* [PATCH 0/4] rkimage: Add resigning support
@ 2026-04-29 10:19 Sascha Hauer
2026-04-29 10:19 ` [PATCH 1/4] rkimage: Support openssl provider API Sascha Hauer
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Sascha Hauer @ 2026-04-29 10:19 UTC (permalink / raw)
To: BAREBOX
Add support for changing the signing key of an existing image. Can be
either used to add a key or to replace a key. Also some cleanups along
the way.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Sascha Hauer (4):
rkimage: Support openssl provider API
rkimage: unconditionally fill newidb
rkimage: add support for re-signing an existing image
rkimage: improve error handling
scripts/rkimage.c | 115 ++++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 102 insertions(+), 13 deletions(-)
---
base-commit: 019d102038a64e6b6e8f445cbfd2d15e68d0ec3f
change-id: 20260429-rkimage-resign-670567b22e75
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/4] rkimage: Support openssl provider API
From: Sascha Hauer @ 2026-04-29 10:19 UTC (permalink / raw)
To: BAREBOX
OpenSSL engine support has long been deprecated. Add provider support.
Engine support is still needed in some cases, so first try provider
support and fall back to engine support if necessary.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
scripts/rkimage.c | 40 ++++++++++++++++++++++++++++++++++------
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/scripts/rkimage.c b/scripts/rkimage.c
index e5b6d61c4a..04d98daa6d 100644
--- a/scripts/rkimage.c
+++ b/scripts/rkimage.c
@@ -13,15 +13,13 @@
#include <stdbool.h>
#include <openssl/bn.h>
-/*
- * TODO Switch from the OpenSSL ENGINE API to the PKCS#11 provider and the
- * PROVIDER API: https://github.com/latchset/pkcs11-provider
- */
+#include <openssl/err.h>
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
+#include <openssl/store.h>
#include "common.h"
#include "common.c"
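Review bot: the file-wide `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"` now also hides deprecation warnings in the new provider-based code, which is the path that should stay warning-clean; with ENGINE demoted to a fallback, consider scoping the pragma with `#pragma GCC diagnostic push` / `pop` around `<openssl/engine.h>` and the ENGINE calls only. The removed TODO carried the pointer to https://github.com/latchset/pkcs11-provider; since the provider path now depends on exactly that project, it is worth keeping the URL in the comment that documents the fallback.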
@@ -63,12 +61,42 @@ static void idb_hash(struct newidb *idb)
sha512(idbu8, size, idbu8 + size);
}
-static __attribute__((unused)) EVP_PKEY *load_key_pkcs11(const char *path)
+static __attribute__((unused)) EVP_PKEY *load_key_pkcs11(const char *uri)
{
+ OSSL_STORE_CTX *ctx;
+ OSSL_STORE_INFO *info;
const char *engine_id = "pkcs11";
ENGINE *e;
EVP_PKEY *pkey = NULL;
+ /* Try provider-based store first (requires pkcs11-provider) */
+ ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL);
+ if (ctx) {
+ while (!OSSL_STORE_eof(ctx)) {
+ info = OSSL_STORE_load(ctx);
+ if (!info)
+ break;
+ if (OSSL_STORE_INFO_get_type(info) ==
+ OSSL_STORE_INFO_PKEY) {
+ pkey = OSSL_STORE_INFO_get1_PKEY(info);
+ OSSL_STORE_INFO_free(info);
+ break;
+ }
+ OSSL_STORE_INFO_free(info);
+ }
+ OSSL_STORE_close(ctx);
+ if (pkey)
+ return pkey;
+ }
+
+ /*
+ * Fall back to legacy ENGINE API (requires libp11 pkcs11 engine).
+ * The provider-based approach above requires pkcs11-provider, which is
+ * not yet available in ptxdist environments. The deprecated ENGINE API
+ * via libp11 remains functional there and is used as a fallback.
+ */
+ ERR_clear_error();
+
ENGINE_load_builtin_engines();
e = ENGINE_by_id(engine_id);
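Review bot: the provider path's error queue is thrown away before anything can report it: `ERR_clear_error();` right after the OSSL_STORE block discards why `OSSL_STORE_open()` or `OSSL_STORE_load()` failed, so when the ENGINE fallback also fails (a host without libp11) the user gets no hint that pkcs11-provider was missing or that the URI was rejected. Suggest `ERR_print_errors_fp(stderr);` ahead of `ERR_clear_error();`, or deferring the dump until the fallback has failed too. Also, `OSSL_STORE_open()` is called with a NULL ui_method, so a token that requires a PIN can only be unlocked when the PIN is embedded in the URI (pin-value); a comment stating that, or a UI_METHOD hook if interactive PIN entry is expected, would avoid a silent "no key found" for such tokens.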
@@ -81,7 +109,7 @@ static __attribute__((unused)) EVP_PKEY *load_key_pkcs11(const char *path)
goto err_engine_init;
}
- pkey = ENGINE_load_private_key(e, path, NULL, NULL);
+ pkey = ENGINE_load_private_key(e, uri, NULL, NULL);
ENGINE_finish(e);
err_engine_init:
--
2.47.3
From: Sascha Hauer @ 2026-04-29 10:19 UTC (permalink / raw)
To: BAREBOX
The rkimage tool checks if the incoming image already is a Rockchip
image and only if it's not creates an idb header. This seems to be a
remnant of some never completed support for adding a new signature to an
existing image. Drop this to cleanly implement resigning in the next
step.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
scripts/rkimage.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/scripts/rkimage.c b/scripts/rkimage.c
index 04d98daa6d..2dd5fceab3 100644
--- a/scripts/rkimage.c
+++ b/scripts/rkimage.c
@@ -473,8 +473,7 @@ int main(int argc, char *argv[])
close(fd);
}
- if (!(n_code == 1 && has_magic(code[0].buf)))
- create_newidb(&idb);
+ create_newidb(&idb);
if (key) {
int ret;
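Review bot: with the `has_magic()` check gone, a positional input that already carries the Rockchip magic is no longer passed through but gets a fresh idb header created for it, and nothing in these lines rejects that input, so an already-wrapped image given as a plain argument silently ends up double-wrapped. Suggest turning the dropped condition into an error that points the user at the re-signing path the next patch adds, e.g. `if (n_code == 1 && has_magic(code[0].buf)) { fprintf(stderr, "input is already a Rockchip image\n"); exit(1); }`.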
--
2.47.3
From: Sascha Hauer @ 2026-04-29 10:19 UTC (permalink / raw)
To: BAREBOX
This adds the -r <file> option to add a signature to an existing image
or to replace the signature in an existing image.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
scripts/rkimage.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 58 insertions(+), 2 deletions(-)
diff --git a/scripts/rkimage.c b/scripts/rkimage.c
index 2dd5fceab3..2dc67f499b 100644
--- a/scripts/rkimage.c
+++ b/scripts/rkimage.c
@@ -394,6 +394,43 @@ static int sign_newidb(struct newidb *idb, const char *path)
}
#endif
+static int re_sign_image(const char *infile, const char *outfile, const char *key)
+{
+ void *buf;
+ size_t size;
+ int ret;
+
+ if (!key) {
+ fprintf(stderr, "Can't resign without key\n");
+ exit(1);
+ }
+
+ buf = read_file(infile, &size);
+ if (!buf) {
+ fprintf(stderr, "Cannot read %s\n", infile);
+ exit(1);
+ }
+
+ if (!has_magic(buf)) {
+ fprintf(stderr, "%s is not a rockchip image\n", infile);
+ exit(1);
+ }
+
+ ret = sign_newidb(buf, key);
+ if (ret) {
+ fprintf(stderr, "Cannot sign image: %s: %s\n", infile, strerror(-ret));
+ exit(1);
+ }
+
+ ret = write_file(outfile, buf, size);
+ if (ret) {
+ fprintf(stderr, "Cannot write %s: %s\n", outfile, strerror(errno));
+ exit(1);
+ }
+
+ return 0;
+}
+
struct option cbootcmd[] = {
{"help", 0, NULL, 'h'},
{"o", 1, NULL, 'o'},
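Review bot: `re_sign_image()` never checks `size` against the idb header before touching `buf`: `has_magic(buf)` reads the header and `sign_newidb(buf, key)` writes the signature into it (its parameter is a `struct newidb *`), so a truncated file becomes an out-of-bounds read or write instead of an error. Suggest `if (size < sizeof(struct newidb)) { fprintf(stderr, "%s is too small for a rockchip image\n", infile); exit(1); }` before the `has_magic()` test. Minor: the function calls `exit(1)` on every failure and only ever returns 0, so its `int` return value is dead; either return the negative error and let `main()` report it, or make the function `void`.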
@@ -412,18 +449,20 @@ static void usage(const char *prgname)
"Options:\n"
" -o <file> Output image to <file>\n"
" -k <key> Sign the image with <key> as PEM file or PKCS#11 uri\n"
+" -r <file> Re-sign the image\n"
" -h This help\n",
prgname);
}
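Review bot: the usage line for -r does not say what `<file>` is or what else is needed: -r takes the existing image as input, and `re_sign_image()` refuses to run without -k and writes to the -o target, so `" -r <file> Re-sign the image\n"` reads as if it were a flag on the normal build path. Suggest `" -r <file> Re-sign existing image <file> (requires -k and -o)\n"`. Also, the `cbootcmd` table in the previous hunk's context has a long-option entry for "o" but none is added for "r"; if that table is meant to mirror the short options, add `{"r", 1, NULL, 'r'},`.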
int main(int argc, char *argv[])
{
- int opt, i, fd;
+ int opt, i, fd, ret;
const char *outfile = NULL;
const char *key = NULL;
+ const char *re_sign = NULL;
struct newidb idb = {};
- while ((opt = getopt_long(argc, argv, "ho:k:", cbootcmd, NULL)) > 0) {
+ while ((opt = getopt_long(argc, argv, "hr:o:k:", cbootcmd, NULL)) > 0) {
switch (opt) {
case 'o':
outfile = optarg;
@@ -431,6 +470,9 @@ int main(int argc, char *argv[])
case 'k':
key = optarg;
break;
+ case 'r':
+ re_sign = optarg;
+ break;
case 'h':
usage(argv[0]);
exit(0);
@@ -438,6 +480,20 @@ int main(int argc, char *argv[])
}
n_code = argc - optind;
+
+ if (re_sign) {
+ if (n_code) {
+ fprintf(stderr, "unhandled non-opt arguments\n");
+ exit(1);
+ }
+
+ ret = re_sign_image(re_sign, outfile, key);
+ if (ret)
+ exit(1);
+ else
+ exit(0);
+ }
+
if (!n_code) {
usage(argv[0]);
exit(1);
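Review bot: the `if (ret) exit(1); else exit(0);` branch is dead code, since `re_sign_image()` exits itself on every failure and returns 0 otherwise, so `ret` is always 0 here; either have the helper return errors and use `exit(re_sign_image(re_sign, outfile, key) ? 1 : 0);`, or just call it and `exit(0)`. Also, `outfile` is not validated before this point, so `-r image.bin -k key.pem` without -o reaches `write_file()` with a NULL path; 4/4 adds that check, but it belongs in the patch that introduces the first caller that needs it.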
--
2.47.3
From: Sascha Hauer @ 2026-04-29 10:19 UTC (permalink / raw)
To: BAREBOX
Complain when outfile is not given. Also, mention that we actually can't
create a file, which is more accurate than just saying "open". While at
it, fix some tab/whitespace issues.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
scripts/rkimage.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/scripts/rkimage.c b/scripts/rkimage.c
index 2dc67f499b..8243742d65 100644
--- a/scripts/rkimage.c
+++ b/scripts/rkimage.c
@@ -389,8 +389,8 @@ static int sign_newidb(struct newidb *idb, const char *path)
#else
static int sign_newidb(struct newidb *idb, const char *path)
{
- fprintf(stderr, "Signing support requires at least OpenSSL 3.0\n");
- return -ENOSYS;
+ fprintf(stderr, "Signing support requires at least OpenSSL 3.0\n");
+ return -ENOSYS;
}
#endif
@@ -481,6 +481,12 @@ int main(int argc, char *argv[])
n_code = argc - optind;
+ if (!outfile) {
+ fprintf(stderr, "No output file specified, use -o\n");
+ usage(argv[0]);
+ exit(1);
+ }
+
if (re_sign) {
if (n_code) {
fprintf(stderr, "unhandled non-opt arguments\n");
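Review bot: the new check sits before the existing `if (!n_code) { usage(argv[0]); exit(1); }`, so invoking the tool with no arguments at all now prints "No output file specified, use -o" followed by usage instead of plain usage; moving the outfile check after the no-arguments check keeps the message specific to the case where the user actually supplied an input. Style: the check already calls `usage()`, so the error line could be shortened to just the missing-option hint.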
@@ -543,7 +549,7 @@ int main(int argc, char *argv[])
fd = creat(outfile, 0644);
if (fd < 0) {
- fprintf(stderr, "Cannot open %s: %s\n", outfile, strerror(errno));
+ fprintf(stderr, "Cannot create %s: %s\n", outfile, strerror(errno));
exit(1);
}
--
2.47.3
From: Sascha Hauer @ 2026-05-07 10:39 UTC (permalink / raw)
To: BAREBOX, Sascha Hauer
On Wed, 29 Apr 2026 12:19:52 +0200, Sascha Hauer wrote:
> Add support for changing the signing key of an existing image. Can be
> either used to add a key or to replace a key. Also some cleanups along
> the way
>
>
Applied, thanks!
[1/4] rkimage: Support openssl provider API
https://git.pengutronix.de/cgit/barebox/commit/?id=e0163b29de33 (link may not be stable)
[2/4] rkimage: unconditionally fill newidb
https://git.pengutronix.de/cgit/barebox/commit/?id=18f4312def72 (link may not be stable)
[3/4] rkimage: add support for re-signing an existing image
https://git.pengutronix.de/cgit/barebox/commit/?id=7608e33ca28e (link may not be stable)
[4/4] rkimage: improve error handling
https://git.pengutronix.de/cgit/barebox/commit/?id=8e7ef228b68c (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>