Disable support for signing with pkcs11

2025-09-12 12:50:34 +00:00 · 2025-09-12 12:50:34 +00:00 · e274c02182
commit e274c02182
parent 7f61af2d58
2 changed files with 170 additions and 0 deletions
--- a/0001-disable-support-for-signing-with-pkcs11-if-there-is-.patch
+++ b/0001-disable-support-for-signing-with-pkcs11-if-there-is-.patch
@ -0,0 +1,164 @@
+From cac8d2cb7161443f860c69169979f37bd4994be6 Mon Sep 17 00:00:00 2001
+From: Opvolger <opvolger@gmail.com>
+Date: Mon, 4 Nov 2024 00:09:09 +0100
+Subject: [PATCH] disable support for signing with pkcs11 if there is no
+ openssl engine
+
+---
+ lib/rsa/rsa-sign.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
+index 2304030e32f4..fd1063c54284 100644
+--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
+@@ -4,6 +4,7 @@
+  */
+ 
+ #define OPENSSL_API_COMPAT 0x10101000L
+#define HAVE_OPENSSL_ENGINE 0
+ 
+ #include "mkimage.h"
+ #include <stdlib.h>
+@@ -19,7 +20,9 @@
+ #include <openssl/err.h>
+ #include <openssl/ssl.h>
+ #include <openssl/evp.h>
+#if HAVE_OPENSSL_ENGINE
+ #include <openssl/engine.h>
+#endif
+ 
+ static int rsa_err(const char *msg)
+ {
+@@ -89,6 +92,7 @@ static int rsa_pem_get_pub_key(const char *keydir, const char *name, EVP_PKEY **
+ 	return ret;
+ }
+ 
+#if HAVE_OPENSSL_ENGINE
+ /**
+  * rsa_engine_get_pub_key() - read a public key from given engine
+  *
+@@ -157,6 +161,7 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
+ 
+ 	return 0;
+ }
+#endif
+ 
+ /**
+  * rsa_get_pub_key() - read a public key
+@@ -170,8 +175,10 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
+ static int rsa_get_pub_key(const char *keydir, const char *name,
+ 			   ENGINE *engine, EVP_PKEY **evpp)
+ {
+#if HAVE_OPENSSL_ENGINE	
+ 	if (engine)
+ 		return rsa_engine_get_pub_key(keydir, name, engine, evpp);
+#endif
+ 	return rsa_pem_get_pub_key(keydir, name, evpp);
+ }
+ 
+@@ -217,6 +224,7 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
+ 	return 0;
+ }
+ 
+#if HAVE_OPENSSL_ENGINE
+ /**
+  * rsa_engine_get_priv_key() - read a private key from given engine
+  *
+@@ -293,6 +301,7 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
+ 
+ 	return 0;
+ }
+#endif
+ 
+ /**
+  * rsa_get_priv_key() - read a private key
+@@ -306,9 +315,11 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
+ static int rsa_get_priv_key(const char *keydir, const char *name,
+ 			    const char *keyfile, ENGINE *engine, EVP_PKEY **evpp)
+ {
+#if HAVE_OPENSSL_ENGINE
+ 	if (engine)
+ 		return rsa_engine_get_priv_key(keydir, name, keyfile, engine,
+ 					       evpp);
+#endif
+ 	return rsa_pem_get_priv_key(keydir, name, keyfile, evpp);
+ }
+ 
+@@ -325,6 +336,7 @@ static int rsa_init(void)
+ 	return 0;
+ }
+ 
+#if HAVE_OPENSSL_ENGINE
+ static int rsa_engine_init(const char *engine_id, ENGINE **pe)
+ {
+ 	const char *key_pass;
+@@ -380,6 +392,7 @@ static void rsa_engine_remove(ENGINE *e)
+ 		ENGINE_free(e);
+ 	}
+ }
+#endif
+ 
+ static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo,
+ 			     struct checksum_algo *checksum_algo,
+@@ -471,11 +484,13 @@ int rsa_sign(struct image_sign_info *info,
+ 	if (ret)
+ 		return ret;
+ 
+#if HAVE_OPENSSL_ENGINE
+ 	if (info->engine_id) {
+ 		ret = rsa_engine_init(info->engine_id, &e);
+ 		if (ret)
+ 			return ret;
+ 	}
+#endif
+ 
+ 	ret = rsa_get_priv_key(info->keydir, info->keyname, info->keyfile,
+ 			       e, &pkey);
+@@ -487,16 +502,19 @@ int rsa_sign(struct image_sign_info *info,
+ 		goto err_sign;
+ 
+ 	EVP_PKEY_free(pkey);
+#if HAVE_OPENSSL_ENGINE
+ 	if (info->engine_id)
+ 		rsa_engine_remove(e);
+-
+#endif
+ 	return ret;
+ 
+ err_sign:
+ 	EVP_PKEY_free(pkey);
+ err_priv:
+#if HAVE_OPENSSL_ENGINE
+ 	if (info->engine_id)
+ 		rsa_engine_remove(e);
+#endif
+ 	return ret;
+ }
+ 
+@@ -636,11 +654,13 @@ int rsa_add_verify_data(struct image_sign_info *info, void *keydest)
+ 	ENGINE *e = NULL;
+ 
+ 	debug("%s: Getting verification data\n", __func__);
+#if HAVE_OPENSSL_ENGINE
+ 	if (info->engine_id) {
+ 		ret = rsa_engine_init(info->engine_id, &e);
+ 		if (ret)
+ 			return ret;
+ 	}
+#endif
+ 	ret = rsa_get_pub_key(info->keydir, info->keyname, e, &pkey);
+ 	if (ret)
+ 		goto err_get_pub_key;
+@@ -717,9 +737,10 @@ int rsa_add_verify_data(struct image_sign_info *info, void *keydest)
+ err_get_params:
+ 	EVP_PKEY_free(pkey);
+ err_get_pub_key:
+#if HAVE_OPENSSL_ENGINE
+ 	if (info->engine_id)
+ 		rsa_engine_remove(e);
+-
+#endif
+ 	if (ret)
+ 		return ret;
+ 
--- a/uboot-tools.spec
+++ b/uboot-tools.spec
@ -58,6 +58,9 @@ Patch23:  efi_selftest-Add-basic-partition-info-check-to-block.patch
 # RISCV (riscv64):
 Patch30: improve-riscv64-configs.patch

+# https://github.com/Opvolger/u-boot/commit/cac8d2cb7161443f860c69169979f37bd4994be6
+Patch31: 0001-disable-support-for-signing-with-pkcs11-if-there-is-.patch
+
 BuildRequires:  bc
 BuildRequires:  bison
 BuildRequires:  dtc
@ -285,6 +288,9 @@ install -p -m 0755 builds/tools/env/fw_printenv %{buildroot}%{_bindir}
 %endif

 %changelog
+* Fri Sep 12 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 1:2025.07-2.alma.1
+- Disable support for signing with pkcs11
+
 * Fri Jul 11 2025 David Abdurachmanov <davidlt@rivosinc.com> - 1:2025.07-2.0.riscv64
 - Update for riscv64