From: Tom Rini <trini@konsulko.com>
To: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Cc: u-boot@lists.denx.de, sjg@chromium.org
Subject: Re: [PATCH v2] tools: Use a single target-independent config to enable OpenSSL
Date: Wed, 14 Jul 2021 17:11:38 -0400 [thread overview]
Message-ID: <20210714211138.GA25256@bill-the-cat> (raw)
In-Reply-To: <20210706150326.2800576-1-mr.nuke.me@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1961 bytes --]
On Tue, Jul 06, 2021 at 10:03:26AM -0500, Alexandru Gagniuc wrote:
> Host tool features, such as mkimage's ability to sign FIT images were
> enabled or disabled based on the target configuration. However, this
> misses the point of a target-agnostic host tool.
>
> A target's ability to verify FIT signatures is independent of
> mkimage's ability to create those signatures. In fact, u-boot's build
> system doesn't sign images. The target code can be successfully built
> without relying on any ability to sign such code.
>
> Conversely, mkimage's ability to sign images does not require that
> those images will only work on targets which support FIT verification.
> Linking mkimage cryptographic features to target support for FIT
> verification is misguided.
>
> Without loss of generality, we can say that host features are and
> should be independent of target features.
>
> While we prefer that a host tool always supports the same feature set,
> we recognize the following
> - some users prefer to build u-boot without a dependency on OpenSSL.
> - some distros prefer to ship mkimage without linking to OpenSSL
>
> To allow these use cases, introduce a host-only Kconfig which is used
> to select or deselect libcrypto support. Some mkimage features or some
> host tools might not be available, but this shouldn't affect the
> u-boot build.
>
> I also considered setting the default of this config based on
> FIT_SIGNATURE. While it would preserve the old behaviour it's also
> contrary to the goals of this change. I decided to enable it by
> default, so that the default build yields the most feature-complete
> mkimage.
>
> Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
This doesn't apply cleanly right now, and while I thought I had fixed
that up correctly, building rpi_3_32b for example in the CI contains
fails very loudly/badly with this change. Please rebase, thanks!
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next prev parent reply other threads:[~2021-07-14 21:11 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-06 15:03 [PATCH v2] tools: Use a single target-independent config to enable OpenSSL Alexandru Gagniuc
2021-07-14 21:11 ` Tom Rini [this message]
2021-07-14 22:05 ` [PATCH v3 00/19] tools: Use a single config for Host OpenSSL (plus dependent patches) Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 01/19] image: Shorten FIT_ENABLE_SHAxxx_SUPPORT Alexandru Gagniuc
2021-07-17 17:47 ` Tom Rini
2021-07-14 22:05 ` [PATCH v3 02/19] image: Rename SPL_SHAxxx_SUPPORT to SPL_FIT_SHAxxx Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 03/19] image: Rename CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 04/19] Kconfig: Rename SPL_CRC32_SUPPORT to SPL_CRC32 Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 05/19] Kconfig: Rename SPL_MD5_SUPPORT to SPL_MD5 Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 06/19] image: Drop IMAGE_ENABLE_SHA1 Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 07/19] image: Drop IMAGE_ENABLE_SHAxxx Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 08/19] image: Drop IMAGE_ENABLE_BEST_MATCH Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 09/19] common: Move host-only logic in image-sig.c to separate file Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 10/19] common: image-sig.c: Remove host-specific logic and #ifdefs Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 11/19] image: Add support for placing crypto_algo in linker lists Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 12/19] image: rsa: Move verification algorithm to a linker list Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 13/19] image: image-sig.c: Remove crypto_algos array Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 14/19] lib: ecdsa: Remove #ifdefs from ecdsa.h Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 15/19] lib: rsa: Remove #ifdefs from rsa.h Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 16/19] image: Eliminate IMAGE_ENABLE_VERIFY macro Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 17/19] image: Eliminate IMAGE_ENABLE_VERIFY_ECDSA macro Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 18/19] image: Add support for relocating crypto_algos in linker lists Alexandru Gagniuc
2021-07-14 22:05 ` [PATCH v3 19/19] tools: Use a single target-independent config to enable OpenSSL Alexandru Gagniuc
2021-07-27 9:59 ` Heiko Thiery
2021-07-27 14:34 ` Alex G.
2021-07-27 19:51 ` Heiko Thiery
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210714211138.GA25256@bill-the-cat \
--to=trini@konsulko.com \
--cc=mr.nuke.me@gmail.com \
--cc=sjg@chromium.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.