[U-Boot] [PATCH v3 1/5] sunxi: a64: Enable FIT Signature

Andre Przywara andre.przywara at arm.com
Fri Dec 15 14:36:31 UTC 2017


Hi,

On 15/12/17 13:41, Maxime Ripard wrote:
> On Thu, Dec 14, 2017 at 02:03:12PM +0530, Jagan Teki wrote:
>> On Wed, Dec 13, 2017 at 9:09 PM, Maxime Ripard
>> <maxime.ripard at free-electrons.com> wrote:
>>> On Wed, Dec 13, 2017 at 11:33:02AM +0530, Jagan Teki wrote:
>>>> From: Jagan Teki <jagannadh.teki at gmail.com>
>>>>
>>>> Enable FIT_SIGNATURE for sunxi a64.
>>>>
>>>> Signed-off-by: Jagan Teki <jagan at amarulasolutions.com>
>>>> ---
>>>> Changes for v3:
>>>> - Move imply outside block
>>>> Changes for v2:
>>>> - Use imply instead of select
>>>>
>>>>  arch/arm/mach-sunxi/Kconfig | 1 +
>>>>  1 file changed, 1 insertion(+)
>>>>
>>>> diff --git a/arch/arm/mach-sunxi/Kconfig b/arch/arm/mach-sunxi/Kconfig
>>>> index 1fededd..05e2d47 100644
>>>> --- a/arch/arm/mach-sunxi/Kconfig
>>>> +++ b/arch/arm/mach-sunxi/Kconfig
>>>> @@ -179,6 +179,7 @@ config MACH_SUN50I
>>>>       select SUNXI_DRAM_DW_32BIT
>>>>       select FIT
>>>>       select SPL_LOAD_FIT
>>>> +     imply FIT_SIGNATURE
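Review bot: the `imply FIT_SIGNATURE` line under `config MACH_SUN50I` turns the option on by default for every MACH_SUN50I build, but the commit message ("Enable FIT_SIGNATURE for sunxi a64.") gives no reason for the change and no code size figure. Please state in the commit message why this should be an SoC-wide default and what it adds to the binary, or drop the line here and enable the option only in the configs of the boards that actually verify signed FIT images.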
>>>
>>> I'm really not sure we should force it by default. How much code size
>>> is it adding?
>>
>> Why do we need to consider u-boot size? (because it may cross the loader2 size?)
>> Here is the delta of u-boot elf
> 
> The same reason as anything else on our arm64 builds lately: we have
> a u-boot binary too big for the size compared to our environment offset.

I agree, and aside from that I don't see how this is useful:
- We don't *need* this for Allwinner boards.
- It is not usable without some more setup (which that other doc patch
describes).
- As Maxime mentioned, this is not very helpful on its own, due to its
inherent vulnerability without a protected SPL as well.
- No other board seems to set FIT_SIGNATURE.

So you can happily add this to your private config file (overlay), where
you create U-Boot binaries and pipe them to some encryption chain
afterwards. But I don't think it belongs in the mainline Kconfig.

Cheers,
Andre.

