From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alex G.
Date: Mon, 17 May 2021 17:29:44 -0500
Subject: [PATCH v2 16/50] image: Add Kconfig options for FIT in the host build
In-Reply-To: <20210512171420.GZ17669@bill-the-cat>
References: <20210506142438.1310977-1-sjg@chromium.org> <20210506082420.v2.16.I64826ed33219988294468df7b95dfa3fffd7a0a1@changeid> <659c76d0-d9aa-e270-0eb8-25cefdc238e9@gmail.com> <20210511223427.GW17669@bill-the-cat> <066428be-2db4-d143-6029-119bae223aeb@gmail.com> <20210512011006.GY17669@bill-the-cat> <795bd8ce-ec5b-edf1-bc4b-6f6fac838018@gmail.com> <20210512171420.GZ17669@bill-the-cat>
Message-ID:
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On 5/12/21 12:14 PM, Tom Rini wrote:
> On Wed, May 12, 2021 at 11:19:52AM -0500, Alex G. wrote:
>>
>>
>> On 5/12/21 10:52 AM, Simon Glass wrote:

[snip]

>>> We have a NO_SDL build-time control. Perhaps have a NO_SSL one as well?
>>
>> It could be a config option instead of an environment variable. I think it
>> can be independent of target options, since we don't sign images in the
>> buildsystem anyway -- we can enable FIT verification, but mkimage without
>> openssl.
>
> As people point out from time to time, "NO_SDL" is very non-obvious and
> doesn't fit with how the rest of U-Boot is configured. So I would
> rather not see NO_SSL added.

FYI, I have a proof-of-concept for the NO_SSL idea using Kconfig [1]
instead of environment variables. It's not yet ready for publication.

[1] https://github.com/mrnuke/u-boot/commit/c054c546a8de54e41d3802fe60ad9389095e673b

> Frankly, given everything else that's
> needed to build today, I don't think just enabling the support for
> verified boot in mkimage by default and making it a bit odd to turn off
> is a problem. But given:
> https://lists.denx.de/pipermail/u-boot/2017-December/313742.html
> I would really like to see the switch to gnutls or some other clearly
> compatibly licensed library first.

Might be interesting to switch to gnutls, even if only because it
doesn't burn your eyes looking at function names and variable types. I
wouldn't mind looking into this, but I just don't have the bandwidth
nowadays.

Alex