[PATCH v3 0/2] tools: Fix build without host OpenSSL

[PATCH v3 0/2] tools: Fix build without host OpenSSL

[Alexander Dahl]

Hei hei,

both patches of the series got a review and this is my last work day of
the year, so I just incorporated the feedback, collected the tags, and
send this out before returning to office in January.

Link to v2 with whole motivation text:
https://lore.kernel.org/u-boot/20231214121136.3286703-1-ada@thorsis.com/

Have some peaceful days everyone.

Greets
Alex

v2 -> v3:
* Rebased on v2024.01-rc5
* Removed a superflous new newline introduced in v1
* Collected tags

Cc: Marek Vasut <marex@denx.de>
Cc: Paul-Erwan Rio <paulerwan.rio@gmail.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Stefan Roese <sr@denx.de>
Cc: Tom Rini <trini@konsulko.com>
Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
Link: https://lore.kernel.org/u-boot/1884029.XjOfZupGQm@ada/
Link: https://lore.kernel.org/u-boot/20230121154743.667253-1-paulerwan.rio@gmail.com/
Link: https://lore.kernel.org/u-boot/AM6PR04MB61521B84F78571B282FE1D828FD5A@AM6PR04MB6152.eurprd04.prod.outlook.com/


Alexander Dahl (1):
  tools: kwbimage: Allow disabling build on non-mvebu platforms

Paul-Erwan Rio (1):
  tools: fix build without LIBCRYPTO support

 arch/arm/mach-mvebu/Kconfig | 1 +
 include/image.h             | 2 +-
 tools/Kconfig               | 6 ++++++
 tools/Makefile              | 4 +++-
 tools/fit_image.c           | 2 +-
 tools/image-host.c          | 4 ++++
 tools/mkimage.c             | 5 +++--
 7 files changed, 19 insertions(+), 5 deletions(-)


base-commit: 97a897444235921ce19b4f8a3b27de6f5a9ab367
-- 
2.39.2

[PATCH v3 1/2] tools: kwbimage: Allow disabling build on non-mvebu platforms

[Alexander Dahl]

Some users want to build with CONFIG_TOOLS_LIBCRYPTO disabled, which in
general is possible for at least some boards.  32-bit mvebu however
requires kwbimage for building SPL, and kwbimage has a hard dependency
to host OpenSSL.

The new symbol CONFIG_TOOLS_KWBIMAGE allows disabling kwbimage build on
non-mvebu platforms, and thus building without host libcrypto from
OpenSSL.

Based on previous work and discussions, see links below.

Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
Link: https://lore.kernel.org/u-boot/20230121154743.667253-2-paulerwan.rio@gmail.com/
Cc: Marek Vasut <marex@denx.de>
Cc: Paul-Erwan Rio <paulerwan.rio@gmail.com>
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
---

Notes:
    This is more or less a mashup of the patches of Pali and Marek, but
    considering the feedback given by Samuel on Pali's patch and considering
    what I thought was the preferred style in other parts of the Makefile.
    
    Link: https://lore.kernel.org/u-boot/f4660467-9d25-dc46-9e60-b2f7f09236c2@sholland.org/
    
    v1 -> v2:
    * removed a useless new newline added in v1
    * collected tags

 arch/arm/mach-mvebu/Kconfig | 1 +
 tools/Kconfig               | 5 +++++
 tools/Makefile              | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/arm/mach-mvebu/Kconfig b/arch/arm/mach-mvebu/Kconfig
index c80d8587b14..2058c95ca2d 100644
--- a/arch/arm/mach-mvebu/Kconfig
+++ b/arch/arm/mach-mvebu/Kconfig
@@ -15,6 +15,7 @@ config ARMADA_32BIT
 	select SUPPORT_SPL
 	select SYS_L2_PL310 if !SYS_L2CACHE_OFF
 	select TRANSLATION_OFFSET
+	select TOOLS_KWBIMAGE if SPL
 	select SPL_SYS_NO_VECTOR_TABLE if SPL
 	select ARCH_VERY_EARLY_INIT
 
diff --git a/tools/Kconfig b/tools/Kconfig
index 6e23f44d550..f8632cd59d0 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -25,6 +25,11 @@ config TOOLS_LIBCRYPTO
 	  This selection does not affect target features, such as runtime FIT
 	  signature verification.
 
+config TOOLS_KWBIMAGE
+	bool "Enable kwbimage support in host tools"
+	default y
+	select TOOLS_LIBCRYPTO
+
 config TOOLS_FIT
 	def_bool y
 	help
diff --git a/tools/Makefile b/tools/Makefile
index 1aa1e36137b..6a4280e3668 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -94,6 +94,8 @@ LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := \
 			generated/lib/fdt-libcrypto.o \
 			sunxi_toc0.o
 
+KWB_IMAGE_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := kwbimage.o
+
 ROCKCHIP_OBS = generated/lib/rc4.o rkcommon.o rkimage.o rksd.o rkspi.o
 
 # common objs for dumpimage and mkimage
@@ -114,7 +116,7 @@ dumpimage-mkimage-objs := aisimage.o \
 			imximage.o \
 			imx8image.o \
 			imx8mimage.o \
-			kwbimage.o \
+			$(KWB_IMAGE_OBJS-y) \
 			generated/lib/md5.o \
 			lpc32xximage.o \
 			mxsimage.o \
-- 
2.39.2

[PATCH v3 2/2] tools: fix build without LIBCRYPTO support

[Alexander Dahl]

From: Paul-Erwan Rio <paulerwan.rio@gmail.com>

Commit cb9faa6f98ae ("tools: Use a single target-independent config to
enable OpenSSL") introduced a target-independent configuration to build
crypto features in host tools.

But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in
host tools and SPL") the build without OpenSSL is broken, due to FIT
signature/encryption features. Add missing conditional compilation
tokens to fix this.

Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
Tested-by: Alexander Dahl <ada@thorsis.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
---

Notes:
    Added another guard around the header includes and slightly reworded the
    commit message.  Otherwise it's the same patch as before, so I kept the
    author as is and only added my Tested-by:
    I removed the Reviewed-by: from Simon from this patch, because of the
    changes mentioned and because the patch was based on an U-Boot three or
    four releases ago.
    
    v1 -> v2:
    * collected tags

 include/image.h    | 2 +-
 tools/Kconfig      | 1 +
 tools/fit_image.c  | 2 +-
 tools/image-host.c | 4 ++++
 tools/mkimage.c    | 5 +++--
 5 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/include/image.h b/include/image.h
index 2e3cf839ee3..48b8a8995a4 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1391,7 +1391,7 @@ int calculate_hash(const void *data, int data_len, const char *algo,
  * device
  */
 #if defined(USE_HOSTCC)
-# if defined(CONFIG_FIT_SIGNATURE)
+# if CONFIG_IS_ENABLED(FIT_SIGNATURE)
 #  define IMAGE_ENABLE_SIGN	1
 #  define FIT_IMAGE_ENABLE_VERIFY	1
 #  include <openssl/evp.h>
diff --git a/tools/Kconfig b/tools/Kconfig
index f8632cd59d0..f01ed783e6f 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -51,6 +51,7 @@ config TOOLS_FIT_RSASSA_PSS
 	  Support the rsassa-pss signature scheme in the tools builds
 
 config TOOLS_FIT_SIGNATURE
+	depends on TOOLS_LIBCRYPTO
 	def_bool y
 	help
 	  Enable signature verification of FIT uImages in the tools builds
diff --git a/tools/fit_image.c b/tools/fit_image.c
index 71e031c8550..beef1fa86e2 100644
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -61,7 +61,7 @@ static int fit_add_file_data(struct image_tool_params *params, size_t size_inc,
 		ret = fit_set_timestamp(ptr, 0, time);
 	}
 
-	if (!ret)
+	if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && !ret)
 		ret = fit_pre_load_data(params->keydir, dest_blob, ptr);
 
 	if (!ret) {
diff --git a/tools/image-host.c b/tools/image-host.c
index ca4950312f9..90bc9f905f3 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -14,8 +14,10 @@
 #include <image.h>
 #include <version.h>
 
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
 #include <openssl/pem.h>
 #include <openssl/evp.h>
+#endif
 
 /**
  * fit_set_hash_value - set hash value in requested has node
@@ -1131,6 +1133,7 @@ static int fit_config_add_verification_data(const char *keydir,
 	return 0;
 }
 
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
 /*
  * 0) open file (open)
  * 1) read certificate (PEM_read_X509)
@@ -1239,6 +1242,7 @@ int fit_pre_load_data(const char *keydir, void *keydest, void *fit)
  out:
 	return ret;
 }
+#endif
 
 int fit_cipher_data(const char *keydir, void *keydest, void *fit,
 		    const char *comment, int require_keys,
diff --git a/tools/mkimage.c b/tools/mkimage.c
index 6dfe3e1d42d..ac62ebbde9b 100644
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -115,7 +115,7 @@ static void usage(const char *msg)
 		"          -B => align size in hex for FIT structure and header\n"
 		"          -b => append the device tree binary to the FIT\n"
 		"          -t => update the timestamp in the FIT\n");
-#ifdef CONFIG_FIT_SIGNATURE
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
 	fprintf(stderr,
 		"Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n"
 		"          -k => set directory containing private keys\n"
@@ -130,8 +130,9 @@ static void usage(const char *msg)
 		"          -o => algorithm to use for signing\n");
 #else
 	fprintf(stderr,
-		"Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
+		"Signing / verified boot not supported (CONFIG_TOOLS_FIT_SIGNATURE undefined)\n");
 #endif
+
 	fprintf(stderr, "       %s -V ==> print version information and exit\n",
 		params.cmdname);
 	fprintf(stderr, "Use '-T list' to see a list of available image types\n");
-- 
2.39.2

Re: [PATCH v3 0/2] tools: Fix build without host OpenSSL

[Alexander Dahl]

Hello,

Am Thu, Dec 21, 2023 at 08:26:09AM +0100 schrieb Alexander Dahl:
> Hei hei,
> 
> both patches of the series got a review and this is my last work day of
> the year, so I just incorporated the feedback, collected the tags, and
> send this out before returning to office in January.
> 
> Link to v2 with whole motivation text:
> https://lore.kernel.org/u-boot/20231214121136.3286703-1-ada@thorsis.com/
> 
> Have some peaceful days everyone.
> 
> Greets
> Alex
> 
> v2 -> v3:
> * Rebased on v2024.01-rc5
> * Removed a superflous new newline introduced in v1

This change was in v2 of course.  I made the same mistake in the
changelogs of the patches, where it should have been v2 -> v3 instead.
Sorry for the confusion.

Greets
Alex

> * Collected tags
> 
> Cc: Marek Vasut <marex@denx.de>
> Cc: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> Cc: Simon Glass <sjg@chromium.org>
> Cc: Stefan Roese <sr@denx.de>
> Cc: Tom Rini <trini@konsulko.com>
> Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
> Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
> Link: https://lore.kernel.org/u-boot/1884029.XjOfZupGQm@ada/
> Link: https://lore.kernel.org/u-boot/20230121154743.667253-1-paulerwan.rio@gmail.com/
> Link: https://lore.kernel.org/u-boot/AM6PR04MB61521B84F78571B282FE1D828FD5A@AM6PR04MB6152.eurprd04.prod.outlook.com/
> 
> 
> Alexander Dahl (1):
>   tools: kwbimage: Allow disabling build on non-mvebu platforms
> 
> Paul-Erwan Rio (1):
>   tools: fix build without LIBCRYPTO support
> 
>  arch/arm/mach-mvebu/Kconfig | 1 +
>  include/image.h             | 2 +-
>  tools/Kconfig               | 6 ++++++
>  tools/Makefile              | 4 +++-
>  tools/fit_image.c           | 2 +-
>  tools/image-host.c          | 4 ++++
>  tools/mkimage.c             | 5 +++--
>  7 files changed, 19 insertions(+), 5 deletions(-)
> 
> 
> base-commit: 97a897444235921ce19b4f8a3b27de6f5a9ab367
> -- 
> 2.39.2
> 

Re: [PATCH v3 2/2] tools: fix build without LIBCRYPTO support

[Simon Glass]

On Thu, Dec 21, 2023 at 7:26 AM Alexander Dahl <ada@thorsis.com> wrote:
>
> From: Paul-Erwan Rio <paulerwan.rio@gmail.com>
>
> Commit cb9faa6f98ae ("tools: Use a single target-independent config to
> enable OpenSSL") introduced a target-independent configuration to build
> crypto features in host tools.
>
> But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in
> host tools and SPL") the build without OpenSSL is broken, due to FIT
> signature/encryption features. Add missing conditional compilation
> tokens to fix this.
>
> Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> Tested-by: Alexander Dahl <ada@thorsis.com>
> Cc: Simon Glass <sjg@chromium.org>
> Reviewed-by: Tom Rini <trini@konsulko.com>
> ---
>
> Notes:
>     Added another guard around the header includes and slightly reworded the
>     commit message.  Otherwise it's the same patch as before, so I kept the
>     author as is and only added my Tested-by:
>     I removed the Reviewed-by: from Simon from this patch, because of the
>     changes mentioned and because the patch was based on an U-Boot three or
>     four releases ago.
>
>     v1 -> v2:
>     * collected tags
>
>  include/image.h    | 2 +-
>  tools/Kconfig      | 1 +
>  tools/fit_image.c  | 2 +-
>  tools/image-host.c | 4 ++++
>  tools/mkimage.c    | 5 +++--
>  5 files changed, 10 insertions(+), 4 deletions(-)
>

Reviewed-by: Simon Glass <sjg@chromium.org>

Re: [PATCH v3 1/2] tools: kwbimage: Allow disabling build on non-mvebu platforms

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 1015 bytes --]

On Thu, Dec 21, 2023 at 08:26:10AM +0100, Alexander Dahl wrote:

> Some users want to build with CONFIG_TOOLS_LIBCRYPTO disabled, which in
> general is possible for at least some boards.  32-bit mvebu however
> requires kwbimage for building SPL, and kwbimage has a hard dependency
> to host OpenSSL.
> 
> The new symbol CONFIG_TOOLS_KWBIMAGE allows disabling kwbimage build on
> non-mvebu platforms, and thus building without host libcrypto from
> OpenSSL.
> 
> Based on previous work and discussions, see links below.
> 
> Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
> Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
> Link: https://lore.kernel.org/u-boot/20230121154743.667253-2-paulerwan.rio@gmail.com/
> Cc: Marek Vasut <marex@denx.de>
> Cc: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/master, thanks!

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

Re: [PATCH v3 2/2] tools: fix build without LIBCRYPTO support

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 837 bytes --]

On Thu, Dec 21, 2023 at 08:26:11AM +0100, Alexander Dahl wrote:

> From: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> 
> Commit cb9faa6f98ae ("tools: Use a single target-independent config to
> enable OpenSSL") introduced a target-independent configuration to build
> crypto features in host tools.
> 
> But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in
> host tools and SPL") the build without OpenSSL is broken, due to FIT
> signature/encryption features. Add missing conditional compilation
> tokens to fix this.
> 
> Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> Tested-by: Alexander Dahl <ada@thorsis.com>
> Cc: Simon Glass <sjg@chromium.org>
> Reviewed-by: Tom Rini <trini@konsulko.com>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/master, thanks!

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]