[U-Boot] [PATCH] mkimage: Build signing only if board has CONFIG_FIT_SIGNATURE

[U-Boot] [PATCH] mkimage: Build signing only if board has CONFIG_FIT_SIGNATURE

[Simon Glass]

At present mkimage is set up to always build with image signing support.
This means that the SSL libraries (e.g. libssl-dev) are always required.

Adjust things so that mkimage can be built with and without image signing,
controlled by the presence of CONFIG_FIT_SIGNATURE in the board config file.

If CONFIG_FIT_SIGNATURE is not enabled, then mkimage will report a warning
that signing is not supported. If the option is enabled, but libraries are
not available, then a build error similar to this will be shown:

lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No such file or directory

Signed-off-by: Simon Glass <sjg@chromium.org>
---
 config.mk       | 6 +++++-
 include/image.h | 3 ---
 tools/Makefile  | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/config.mk b/config.mk
index 5a91203..81c2584 100644
--- a/config.mk
+++ b/config.mk
@@ -96,7 +96,6 @@ HOSTCFLAGS	+= $(call os_x_before, 10, 4, "-traditional-cpp")
 HOSTLDFLAGS	+= $(call os_x_before, 10, 5, "-multiply_defined suppress")
 else
 HOSTCC		= gcc
-HOSTLIBS	+= -lssl -lcrypto
 endif
 
 ifeq ($(HOSTOS),cygwin)
@@ -211,6 +210,11 @@ CPPFLAGS += -ffunction-sections -fdata-sections
 LDFLAGS_FINAL += --gc-sections
 endif
 
+# TODO(sjg at chromium.org): Is this correct on Mac OS?
+ifdef CONFIG_FIT_SIGNATURE
+HOSTLIBS	+= -lssl -lcrypto
+endif
+
 ifneq ($(CONFIG_SYS_TEXT_BASE),)
 CPPFLAGS += -DCONFIG_SYS_TEXT_BASE=$(CONFIG_SYS_TEXT_BASE)
 endif
diff --git a/include/image.h b/include/image.h
index 2614918..a7b93db 100644
--- a/include/image.h
+++ b/include/image.h
@@ -46,9 +46,6 @@ struct lmb;
 #define CONFIG_OF_LIBFDT	1
 #define CONFIG_FIT_VERBOSE	1 /* enable fit_format_{error,warning}() */
 
-/* Support FIT image signing on host */
-#define CONFIG_FIT_SIGNATURE
-
 #define IMAGE_ENABLE_IGNORE	0
 #define IMAGE_INDENT_STRING	""
 
diff --git a/tools/Makefile b/tools/Makefile
index cc912fb..46159b2 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -126,7 +126,7 @@ LIBFDT_OBJ_FILES-y += fdt_strerror.o
 LIBFDT_OBJ_FILES-y += fdt_wip.o
 
 # RSA objects
-RSA_OBJ_FILES-y += rsa-sign.o
+RSA_OBJ_FILES-$(CONFIG_FIT_SIGNATURE) += rsa-sign.o
 
 # Generated LCD/video logo
 LOGO_H = $(OBJTREE)/include/bmp_logo.h
-- 
1.8.3

[U-Boot] [PATCH] mkimage: Build signing only if board has CONFIG_FIT_SIGNATURE

[Albert ARIBAUD]

Hi Simon,

On Thu, 27 Jun 2013 10:43:18 -0700, Simon Glass <sjg@chromium.org>
wrote:

> If CONFIG_FIT_SIGNATURE is not enabled, then mkimage will report a warning
> that signing is not supported.

Not sure I understand this scenario. Can you develop?

Amicalement,
-- 
Albert.

[U-Boot] [PATCH] mkimage: Build signing only if board has CONFIG_FIT_SIGNATURE

[Tom Rini]

On Thu, Jun 27, 2013 at 10:55:19PM +0200, Albert ARIBAUD wrote:
> Hi Simon,
> 
> On Thu, 27 Jun 2013 10:43:18 -0700, Simon Glass <sjg@chromium.org>
> wrote:
> 
> > If CONFIG_FIT_SIGNATURE is not enabled, then mkimage will report a warning
> > that signing is not supported.
> 
> Not sure I understand this scenario. Can you develop?

mkimage is stand-alone and for example, some distributions build and
ship a copy.  If they build it without ssl stuff installed, their
distribution shipped copy will not be able to make signed images.  I'll
make sure to spell things out in the release notes.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20130627/80855f5f/attachment.pgp>

[U-Boot] [PATCH] mkimage: Build signing only if board has CONFIG_FIT_SIGNATURE

[Andreas Bießmann]

Hi Simon,

On 27.06.13 19:43, Simon Glass wrote:
> At present mkimage is set up to always build with image signing support.
> This means that the SSL libraries (e.g. libssl-dev) are always required.
> 
> Adjust things so that mkimage can be built with and without image signing,
> controlled by the presence of CONFIG_FIT_SIGNATURE in the board config file.
> 
> If CONFIG_FIT_SIGNATURE is not enabled, then mkimage will report a warning
> that signing is not supported. If the option is enabled, but libraries are
> not available, then a build error similar to this will be shown:
> 
> lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No such file or directory
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> ---
>  config.mk       | 6 +++++-
>  include/image.h | 3 ---
>  tools/Makefile  | 2 +-
>  3 files changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/config.mk b/config.mk
> index 5a91203..81c2584 100644
> --- a/config.mk
> +++ b/config.mk
> @@ -96,7 +96,6 @@ HOSTCFLAGS	+= $(call os_x_before, 10, 4, "-traditional-cpp")
>  HOSTLDFLAGS	+= $(call os_x_before, 10, 5, "-multiply_defined suppress")
>  else
>  HOSTCC		= gcc
> -HOSTLIBS	+= -lssl -lcrypto
>  endif
>  
>  ifeq ($(HOSTOS),cygwin)
> @@ -211,6 +210,11 @@ CPPFLAGS += -ffunction-sections -fdata-sections
>  LDFLAGS_FINAL += --gc-sections
>  endif
>  
> +# TODO(sjg at chromium.org): Is this correct on Mac OS?

I'll check it these days. Unfortunately regex is behaving differently on
OS X too, so prooftool.c is not compiling:

---8<---
proftool.c: In function ?check_trace_config_line?:
proftool.c:336: error: ?REG_NOERROR? undeclared (first use in this function)
--->8---

I'll check this too.

Best regards

Andreas Bie?mann

[U-Boot] [PATCH] mkimage: Build signing only if board has CONFIG_FIT_SIGNATURE

[Simon Glass]

Hi Andreas,

On Thu, Jun 27, 2013 at 11:48 PM, Andreas Bie?mann <
andreas.devel@googlemail.com> wrote:

> Hi Simon,
>
> On 27.06.13 19:43, Simon Glass wrote:
> > At present mkimage is set up to always build with image signing support.
> > This means that the SSL libraries (e.g. libssl-dev) are always required.
> >
> > Adjust things so that mkimage can be built with and without image
> signing,
> > controlled by the presence of CONFIG_FIT_SIGNATURE in the board config
> file.
> >
> > If CONFIG_FIT_SIGNATURE is not enabled, then mkimage will report a
> warning
> > that signing is not supported. If the option is enabled, but libraries
> are
> > not available, then a build error similar to this will be shown:
> >
> > lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No such file or
> directory
> >
> > Signed-off-by: Simon Glass <sjg@chromium.org>
> > ---
> >  config.mk       | 6 +++++-
> >  include/image.h | 3 ---
> >  tools/Makefile  | 2 +-
> >  3 files changed, 6 insertions(+), 5 deletions(-)
> >
> > diff --git a/config.mk b/config.mk
> > index 5a91203..81c2584 100644
> > --- a/config.mk
> > +++ b/config.mk
> > @@ -96,7 +96,6 @@ HOSTCFLAGS  += $(call os_x_before, 10, 4,
> "-traditional-cpp")
> >  HOSTLDFLAGS  += $(call os_x_before, 10, 5, "-multiply_defined suppress")
> >  else
> >  HOSTCC               = gcc
> > -HOSTLIBS     += -lssl -lcrypto
> >  endif
> >
> >  ifeq ($(HOSTOS),cygwin)
> > @@ -211,6 +210,11 @@ CPPFLAGS += -ffunction-sections -fdata-sections
> >  LDFLAGS_FINAL += --gc-sections
> >  endif
> >
> > +# TODO(sjg at chromium.org): Is this correct on Mac OS?
>
> I'll check it these days. Unfortunately regex is behaving differently on
> OS X too, so prooftool.c is not compiling:
>
> ---8<---
> proftool.c: In function ?check_trace_config_line?:
> proftool.c:336: error: ?REG_NOERROR? undeclared (first use in this
> function)
> --->8---
>
> I'll check this too.
>

Thank you! I do actually have a Mac somewhere but just not the enthusiasm
to get their baroque dev env running. I had a crack at installing pygame
and it nearly finished me off. Is there a web page somewhere with simple
instructions?

Regards,
Simon

[U-Boot] [PATCH] lib/rsa/rsa-sig.c: compile on OS X

[Andreas Bießmann]

Interfaces exposed by error.h seems not to be used in rsa-sig.c, remove it.
This also fixes an compile error on OS X:

---8<---
u-boot/lib/rsa/rsa-sign.c:23:19: error: error.h: No such file or directory
--->8---

Signed-off-by: Andreas Bie?mann <andreas.devel@googlemail.com>
---
At least rsa-sig compiles with this change on OS X, mkimage is successfully
linked against ssl and crypto, havn't runtime tested it though.
So Simon, you could remove the TODO about host libs.

 lib/rsa/rsa-sign.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index a75ae24..e30d8ca 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -20,7 +20,6 @@
 #include "mkimage.h"
 #include <stdio.h>
 #include <string.h>
-#include <error.h>
 #include <image.h>
 #include <time.h>
 #include <openssl/rsa.h>
-- 
1.8.3.1

[U-Boot] [PATCH] mkimage: Build signing only if board has CONFIG_FIT_SIGNATURE

[Andreas Bießmann]

Hi Simon,

On 28.06.13 08:52, Simon Glass wrote:
> Hi Andreas,
> 
> On Thu, Jun 27, 2013 at 11:48 PM, Andreas Bie?mann
> <andreas.devel at googlemail.com <mailto:andreas.devel@googlemail.com>> wrote:

<snip>

>     > +# TODO(sjg at chromium.org <mailto:sjg@chromium.org>): Is this
>     correct on Mac OS?
> 
>     I'll check it these days. Unfortunately regex is behaving differently on
>     OS X too, so prooftool.c is not compiling:
> 
>     ---8<---
>     proftool.c: In function ?check_trace_config_line?:
>     proftool.c:336: error: ?REG_NOERROR? undeclared (first use in this
>     function)
>     --->8---
> 
>     I'll check this too.
> 
> 
> Thank you! I do actually have a Mac somewhere but just not the
> enthusiasm to get their baroque dev env running.

Use third party stuff like fink, macports or something like that.

> I had a crack at
> installing pygame and it nearly finished me off. Is there a web page
> somewhere with simple instructions?

finkproject.org ;)
No, not really something on u-boot or linux dev on Mac.

Best regards

Andreas Bie?mann

[U-Boot] [PATCH] mkimage: Build signing only if board has CONFIG_FIT_SIGNATURE

[Simon Glass]

Hi Andreas,

On Fri, Jun 28, 2013 at 12:02 AM, Andreas Bie?mann <
andreas.devel@googlemail.com> wrote:

> Hi Simon,
>
> On 28.06.13 08:52, Simon Glass wrote:
> > Hi Andreas,
> >
> > On Thu, Jun 27, 2013 at 11:48 PM, Andreas Bie?mann
> > <andreas.devel at googlemail.com <mailto:andreas.devel@googlemail.com>>
> wrote:
>
> <snip>
>
> >     > +# TODO(sjg at chromium.org <mailto:sjg@chromium.org>): Is this
> >     correct on Mac OS?
> >
> >     I'll check it these days. Unfortunately regex is behaving
> differently on
> >     OS X too, so prooftool.c is not compiling:
> >
> >     ---8<---
> >     proftool.c: In function ?check_trace_config_line?:
> >     proftool.c:336: error: ?REG_NOERROR? undeclared (first use in this
> >     function)
> >     --->8---
> >
> >     I'll check this too.
> >
> >
> > Thank you! I do actually have a Mac somewhere but just not the
> > enthusiasm to get their baroque dev env running.
>
> Use third party stuff like fink, macports or something like that.
>
> > I had a crack at
> > installing pygame and it nearly finished me off. Is there a web page
> > somewhere with simple instructions?
>
> finkproject.org ;)
> No, not really something on u-boot or linux dev on Mac.
>

Thanks - I vaguely remember finding that, I will try harder. I am sure it
is soluble in a sufficient quantity of ale.

Regards,
Simon

[U-Boot] [PATCH] mkimage: Build signing only if board has CONFIG_FIT_SIGNATURE

[Lubomir Popov]

Hi Simon,

On 28/06/13 10:02, Andreas Bie?mann wrote:
> Hi Simon,
> 
> On 28.06.13 08:52, Simon Glass wrote:
>> Hi Andreas,
>>
>> On Thu, Jun 27, 2013 at 11:48 PM, Andreas Bie?mann
>> <andreas.devel at googlemail.com <mailto:andreas.devel@googlemail.com>> wrote:
> 
> <snip>
> 
>>     > +# TODO(sjg at chromium.org <mailto:sjg@chromium.org>): Is this
>>     correct on Mac OS?
>>
>>     I'll check it these days. Unfortunately regex is behaving differently on
>>     OS X too, so prooftool.c is not compiling:
>>
>>     ---8<---
>>     proftool.c: In function ?check_trace_config_line?:
>>     proftool.c:336: error: ?REG_NOERROR? undeclared (first use in this
>>     function)
>>     --->8---
>>
>>     I'll check this too.
>>
>>
>> Thank you! I do actually have a Mac somewhere but just not the
>> enthusiasm to get their baroque dev env running.
> 
> Use third party stuff like fink, macports or something like that.

Right. I'm using macports, with relatively fresh gcc, arm crosscomp and binutils
(one has to install the Xcode Command Line Tools first however). Then I use Xcode
as editor only.

One known problem with MacOS X is that if the filesystem is not case-sensitive
(and by default it is not on factory-formatted Mac boot drives), we may run into
some make errors. And making it case-sensitive requires HDD reformatting... Or
creating a separate partition... Or buying another drive for development.

> 
>> I had a crack at
>> installing pygame and it nearly finished me off. Is there a web page
>> somewhere with simple instructions?
> 
> finkproject.org ;)
> No, not really something on u-boot or linux dev on Mac.
> 
> Best regards
> 
> Andreas Bie?mann
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot
> 
Regards,
Lubo

[U-Boot] [PATCH] mkimage: Build signing only if board has CONFIG_FIT_SIGNATURE

[Tom Rini]

On Thu, Jun 27, 2013 at 10:43:18AM -0700, Simon Glass wrote:

> At present mkimage is set up to always build with image signing support.
> This means that the SSL libraries (e.g. libssl-dev) are always required.
> 
> Adjust things so that mkimage can be built with and without image signing,
> controlled by the presence of CONFIG_FIT_SIGNATURE in the board config file.
> 
> If CONFIG_FIT_SIGNATURE is not enabled, then mkimage will report a warning
> that signing is not supported. If the option is enabled, but libraries are
> not available, then a build error similar to this will be shown:
> 
> lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No such file or directory
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20130628/7c7bd660/attachment.pgp>

[U-Boot] [PATCH] lib/rsa/rsa-sig.c: compile on OS X

[Andreas Bießmann]

superseded by http://patchwork.ozlabs.org/patch/255877/

On 28.06.13 09:00, Andreas Bie?mann wrote:
> Interfaces exposed by error.h seems not to be used in rsa-sig.c, remove it.
> This also fixes an compile error on OS X:
> 
> ---8<---
> u-boot/lib/rsa/rsa-sign.c:23:19: error: error.h: No such file or directory
> --->8---
> 
> Signed-off-by: Andreas Bie?mann <andreas.devel@googlemail.com>
> ---