From: Samuel Holland
To: Andre Przywara, Tom Rini
Cc: Jagan Teki, Hans de Goede, u-boot@lists.denx.de, Simon Glass, Jernej Škrabec
Subject: Re: [PATCH 0/4] sunxi: TOC0 image type support
Date: Sat, 21 Aug 2021 21:19:56 -0500
In-Reply-To: <20210622005626.65f27491@slackpad.fritz.box>
References: <20210621025555.19390-1-samuel@sholland.org> <20210621164300.231e3a11@slackpad.fritz.box> <20210621203537.GN9516@bill-the-cat> <20210622005626.65f27491@slackpad.fritz.box>

Hi Andre,

On 6/21/21 6:56 PM, Andre Przywara wrote:
> On Mon, 21 Jun 2021 16:35:37 -0400
> Tom Rini wrote:
>> On Mon, Jun 21, 2021 at 04:43:00PM +0100, Andre Przywara wrote:
>>> On Sun, 20 Jun 2021 21:55:51 -0500
>>> Samuel Holland wrote:
>>>
>>> (CC:ing Tom and Simon for the compatibility problem below)
>>>
>>> Hi,
>>>
>>>> This series adds support for the TOC0 image format used by the Allwinner
>>>> secure boot ROM (SBROM). This series has been tested on the following
>>>> SoCs/boards, with the eFuse burnt to enable secure mode:
>>>> - A64: Pine A64 Plus
>>>> - H5: Orange Pi Zero Plus
>>>> - H6: Pine H64 Model B
>>>> - H616: Orange Pi Zero 2
>>>
>>> many thanks for sending this. In general this looks good (will do a
>>> more thorough review soon), just one thing that bothered me:
>>>
>>> This requires OpenSSL 1.1.x. There is nothing really wrong about this,
>>> but my (admittedly not the freshest) Slackware, but also long term
>>> distros like RHEL/CentOS (<=7), still come with 1.0.x (headers) only.
>>>
>>> I was wondering how important this is? I have the impression that
>>> embedded developers sometimes use old^Wstable systems, so some people
>>> might be bitten by it. I think in this case it will affect all users
>>> trying to build mkimage, regardless of the target platform?
>>>
>>> So I wanted to know what to do here?
>>> - Can we provide some kind of compatibility support? OpenSSL seems
>>>   to provide something:
>>>   https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes#Compatibility_Layer
>>>   Haven't tested that fully yet, just downloading that tarball
>>>   does not seem to cut it (or is missing files?). I guess one needs to
>>>   copy&paste some code from the Wiki?
>>> - Shall we detect missing v1.1.x support (via #if OPENSSL_VERSION_NUMBER
>>>   < 0x10100000L) and disable just sunxi_toc0 support in this case?
>>
>> There's two things. First, the series should be on top of (sorry!)
>> https://patchwork.ozlabs.org/project/uboot/patch/20210524202317.1492578-1-mr.nuke.me@gmail.com/
>> which adds a similar Kconfig option to make building tools easier.
>
> So this is on top of Simon's large series? Poor Samuel! Is there a
> branch somewhere?

Now that all of these have landed, I'm rebasing this series.

>> Second, while I think not supporting openssl 1.0.x is fine,
>
> Well, this was not what I was hoping for ;-)
> I followed the advice on the OpenSSL wiki and now have a rather small
> compatibility header file, which lets me compile mkimage even against
> OpenSSL v1.0.2u. It seems like kwbimage.c has similar provisions in
> place, I guess this could be merged into the external header?
> Happy to send a patch on top, if this seems useful.

Considering the note from the OpenSSL website:

> Note: The latest stable version is the 1.1.1 series. This is also
> our Long Term Support (LTS) version, supported until 11th September
> 2023. All older versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8)
> are now out of support and should not be used. Users of these older
> versions are encouraged to upgrade to 1.1.1 as soon as possible.

and the fact that I don't have access to a system with an old OpenSSL,
I'm not too interested in spending much effort on it. I will, though,
happily test a patch if you do send one.

>> I would like
>> to again ask for someone to spend the time looking at switching to one
>> of the GPL-compatible libraries as I'm pretty sure it's been raised a
>> few times that we can't link with openssl like we do.
>
> Why is that? Because Apache is not compatible with GPLv2? The OpenSSL
> webpage says that:
> "Can I use OpenSSL with GPL software?
> On many systems including the major Linux and BSD distributions, yes
> (the GPL does not place restrictions on using libraries that are part
> of the normal operating system distribution)."
> And for mkimage we just build a regular userspace tool, which is linked
> against the system installed OpenSSL library. From my understanding
> this is what this quote above means with being permitted?
>
> And what would be the alternatives? Take one of the smaller ones and
> embed them into the code?
> Otherwise we would probably need to pick something that is widely
> available and shipped with distros, I guess? Like GnuTLS,
> libgcrypt, nettle? Maybe LibreSSL?
>
> Samuel, do you have an insight what would be a good fit?

My original code was written against nettle. I switched to OpenSSL
because that was already integrated into U-Boot (oops!), and to use the
ASN.1 generation library (which the code no longer uses). So nettle
would work well here because all we need is SHA256 and plain RSA. I
don't know about the other image types.

Regards,
Samuel
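The thread's closing point is that signing a TOC0 image needs only SHA256 and plain RSA, which is why a small library such as nettle would do. The following is an added illustration of how little that primitive set actually is; it is not code from U-Boot, from the TOC0 series, or from any of the libraries discussed. It assumes (the page does not say) that the signature is RSASSA-PKCS1-v1_5 over a SHA-256 DigestInfo, and the key, the seed and the payload bytes are all constructed for the demo. It is written in dependency-free Python rather than C precisely so it runs without any of the OpenSSL versions the thread argues about; the point is the shape of the check, not the language.

```python
"""Plain RSA (PKCS#1 v1.5) signing and verification over SHA-256.

Added example, not U-Boot/TOC0 code. The exact TOC0 encoding is an
assumption here; the key size, seed and payload are constructed.
"""
import hashlib
import random

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin primality test, sufficient for a demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def generate_key(bits=1024, seed=None):
    """Return (n, e, d). The seed only makes the demo reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p == q or phi % e == 0:
            continue
        return p * q, e, pow(e, -1, phi)


def emsa_pkcs1_v15(message, em_len):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(message))."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for a SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(message, n, d):
    """Plain RSA: the encoded block raised to d modulo n."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify(message, signature, n, e):
    """Recover the block with e, then compare the WHOLE encoding.

    Re-encoding and comparing every byte (length, padding, DigestInfo,
    digest) is what rules out the lenient-padding verifier bugs; never
    just search the recovered block for the hash.
    """
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15(message, k)


if __name__ == "__main__":
    n, e, d = generate_key(seed=2021)               # constructed demo key
    image = b"constructed TOC0-like payload, not a real image"
    sig = sign(image, n, d)
    print("valid:", verify(image, sig, n, e))
    print("tampered:", verify(image + b"\x00", sig, n, e))
```

The only cryptographic calls are `hashlib.sha256` and `pow(x, k, n)`; everything else is byte formatting. That is the dependency surface a nettle-based mkimage would need, and it is also why the verifier side deserves the strict full-block comparison shown above rather than a looser parse.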