kernel.org/u-boot/20251017171329.255689-1-ekovsky@redhat.com/\n---\n doc/build/gcc.rst | 4 +-\n lib/aes/aes-encrypt.c | 4 +-\n lib/rsa/rsa-sign.c | 102 ++++++++++++++++++++++++++++++++++++++--\n tools/docker/Dockerfile | 1 +\n 4 files changed, 103 insertions(+), 8 deletions(-)", "diff": "diff --git a/doc/build/gcc.rst b/doc/build/gcc.rst\nindex 1fef718ceecb..29a6a632e7e3 100644\n--- a/doc/build/gcc.rst\n+++ b/doc/build/gcc.rst\n@@ -25,8 +25,8 @@ Depending on the build targets further packages maybe needed\n \n sudo apt-get install bc bison build-essential coccinelle \\\n device-tree-compiler dfu-util efitools flex gdisk graphviz imagemagick \\\n- libgnutls28-dev libguestfs-tools libncurses-dev \\\n- libpython3-dev libsdl2-dev libssl-dev lz4 lzma lzma-alone openssl \\\n+ libgnutls28-dev libguestfs-tools libncurses-dev libpython3-dev \\\n+ libsdl2-dev libssl-dev lz4 lzma lzma-alone openssl pkcs11-provider \\\n pkg-config python3 python3-asteval python3-coverage python3-filelock \\\n python3-pkg-resources python3-pycryptodome python3-pyelftools \\\n python3-pytest python3-pytest-xdist python3-sphinxcontrib.apidoc \\\ndiff --git a/lib/aes/aes-encrypt.c b/lib/aes/aes-encrypt.c\nindex 90e1407b4f09..4fc4ce232478 100644\n--- a/lib/aes/aes-encrypt.c\n+++ b/lib/aes/aes-encrypt.c\n@@ -16,7 +16,9 @@\n #include <openssl/err.h>\n #include <openssl/ssl.h>\n #include <openssl/evp.h>\n-#include <openssl/engine.h>\n+#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)\n+# include <openssl/engine.h>\n+#endif\n #include <uboot_aes.h>\n \n #if OPENSSL_VERSION_NUMBER >= 0x10000000L\ndiff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c\nindex 0e38c9e802fd..f456f3c58e65 100644\n--- a/lib/rsa/rsa-sign.c\n+++ b/lib/rsa/rsa-sign.c\n@@ -19,7 +19,47 @@\n #include <openssl/err.h>\n #include <openssl/ssl.h>\n #include <openssl/evp.h>\n-#include <openssl/engine.h>\n+#if OPENSSL_VERSION_MAJOR >= 3\n+# define USE_PKCS11_PROVIDER\n+# include <err.h>\n+# include <openssl/provider.h>\n+# include <openssl/store.h>\n+#else\n+# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)\n+# define USE_PKCS11_ENGINE\n+# include <openssl/engine.h>\n+# endif\n+#endif\n+\n+#ifdef USE_PKCS11_PROVIDER\n+#define ERR(cond, fmt, ...)\t\t\t\t\\\n+\tdo {\t\t\t\t\t\t\\\n+\t\tbool __cond = (cond);\t\t\t\\\n+\t\tdrain_openssl_errors(__LINE__, 0);\t\\\n+\t\tif (__cond) {\t\t\t\t\\\n+\t\t\terrx(1, fmt, ## __VA_ARGS__);\t\\\n+\t\t}\t\t\t\t\t\\\n+\t} while (0)\n+\n+static void drain_openssl_errors(int l, int silent)\n+{\n+\tconst char *file;\n+\tchar buf[120];\n+\tint e, line;\n+\n+\tif (ERR_peek_error() == 0)\n+\t\treturn;\n+\tif (!silent)\n+\t\tfprintf(stderr, \"At main.c:%d:\\n\", l);\n+\n+\twhile ((e = ERR_peek_error_line(&file, &line))) {\n+\t\tERR_error_string(e, buf);\n+\t\tif (!silent)\n+\t\t\tfprintf(stderr, \"- SSL %s: %s:%d\\n\", buf, file, line);\n+\t\tERR_get_error();\n+\t}\n+}\n+#endif\n \n static int rsa_err(const char *msg)\n {\n@@ -94,10 +134,11 @@ err_cert:\n *\n * @keydir:\tKey prefix\n * @name\tName of key\n- * @engine\tEngine to use\n+ * @engine\tEngine to use or NULL when using pkcs11 provider\n * @evpp\tReturns EVP_PKEY object, or NULL on failure\n * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)\n */\n+#ifdef USE_PKCS11_ENGINE\n static int rsa_engine_get_pub_key(const char *keydir, const char *name,\n \t\t\t\t ENGINE *engine, EVP_PKEY **evpp)\n {\n@@ -157,21 +198,24 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,\n \n \treturn 0;\n }\n+#endif\n \n /**\n * rsa_get_pub_key() - read a public key\n *\n * @keydir:\tDirectory containing the key (PEM file) or key prefix (engine)\n * @name\tName of key file (will have a .crt extension)\n- * @engine\tEngine to use\n+ * @engine\tEngine to use or NULL when using pkcs11 provider\n * @evpp\tReturns EVP_PKEY object, or NULL on failure\n * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)\n */\n static int rsa_get_pub_key(const char *keydir, const char *name,\n \t\t\t ENGINE *engine, EVP_PKEY **evpp)\n {\n+#ifdef USE_PKCS11_ENGINE\n \tif (engine)\n \t\treturn rsa_engine_get_pub_key(keydir, name, engine, evpp);\n+#endif\n \treturn rsa_pem_get_pub_key(keydir, name, evpp);\n }\n \n@@ -207,13 +251,44 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,\n \t\treturn -ENOENT;\n \t}\n \n+#ifdef USE_PKCS11_PROVIDER\n+\tEVP_PKEY *private_key = NULL;\n+\tOSSL_STORE_CTX *store;\n+\n+\tif (!OSSL_PROVIDER_try_load(NULL, \"pkcs11\", true))\n+\t\tERR(1, \"OSSL_PROVIDER_try_load(pkcs11)\");\n+\tif (!OSSL_PROVIDER_try_load(NULL, \"default\", true))\n+\t\tERR(1, \"OSSL_PROVIDER_try_load(default)\");\n+\n+\tstore = OSSL_STORE_open(path, NULL, NULL, NULL, NULL);\n+\tERR(!store, \"OSSL_STORE_open\");\n+\n+\twhile (!OSSL_STORE_eof(store)) {\n+\t\tOSSL_STORE_INFO *info = OSSL_STORE_load(store);\n+\n+\t\tif (!info) {\n+\t\t\tdrain_openssl_errors(__LINE__, 0);\n+\t\t\tcontinue;\n+\t\t}\n+\t\tif (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {\n+\t\t\tprivate_key = OSSL_STORE_INFO_get1_PKEY(info);\n+\t\t\tERR(!private_key, \"OSSL_STORE_INFO_get1_PKEY\");\n+\t\t}\n+\t\tOSSL_STORE_INFO_free(info);\n+\t\tif (private_key)\n+\t\t\tbreak;\n+\t}\n+\tOSSL_STORE_close(store);\n+\n+\t*evpp = private_key;\n+#else\n \tif (!PEM_read_PrivateKey(f, evpp, NULL, path)) {\n \t\trsa_err(\"Failure reading private key\");\n \t\tfclose(f);\n \t\treturn -EPROTO;\n \t}\n \tfclose(f);\n-\n+#endif\n \treturn 0;\n }\n \n@@ -226,6 +301,7 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,\n * @evpp\tReturns EVP_PKEY object, or NULL on failure\n * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)\n */\n+#ifdef USE_PKCS11_ENGINE\n static int rsa_engine_get_priv_key(const char *keydir, const char *name,\n \t\t\t\t const char *keyfile,\n \t\t\t\t ENGINE *engine, EVP_PKEY **evpp)\n@@ -293,22 +369,25 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,\n \n \treturn 0;\n }\n+#endif\n \n /**\n * rsa_get_priv_key() - read a private key\n *\n * @keydir:\tDirectory containing the key (PEM file) or key prefix (engine)\n * @name\tName of key\n- * @engine\tEngine to use for signing\n+ * @engine\tEngine to use or NULL when using pkcs11 provider\n * @evpp\tReturns EVP_PKEY object, or NULL on failure\n * Return: 0 if ok, -ve on error (in which case *evpp will be set to NULL)\n */\n static int rsa_get_priv_key(const char *keydir, const char *name,\n \t\t\t const char *keyfile, ENGINE *engine, EVP_PKEY **evpp)\n {\n+#ifdef USE_PKCS11_ENGINE\n \tif (engine)\n \t\treturn rsa_engine_get_priv_key(keydir, name, keyfile, engine,\n \t\t\t\t\t evpp);\n+#endif\n \treturn rsa_pem_get_priv_key(keydir, name, keyfile, evpp);\n }\n \n@@ -325,6 +404,7 @@ static int rsa_init(void)\n \treturn 0;\n }\n \n+#ifdef USE_PKCS11_ENGINE\n static int rsa_engine_init(const char *engine_id, ENGINE **pe)\n {\n \tconst char *key_pass;\n@@ -380,6 +460,7 @@ static void rsa_engine_remove(ENGINE *e)\n \t\tENGINE_free(e);\n \t}\n }\n+#endif\n \n static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo,\n \t\t\t struct checksum_algo *checksum_algo,\n@@ -480,11 +561,13 @@ int rsa_sign(struct image_sign_info *info,\n \tif (ret)\n \t\treturn ret;\n \n+#ifdef USE_PKCS11_ENGINE\n \tif (info->engine_id) {\n \t\tret = rsa_engine_init(info->engine_id, &e);\n \t\tif (ret)\n \t\t\treturn ret;\n \t}\n+#endif\n \n \tret = rsa_get_priv_key(info->keydir, info->keyname, info->keyfile,\n \t\t\t e, &pkey);\n@@ -496,16 +579,21 @@ int rsa_sign(struct image_sign_info *info,\n \t\tgoto err_sign;\n \n \tEVP_PKEY_free(pkey);\n+\n+#ifdef USE_PKCS11_ENGINE\n \tif (info->engine_id)\n \t\trsa_engine_remove(e);\n+#endif\n \n \treturn ret;\n \n err_sign:\n \tEVP_PKEY_free(pkey);\n err_priv:\n+#ifdef USE_PKCS11_ENGINE\n \tif (info->engine_id)\n \t\trsa_engine_remove(e);\n+#endif\n \treturn ret;\n }\n \n@@ -645,11 +733,13 @@ int rsa_add_verify_data(struct image_sign_info *info, void *keydest)\n \tENGINE *e = NULL;\n \n \tdebug(\"%s: Getting verification data\\n\", __func__);\n+#ifdef USE_PKCS11_ENGINE\n \tif (info->engine_id) {\n \t\tret = rsa_engine_init(info->engine_id, &e);\n \t\tif (ret)\n \t\t\treturn ret;\n \t}\n+#endif\n \tret = rsa_get_pub_key(info->keydir, info->keyname, e, &pkey);\n \tif (ret)\n \t\tgoto err_get_pub_key;\n@@ -726,8 +816,10 @@ done:\n err_get_params:\n \tEVP_PKEY_free(pkey);\n err_get_pub_key:\n+#ifdef USE_PKCS11_ENGINE\n \tif (info->engine_id)\n \t\trsa_engine_remove(e);\n+#endif\n \n \tif (ret)\n \t\treturn ret;\ndiff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile\nindex 73bf6cdd2c52..50e98e83dc20 100644\n--- a/tools/docker/Dockerfile\n+++ b/tools/docker/Dockerfile\n@@ -122,6 +122,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \\\n \topenssl \\\n \tpicocom \\\n \tparted \\\n+\tpkcs11-provider \\\n \tpkg-config \\\n \tpython-is-python3 \\\n \tpython3 \\\n", "prefixes": [ "v4" ] }