From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 029A1C4338F for ; Tue, 27 Jul 2021 09:59:41 +0000 (UTC) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 1984F61390 for ; Tue, 27 Jul 2021 09:59:39 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 1984F61390 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.denx.de Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id D597F8343F; Tue, 27 Jul 2021 11:59:36 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="TdenXKiu"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 1FC3183446; Tue, 27 Jul 2021 11:59:34 +0200 (CEST) Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id A8C2782BD7 for ; Tue, 27 Jul 2021 11:59:29 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=heiko.thiery@gmail.com Received: by mail-io1-xd31.google.com with SMTP id h1so15231138iol.9 for ; Tue, 27 Jul 2021 02:59:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=b9M+k4i1IchxPZHq7QI8T5+QKHr9tngeICs7GeT4X2g=; b=TdenXKiu7fGzNEdtG7z0QlZvvvHLC7rnHdQ5+JMgEhcDKh9Rtpsd5f/hbHvBS1TZ+J cP2bw9+Ke6OCHVcFOgTVkDyJLOPtovE4jnKF7MaPS14VFrdTV5elV5SAoakfYV72nzFD YQGADuQbORve0PUOcQz3pgMHjpTZWvf1hV5U7ZLfKTj/EM8EXWD4IY4TqlxiEE9dYaLs SU5eKPgEVWVLYOeS1+iqkxhXrabEdEPVMNfFLfL5D3IRuZrHMVJOIYKWxH/YIwZDmT0d RkanUcTB6AL48Dwv1irpzLWr8/cC+w8kMktQLWf21PbvdoHq2YMCmFKC/R6+w6g3vD9o FF7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=b9M+k4i1IchxPZHq7QI8T5+QKHr9tngeICs7GeT4X2g=; b=JM+YfD6xqMU5wRw4P7SdRMlmwNOEByMTWTsp12a99/SZMi0M7ZCMc05HKkm0AP+jkk G3/+gNQXCQY/P7l3UM6URH1dnXoRd7R6Yuth0vXsWU4EDZ88SEGnWgEqzqAWgFst22w0 kUI2TSeydfeSHIsMpm7Ny0aOLLZ+yRZ70jR1Thyf10yHydQAkX3clD2dRG5bB9w2oaDt h4uCFHvOisxXHro3mcDv7565jeK7rmisoWmLCPrORl2kL9poz2BSUX8yIt/yHNpB/lG6 jva0q+jMVC3eTospa+hOcibN/yi+KMX1mGDNRL0UJvl1hxNa0xAKaR+Ljb6go+XGUiuf WH1w== X-Gm-Message-State: AOAM533ZxeL5jD0ZrzwYOO4RKT9jkWIewYdSauZOiDylcFh3TVtpKNKH pB1UA7YoUhTiW4jwt0OkxUFZfqKUxpEkf7Xe61c= X-Google-Smtp-Source: ABdhPJyI61b5/IZ9nfFgZfpyrwFB0e1i1AmBAiPlM8FT/dGnQEy5DcsaH6kUoHP6u9foVHG8rhNmZ6FP8pjULEdO5mA= X-Received: by 2002:a05:6638:144f:: with SMTP id l15mr20904550jad.67.1627379968478; Tue, 27 Jul 2021 02:59:28 -0700 (PDT) MIME-Version: 1.0 References: <20210714211138.GA25256@bill-the-cat> <20210714220547.170371-20-mr.nuke.me@gmail.com> In-Reply-To: <20210714220547.170371-20-mr.nuke.me@gmail.com> From: Heiko Thiery Date: Tue, 27 Jul 2021 11:59:17 +0200 Message-ID: Subject: Re: [PATCH v3 19/19] tools: Use a single target-independent config to enable OpenSSL To: Alexandru Gagniuc Cc: u-boot@lists.denx.de, trini@konsulko.com Content-Type: text/plain; charset="UTF-8" X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Hi all, Am Do., 15. Juli 2021 um 00:09 Uhr schrieb Alexandru Gagniuc : > > Host tool features, such as mkimage's ability to sign FIT images were > enabled or disabled based on the target configuration. However, this > misses the point of a target-agnostic host tool. > > A target's ability to verify FIT signatures is independent of > mkimage's ability to create those signatures. In fact, u-boot's build > system doesn't sign images. The target code can be successfully built > without relying on any ability to sign such code. > > Conversely, mkimage's ability to sign images does not require that > those images will only work on targets which support FIT verification. > Linking mkimage cryptographic features to target support for FIT > verification is misguided. > > Without loss of generality, we can say that host features are and > should be independent of target features. > > While we prefer that a host tool always supports the same feature set, > we recognize the following > - some users prefer to build u-boot without a dependency on OpenSSL. > - some distros prefer to ship mkimage without linking to OpenSSL > > To allow these use cases, introduce a host-only Kconfig which is used > to select or deselect libcrypto support. Some mkimage features or some > host tools might not be available, but this shouldn't affect the > u-boot build. > > I also considered setting the default of this config based on > FIT_SIGNATURE. While it would preserve the old behaviour it's also > contrary to the goals of this change. I decided to enable it by > default, so that the default build yields the most feature-complete > mkimage. > > Signed-off-by: Alexandru Gagniuc Since this patch was applied to master the build target "flash.bin" for e.g. the imx8mq_evk_defconfig fails. --- 8< --- MKIMAGE u-boot.itb u-boot.its:7.11-15.5: Warning (unit_address_vs_reg): /images/uboot@1: node has a unit name, but no reg property u-boot.its:16.9-21.5: Warning (unit_address_vs_reg): /images/fdt@1: node has a unit name, but no reg property u-boot.its:22.9-31.5: Warning (unit_address_vs_reg): /images/atf@1: node has a unit name, but no reg property u-boot.its:36.12-41.5: Warning (unit_address_vs_reg): /configurations/config@1: node has a unit name, but no reg property ./tools/mkimage: verify_header failed for FIT Image support with exit code 1 make: *** [Makefile:1440: u-boot.itb] Error 1 make: *** Deleting file 'u-boot.itb' make: *** Waiting for unfinished jobs.... --- 8< --- Does I miss here something? -- Heiko > --- > tools/Kconfig | 11 +++++++++++ > tools/Makefile | 48 +++++++++++++++++++++++++++++++----------------- > 2 files changed, 42 insertions(+), 17 deletions(-) > > diff --git a/tools/Kconfig b/tools/Kconfig > index b2f5012240..d6f82cd949 100644 > --- a/tools/Kconfig > +++ b/tools/Kconfig > @@ -9,4 +9,15 @@ config MKIMAGE_DTC_PATH > some cases the system dtc may not support all required features > and the path to a different version should be given here. > > +config TOOLS_LIBCRYPTO > + bool "Use OpenSSL's libcrypto library for host tools" > + default y > + help > + Cryptographic signature, verification, and encryption of images is > + provided by host tools using OpenSSL's libcrypto. Select 'n' here if > + you wish to build host tools without OpenSSL. mkimage will not have > + the ability to sign images. > + This selection does not affect target features, such as runtime FIT > + signature verification. > + > endmenu > diff --git a/tools/Makefile b/tools/Makefile > index 722355e984..bae3f95c49 100644 > --- a/tools/Makefile > +++ b/tools/Makefile > @@ -3,6 +3,25 @@ > # (C) Copyright 2000-2006 > # Wolfgang Denk, DENX Software Engineering, wd@denx.de. > > +# A note on target vs host configuration: > +# > +# Host tools can be used across multiple targets, or different configurations > +# of the same target. Thus, host tools must be able to handle any combination > +# of target configurations. To prevent having different variations of the same > +# tool, the tool build options may not depend on target configuration. > +# > +# Some linux distributions package these utilities as u-boot-tools, and it > +# would be unmaintainable to have a different tool variation for each > +# arch or configuration. > +# > +# A couple of simple rules: > +# > +# 1) Do not use target CONFIG_* options to enable or disable features in host > +# tools. Only use the configs from tools/Kconfig > +# 2) It's okay to use target configs to disable building specific tools. > +# That's as long as the features of those tools aren't modified. > +# > + > # Enable all the config-independent tools > ifneq ($(HOST_TOOLS_ALL),) > CONFIG_ARCH_KIRKWOOD = y > @@ -53,30 +72,30 @@ hostprogs-y += mkenvimage > mkenvimage-objs := mkenvimage.o os_support.o lib/crc32.o > > hostprogs-y += dumpimage mkimage > -hostprogs-$(CONFIG_FIT_SIGNATURE) += fit_info fit_check_sign > +hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fit_info fit_check_sign > > hostprogs-$(CONFIG_CMD_BOOTEFI_SELFTEST) += file2include > > -FIT_OBJS-$(CONFIG_FIT) := fit_common.o fit_image.o image-host.o common/image-fit.o > -FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := image-sig-host.o common/image-fit-sig.o > -FIT_CIPHER_OBJS-$(CONFIG_FIT_CIPHER) := common/image-cipher.o > +FIT_OBJS-y := fit_common.o fit_image.o image-host.o common/image-fit.o > +FIT_SIG_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := image-sig-host.o common/image-fit-sig.o > +FIT_CIPHER_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := common/image-cipher.o > > # The following files are synced with upstream DTC. > # Use synced versions from scripts/dtc/libfdt/. > LIBFDT_OBJS := $(addprefix libfdt/, fdt.o fdt_ro.o fdt_wip.o fdt_sw.o fdt_rw.o \ > fdt_strerror.o fdt_empty_tree.o fdt_addresses.o fdt_overlay.o) > > -RSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/rsa/, \ > +RSA_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/rsa/, \ > rsa-sign.o rsa-verify.o \ > rsa-mod-exp.o) > > -ECDSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/ecdsa/, ecdsa-libcrypto.o) > +ECDSA_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/ecdsa/, ecdsa-libcrypto.o) > > -AES_OBJS-$(CONFIG_FIT_CIPHER) := $(addprefix lib/aes/, \ > +AES_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/aes/, \ > aes-encrypt.o aes-decrypt.o) > > # Cryptographic helpers that depend on openssl/libcrypto > -LIBCRYPTO_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/, \ > +LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/, \ > fdt-libcrypto.o) > > ROCKCHIP_OBS = lib/rc4.o rkcommon.o rkimage.o rksd.o rkspi.o > @@ -136,22 +155,17 @@ fit_info-objs := $(dumpimage-mkimage-objs) fit_info.o > fit_check_sign-objs := $(dumpimage-mkimage-objs) fit_check_sign.o > file2include-objs := file2include.o > > -ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_FIT_SIGNATURE),) > +ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),) > # Add CONFIG_MXS into host CFLAGS, so we can check whether or not register > # the mxsimage support within tools/mxsimage.c . > HOSTCFLAGS_mxsimage.o += -DCONFIG_MXS > endif > > -ifdef CONFIG_FIT_SIGNATURE > +ifdef CONFIG_TOOLS_LIBCRYPTO > # This affects include/image.h, but including the board config file > # is tricky, so manually define this options here. > HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE > -HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE_MAX_SIZE=$(CONFIG_FIT_SIGNATURE_MAX_SIZE) > -endif > - > -ifdef CONFIG_FIT_CIPHER > -# This affects include/image.h, but including the board config file > -# is tricky, so manually define this options here. > +HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE_MAX_SIZE=0xffffffff > HOST_EXTRACFLAGS += -DCONFIG_FIT_CIPHER > endif > > @@ -164,7 +178,7 @@ HOSTCFLAGS_kwbimage.o += -DCONFIG_KWB_SECURE > endif > > # MXSImage needs LibSSL > -ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_FIT_SIGNATURE)$(CONFIG_FIT_CIPHER),) > +ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_TOOLS_LIBCRYPTO),) > HOSTCFLAGS_kwbimage.o += \ > $(shell pkg-config --cflags libssl libcrypto 2> /dev/null || echo "") > HOSTLDLIBS_mkimage += \ > -- > 2.31.1 >