From patchwork Wed Mar 4 15:31:41 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Luebbe X-Patchwork-Id: 82459 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 92134EF8FF7 for ; Wed, 4 Mar 2026 15:31:54 +0000 (UTC) Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20935.1772638311462282034 for ; Wed, 04 Mar 2026 07:31:52 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: pengutronix.de, ip: 185.203.201.7, mailfrom: jlu@pengutronix.de) Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vxoCS-0004uV-Vv; Wed, 04 Mar 2026 16:31:49 +0100 Received: from dude06.red.stw.pengutronix.de ([2a0a:edc0:0:1101:1d::5c]) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vxoCQ-003joC-2C; Wed, 04 Mar 2026 16:31:48 +0100 Received: from jlu by dude06.red.stw.pengutronix.de with local (Exim 4.98.2) (envelope-from ) id 1vxoCR-0000000GJ8x-44NZ; Wed, 04 Mar 2026 16:31:47 +0100 
From: Jan Luebbe To: openembedded-devel@lists.openembedded.org Cc: Jan Luebbe Subject: [meta-oe][PATCH 1/3] signing.bbclass: remove trailing white space Date: Wed, 4 Mar 2026 16:31:41 +0100 Message-ID: <20260304153143.3886815-1-jlu@pengutronix.de> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: jlu@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: openembedded-devel@lists.openembedded.org List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Mar 2026 15:31:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124850 Signed-off-by: Jan Luebbe --- meta-oe/classes/signing.bbclass | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index b35184398a45..cb54b55641da 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -19,7 +19,7 @@ # build system level, this class takes the approach of always using PKCS #11 at # the recipe level. For cases where the keys are available as files (i.e. test # keys in CI), they are imported into SoftHSM (a HSM emulation library). -# +# # Recipes access the available keys via a specific role. So, depending on # whether we're building during development or for release, a given role can # refer to different keys. 
@@ -33,7 +33,7 @@ # SIGNING_PKCS11_MODULE[fit] = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" # # Examples for defining roles and importing keys: -# +# # meta-code-signing/recipes-security/signing-keys/dummy-rsa-key-native.bb # meta-code-signing-demo/recipes-security/ptx-dev-keys/ptx-dev-keys-native_git.bb # From patchwork Wed Mar 4 15:31:42 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Luebbe X-Patchwork-Id: 82460 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AD8AEEF8FF9 for ; Wed, 4 Mar 2026 15:31:54 +0000 (UTC) Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20936.1772638312597429961 for ; Wed, 04 Mar 2026 07:31:52 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: pengutronix.de, ip: 185.203.201.7, mailfrom: jlu@pengutronix.de) Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vxoCV-0004v9-5K; Wed, 04 Mar 2026 16:31:51 +0100 Received: from dude06.red.stw.pengutronix.de ([2a0a:edc0:0:1101:1d::5c]) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vxoCT-003joI-23; Wed, 04 Mar 2026 16:31:50 +0100 Received: from jlu by dude06.red.stw.pengutronix.de with local (Exim 4.98.2) (envelope-from ) id 1vxoCU-0000000GJ95-3rux; Wed, 04 Mar 2026 16:31:50 +0100 
From: Jan Luebbe To: openembedded-devel@lists.openembedded.org Cc: Fabian Pflug , Jan Luebbe Subject: [meta-oe][PATCH 2/3] signing.bbclass: add support for OpenSSL PKCS#11 provider Date: Wed, 4 Mar 2026 16:31:42 +0100 Message-ID: <20260304153143.3886815-2-jlu@pengutronix.de> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260304153143.3886815-1-jlu@pengutronix.de> References: <20260304153143.3886815-1-jlu@pengutronix.de> MIME-Version: 1.0 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: jlu@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: openembedded-devel@lists.openembedded.org List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Mar 2026 15:31:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124851 From: Fabian Pflug OpenSSL 4.0 will drop support for engines and use providers instead. To access SoftHSM and other PKCS#11 modules via the provider API, we rely on https://github.com/latchset/pkcs11-provider, which is already available via the pkcs11-provider recipe. We enable this provider by using a specific OpenSSL config when signing. This means that recipes inheriting this class can decide whether they want to use the engine or provider to access the key. SoftHSM seems to produce broken keys when calling the C_CopyObject, so disable caching in the provider for now. Signed-off-by: Jan Luebbe Signed-off-by: Fabian Pflug --- meta-oe/classes/signing.bbclass | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index cb54b55641da..70c3807a6dfd 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass 
@@ -54,7 +54,7 @@ SIGNING_PKCS11_URI ?= "" SIGNING_PKCS11_MODULE ?= "" -DEPENDS += "softhsm-native libp11-native opensc-native openssl-native extract-cert-native" +DEPENDS += "softhsm-native pkcs11-provider-native libp11-native opensc-native openssl-native extract-cert-native" def signing_class_prepare(d): import os.path @@ -338,16 +338,10 @@ signing_import_install() { signing_prepare() { export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" export OPENSSL_ENGINES="${STAGING_LIBDIR_NATIVE}/engines-3" - export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/ssl-3/openssl.cnf" + export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/openssl-provider-signing.cnf" export SSL_CERT_DIR="${STAGING_LIBDIR_NATIVE}/ssl-3/certs" export SSL_CERT_FILE="${STAGING_LIBDIR_NATIVE}/ssl-3/cert.pem" - if [ -f ${OPENSSL_CONF} ]; then - echo "Using '${OPENSSL_CONF}' for OpenSSL configuration" - else - echo "Missing 'openssl.cnf' at '${STAGING_ETCDIR_NATIVE}/ssl'" - return 1 - fi if [ -d ${OPENSSL_MODULES} ]; then echo "Using '${OPENSSL_MODULES}' for OpenSSL run-time modules" else 
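Review bot: in the `signing_prepare` hunk, the `if [ -f ${OPENSSL_CONF} ]` check is dropped while `OPENSSL_CONF` is re-pointed at `${STAGING_LIBDIR_NATIVE}/openssl-provider-signing.cnf`, a file the class now writes itself further down in the same function, so nothing verifies that the generated configuration actually exists or was written completely before OpenSSL is invoked. The old check was testing the wrong thing for the new scheme, so removing it is right, but a check placed after the file is written (for example `[ -s "${OPENSSL_CONF}" ] || return 1`) would turn a failed or partial write into a task failure instead of leaving the provider unconfigured. It would also help to state in a comment that the file lives in the recipe's per-recipe native sysroot and is regenerated on each call, since the path otherwise looks like something a recipe is expected to provide; the `OPENSSL_MODULES`/`OPENSSL_ENGINES` checks that remain in the hunk could then stay as they are.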
@@ -367,6 +361,26 @@ signing_prepare() { echo "directories.tokendir = $SOFTHSM2_DIR" > "$SOFTHSM2_CONF" echo "objectstore.backend = db" >> "$SOFTHSM2_CONF" + cat > "${OPENSSL_CONF}" < X-Patchwork-Id: 82458 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 93A48EF8FF8 for ; Wed, 4 Mar 2026 15:31:54 +0000 (UTC) Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.21080.1772638313406573666 for ; Wed, 04 Mar 2026 07:31:53 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: pengutronix.de, ip: 185.203.201.7, mailfrom: jlu@pengutronix.de) Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vxoCV-0004vQ-VP; Wed, 04 Mar 2026 16:31:51 +0100 Received: from dude06.red.stw.pengutronix.de ([2a0a:edc0:0:1101:1d::5c]) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vxoCU-003joM-1Q; Wed, 04 Mar 2026 16:31:51 +0100 Received: from jlu by dude06.red.stw.pengutronix.de with local (Exim 4.98.2) (envelope-from ) id 1vxoCV-0000000GJ9C-330E; Wed, 04 Mar 2026 16:31:51 +0100 
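Review bot: the body of the `cat > "${OPENSSL_CONF}" <<...` heredoc in the `signing_prepare` hunk is not visible in this rendering (the line is cut right after the redirection), so the settings the commit message promises (engine versus provider selection by the inheriting recipe, and caching disabled to work around SoftHSM's `C_CopyObject` behaviour) cannot be checked here. Whatever the generated file contains, the SoftHSM workaround deserves a comment inside the heredoc naming the `C_CopyObject` problem and a reference to where it was reported, so the caching setting can be re-enabled once SoftHSM is fixed rather than silently outliving the bug; the same comment could note that `OPENSSL_CONF` now replaces the stock `ssl-3/openssl.cnf` entirely, so any defaults recipes relied on from that file no longer apply during signing.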
From: Jan Luebbe To: openembedded-devel@lists.openembedded.org Cc: Fabian Pflug , Jan Luebbe Subject: [meta-oe][PATCH 3/3] signing.bbclass: add signing_create_uri_pem helper function Date: Wed, 4 Mar 2026 16:31:43 +0100 Message-ID: <20260304153143.3886815-3-jlu@pengutronix.de> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260304153143.3886815-1-jlu@pengutronix.de> References: <20260304153143.3886815-1-jlu@pengutronix.de> MIME-Version: 1.0 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: jlu@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: openembedded-devel@lists.openembedded.org List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Mar 2026 15:31:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124852 From: Fabian Pflug The PKCS#11 provider has a mechanism [1] to support older applications which have not yet migrated to the OSSL_STORE API [2]. It works by encoding the 'pkcs11:' URI into a PEM file and passing that to an application as a file. From the application's perspective it loads the private key from a file, but OpenSSL will transparently select the provider to access it via PKCS#11 instead. Instead of upstream's Python-based tool [3] (which would pull in asn1crypto as a dependency), we just generate the ASN.1 for the PEM using OpenSSL's 'asn1parse -genconf'. It has been tested with RAUC, U-Boot's mkimage (for signed FITs) and NXP's CST. [1] https://github.com/latchset/pkcs11-provider/blob/main/docs/provider-pkcs11.7.md#use-in-older-applications-uris-in-pem-files [2] https://docs.openssl.org/master/man7/ossl_store/ [3] https://github.com/latchset/pkcs11-provider/blob/main/tools/uri2pem.py Signed-off-by: Jan Luebbe 
Signed-off-by: Fabian Pflug --- meta-oe/classes/signing.bbclass | 34 +++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 70c3807a6dfd..a9f657feb6bb 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -463,6 +463,40 @@ signing_extract_cert_pem() { rm "${output}.tmp-der" } +# signing_create_uri_pem +# +# Wrap the role's pkcs11: URI in a PEM file. +# The resulting file can be used instead of the URI returned by +# 'signing_get_uri $role' with applications which do not yet support the +# OSSL_STORE for native access to the PKCS#11 provider. +signing_create_uri_pem() { + local role="${1}" + local output="${2}" + local conf="${output}.cnf" + local der="${output}.der" + + local uri="$(signing_get_uri $role)" + + echo "Wrapping PKCS#11 URI for role '$role' as '${output}'" + + # The \# escape prevents OpenSSL's config parser treating # as a comment. + cat > "${conf}" < "${output}" +} + python () { signing_class_prepare(d) }
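Review bot: in `signing_create_uri_pem`, `local uri="$(signing_get_uri $role)"` masks the exit status of `signing_get_uri` (the `local` assignment always succeeds), so a role with no configured key yields an empty `uri` and the function goes on to wrap an empty string into a PEM file instead of failing; split declaration and assignment (`local uri; uri="$(signing_get_uri "$role")" || return 1`) and reject an empty result, and quote `"$role"` as the surrounding helpers do. Two further points on the same hunk: the temporaries `${conf}` and `${der}` are created next to the output, but unlike `signing_extract_cert_pem` directly above, which ends with `rm "${output}.tmp-der"`, no `rm` of them is visible (the heredoc region between `cat > "${conf}" <` and `> "${output}"` is cut in this rendering, so if cleanup lives there, fine; if not, add it so the `.cnf` and `.der` files do not linger in `${WORKDIR}` or `${D}`). And because the resulting PEM embeds the role's full `pkcs11:` URI, any `pin-value` attribute present in that URI is now persisted in a plain file that tools such as mkimage or CST receive by path; the header comment should say the file must be handled with the same care as the URI itself and not be deployed or packaged with the signed artefacts.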