[U-Boot] [PATCH v3 03/12] image: Add RSA support for image signing

Thu Jun 27 19:04:53 CEST 2013

Hi Tom,

On Thu, Jun 27, 2013 at 8:48 AM, Tom Rini <trini at ti.com> wrote:

> On Thu, Jun 27, 2013 at 08:45:34AM -0700, Simon Glass wrote:
> > Hi Tom,
> >
> > On Thu, Jun 27, 2013 at 5:50 AM, Tom Rini <trini at ti.com> wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On 06/27/2013 02:44 AM, Simon Glass wrote:
> > > > Hi Masahiro,
> > > >
> > > > On Wed, Jun 26, 2013 at 9:08 PM, Masahiro Yamada
> > > > <yamada.m at jp.panasonic.com <mailto:yamada.m at jp.panasonic.com>>
> > > > wrote:
> > > >
> > > > Hello, Simon.
> > > >
> > > >
> > > > When compiling the master branch, I got an error while a
> > > > tools/mkimage build.
> > > >
> > > >
> > > > u-boot/lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No
> > > > such file or directory
> > > >
> > > >
> > > > I think this erorr is caused by commit 19c402a.
> > > >
> > > >
> > > > I searched and installed the necessary package and I could resolve
> > > > this error.
> > > >
> > > > $ apt-file search openssl/rsa.h libssl-dev:
> > > > /usr/include/openssl/rsa.h $ sudo apt-get install libssl-dev
> > > >
> > > >
> > > > Let me ask a question.
> > > >
> > > > Going forward do we always need the openssl development package
> > > > for creating mkimage tool? Or is it possible to disable RSA feature
> > > > by some CONFIG option?
> > > >
> > > >
> > > > This is to support verified boot using FIT. Yes it would be
> > > > possible to make it an option. I had it that way for a while, but
> > > > then I worried that it would create two versions of mkimage, one
> > > > of which is incapable of signing images. That means that mkimage
> > > > would need to be built for a board with verified boot enabled in
> > > > order to get full functionality.
> > > >
> > > > Perhaps another way would be to check for the header and (if not
> > > > present), silently build without signing support?
> > >
> > > Hurk, dang it.. Yes, I think we need to build and go with an error
> > > message on attempted use.  Skimming the code, we can't rely on
> > > CONFIG_FIT_SIGNATURE being inherited from the config, on the host
> > > side, yes?
> > >
> >
> > Yes I can make this check CONFIG_FIT_SIGNATURE - as mentioned I had it
> that
> > way originally but worred about creating different versions of mkimage.
> >
> > There is actually code there for this which we can use:
> >
> > #ifdef CONFIG_FIT_SIGNATURE
> > fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [
> -c
> > <comment>] [-r]\n"
> > "          -k => set directory containing private keys\n"
> > "          -K => write public keys to this .dtb file\n"
> > "          -c => add comment in signature node\n"
> > "          -F => re-sign existing FIT image\n"
> > "          -r => mark keys used as 'required' in dtb\n");
> > #else
> > fprintf(stderr, "Signing / verified boot not supported
> > (CONFIG_FIT_SIGNATURE undefined)\n");
> > #endif
> >
> > Let me know if this is the preferred option and I will prepare a patch.
>
> The Makefile fragments I saw implied we couldn't use this approach on
> the host.  But if we can, lets.
>

That still seems to work OK. Will send a patch.

Regards,
Simon