From e274c021829abf7efbc797fe5874d73b285bf3fd Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Fri, 12 Sep 2025 12:50:34 +0000
Subject: [PATCH] Disable support for signing with pkcs11
---
 ...for-signing-with-pkcs11-if-there-is-.patch | 164 ++++++++++++++++++
 uboot-tools.spec | 6 +
 2 files changed, 170 insertions(+)
 create mode 100644 0001-disable-support-for-signing-with-pkcs11-if-there-is-.patch
diff --git a/0001-disable-support-for-signing-with-pkcs11-if-there-is-.patch b/0001-disable-support-for-signing-with-pkcs11-if-there-is-.patch
new file mode 100644
index 0000000..d9619e7
--- /dev/null
+++ b/0001-disable-support-for-signing-with-pkcs11-if-there-is-.patch
@@ -0,0 +1,164 @@
+From cac8d2cb7161443f860c69169979f37bd4994be6 Mon Sep 17 00:00:00 2001
+From: Opvolger
+Date: Mon, 4 Nov 2024 00:09:09 +0100
+Subject: [PATCH] disable support for signing with pkcs11 if there is no
+ openssl engine
+
+---
+ lib/rsa/rsa-sign.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
+index 2304030e32f4..fd1063c54284 100644
+--- a/lib/rsa/rsa-sign.c
++++ b/lib/rsa/rsa-sign.c
+@@ -4,6 +4,7 @@
+ */
+
+ #define OPENSSL_API_COMPAT 0x10101000L
++#define HAVE_OPENSSL_ENGINE 0
+
+ #include "mkimage.h"
+ #include
+@@ -19,7 +20,9 @@
+ #include
+ #include
+ #include
++#if HAVE_OPENSSL_ENGINE
+ #include
++#endif
+
+ static int rsa_err(const char *msg)
+ {
+@@ -89,6 +92,7 @@ static int rsa_pem_get_pub_key(const char *keydir, const char *name, EVP_PKEY **
+ return ret;
+ }
+
++#if HAVE_OPENSSL_ENGINE
+ /**
+ * rsa_engine_get_pub_key() - read a public key from given engine
+ *
+@@ -157,6 +161,7 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
+
+ return 0;
+ }
++#endif
+
+ /**
+ * rsa_get_pub_key() - read a public key
+@@ -170,8 +175,10 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
+ static int rsa_get_pub_key(const char *keydir, const char *name,
+ ENGINE *engine, EVP_PKEY **evpp)
+ {
++#if HAVE_OPENSSL_ENGINE
+ if (engine)
+ return rsa_engine_get_pub_key(keydir, name, engine, evpp);
++#endif
+ return rsa_pem_get_pub_key(keydir, name, evpp);
+ }
+
+@@ -217,6 +224,7 @@ static int rsa_pem_get_priv_key(const char *keydir, const char *name,
+ return 0;
+ }
+
++#if HAVE_OPENSSL_ENGINE
+ /**
+ * rsa_engine_get_priv_key() - read a private key from given engine
+ *
+@@ -293,6 +301,7 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
+
+ return 0;
+ }
++#endif
+
+ /**
+ * rsa_get_priv_key() - read a private key
+@@ -306,9 +315,11 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
+ static int rsa_get_priv_key(const char *keydir, const char *name,
+ const char *keyfile, ENGINE *engine, EVP_PKEY **evpp)
+ {
++#if HAVE_OPENSSL_ENGINE
+ if (engine)
+ return rsa_engine_get_priv_key(keydir, name, keyfile, engine,
+ evpp);
++#endif
+ return rsa_pem_get_priv_key(keydir, name, keyfile, evpp);
+ }
+
+@@ -325,6 +336,7 @@ static int rsa_init(void)
+ return 0;
+ }
+
++#if HAVE_OPENSSL_ENGINE
+ static int rsa_engine_init(const char *engine_id, ENGINE **pe)
+ {
+ const char *key_pass;
+@@ -380,6 +392,7 @@ static void rsa_engine_remove(ENGINE *e)
+ ENGINE_free(e);
+ }
+ }
++#endif
+
+ static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo,
+ struct checksum_algo *checksum_algo,
+@@ -471,11 +484,13 @@ int rsa_sign(struct image_sign_info *info,
+ if (ret)
+ return ret;
+
++#if HAVE_OPENSSL_ENGINE
+ if (info->engine_id) {
+ ret = rsa_engine_init(info->engine_id, &e);
+ if (ret)
+ return ret;
+ }
++#endif
+
+ ret = rsa_get_priv_key(info->keydir, info->keyname, info->keyfile,
+ e, &pkey);
+@@ -487,16 +502,19 @@ int rsa_sign(struct image_sign_info *info,
+ goto err_sign;
+
+ EVP_PKEY_free(pkey);
++#if HAVE_OPENSSL_ENGINE
+ if (info->engine_id)
+ rsa_engine_remove(e);
+-
++#endif
+ return ret;
+
+ err_sign:
+ EVP_PKEY_free(pkey);
+ err_priv:
++#if HAVE_OPENSSL_ENGINE
+ if (info->engine_id)
+ rsa_engine_remove(e);
++#endif
+ return ret;
+ }
+
+@@ -636,11 +654,13 @@ int rsa_add_verify_data(struct image_sign_info *info, void *keydest)
+ ENGINE *e = NULL;
+
+ debug("%s: Getting verification data\n", __func__);
++#if HAVE_OPENSSL_ENGINE
+ if (info->engine_id) {
+ ret = rsa_engine_init(info->engine_id, &e);
+ if (ret)
+ return ret;
+ }
++#endif
+ ret = rsa_get_pub_key(info->keydir, info->keyname, e, &pkey);
+ if (ret)
+ goto err_get_pub_key;
+@@ -717,9 +737,10 @@ int rsa_add_verify_data(struct image_sign_info *info, void *keydest)
+ err_get_params:
+ EVP_PKEY_free(pkey);
+ err_get_pub_key:
++#if HAVE_OPENSSL_ENGINE
+ if (info->engine_id)
+ rsa_engine_remove(e);
+-
++#endif
+ if (ret)
+ return ret;
+
diff --git a/uboot-tools.spec b/uboot-tools.spec
index b2c59b8..0255d00 100644
--- a/uboot-tools.spec
+++ b/uboot-tools.spec
@@ -58,6 +58,9 @@ Patch23: efi_selftest-Add-basic-partition-info-check-to-block.patch
 # RISCV (riscv64):
 Patch30: improve-riscv64-configs.patch
+# https://github.com/Opvolger/u-boot/commit/cac8d2cb7161443f860c69169979f37bd4994be6
+Patch31: 0001-disable-support-for-signing-with-pkcs11-if-there-is-.patch
+
 BuildRequires: bc
 BuildRequires: bison
 BuildRequires: dtc
@@ -285,6 +288,9 @@ install -p -m 0755 builds/tools/env/fw_printenv %{buildroot}%{_bindir}
 %endif
 %changelog
+* Fri Sep 12 2025 Andrew Lukoshko - 1:2025.07-2.alma.1
+- Disable support for signing with pkcs11
+
 * Fri Jul 11 2025 David Abdurachmanov - 1:2025.07-2.0.riscv64
 - Update for riscv64
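Review bot: With engine support compiled out, `rsa_sign()` (inner hunk `@@ -471,11 +484,13 @@`) and `rsa_add_verify_data()` (inner hunk `@@ -636,11 +654,13 @@`) now silently ignore a non-NULL `info->engine_id` rather than rejecting it: the whole `if (info->engine_id) { ... }` block is inside `#if HAVE_OPENSSL_ENGINE`, so control falls through to `rsa_get_priv_key()` / `rsa_get_pub_key()`, which after this patch only ever try the PEM path. A caller that asked for an engine-held (pkcs11) key therefore either fails later with an unrelated key-file error or, if a PEM key under the same keydir/name happens to exist, may sign with that key instead of the one requested, with nothing in the output saying the engine was never used. An `#else` branch that fails fast when `info->engine_id` is set keeps the failure attributable (the sketch below assumes `<stdio.h>`/`<errno.h>` are already in scope through the existing includes — confirm, or route the message through the file's `rsa_err()`); the same guard belongs in the `rsa_add_verify_data()` hunk. Separately, `#define HAVE_OPENSSL_ENGINE 0` near the top of the file is unconditional, so the subject's "if there is no openssl engine" does not describe what the code does; deriving the value from OpenSSL's own `OPENSSL_NO_ENGINE` after the OpenSSL headers are included would match the stated intent and would not need re-patching if the distro's OpenSSL regains ENGINE support. Both functions begin and end outside their hunks.
```c
#if HAVE_OPENSSL_ENGINE
	/* … unchanged: rsa_engine_init() call and its error check … */
#else
	if (info->engine_id) {
		/* Engine support is compiled out: refuse instead of silently falling back to a PEM key file */
		fprintf(stderr, "%s: engine '%s' requested but OpenSSL engine support is disabled\n",
			__func__, info->engine_id);
		return -ENOTSUP;
	}
#endif
	/* … unchanged: rsa_get_priv_key() call onward … */
```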
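Review bot: The comment above the new `Patch31:` line is a bare commit URL and does not say what the patch changes in the package or why it is needed, so a later maintainer cannot tell from the spec that mkimage's OpenSSL ENGINE (pkcs11) signing path is removed for every build rather than only when the engine is absent. Suggest a line above the URL such as `# Drop mkimage's OpenSSL ENGINE (pkcs11) signing path; the patch hard-codes HAVE_OPENSSL_ENGINE 0 unconditionally — revisit if the distro OpenSSL provides ENGINE support` (the reason the distro needs this is presumably an OpenSSL built without ENGINE, but that is not stated anywhere on the page — confirm). The `%changelog` entry in the second hunk would likewise benefit from noting that engine-based signing is no longer available in mkimage, since that is a user-visible behaviour change and not just a build fix.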