[PATCH] tools: Use a single target-independent config to enable OpenSSL
Simon Glass
sjg at chromium.org
Tue Jun 22 15:31:23 CEST 2021
On Mon, 24 May 2021 at 14:23, Alexandru Gagniuc <mr.nuke.me at gmail.com> wrote:
>
> Host tool features, such as mkimage's ability to sign FIT images were
> enabled or disabled based on the target configuration. However, this
> misses the point of a target-agnostic host tool.
>
> A target's ability to verify FIT signatures is independent of
> mkimage's ability to create those signatures. In fact, u-boot's build
> system doesn't sign images. The target code can be successfully built
> without relying on any ability to sign such code.
>
> Conversely, mkimage's ability to sign images does not require that
> those images will only work on targets which support FIT verification.
> Linking mkimage cryptographic features to target support for FIT
> verification is misguided.
>
> Without loss of generality, we can say that host features are and
> should be independent of target features.
>
> While we prefer that a host tool always supports the same feature set,
> we recognize the following:
> - some users prefer to build u-boot without a dependency on OpenSSL.
> - some distros prefer to ship mkimage without linking to OpenSSL.
>
> To allow these use cases, introduce a host-only Kconfig which is used
> to select or deselect libcrypto support. Some mkimage features or some
> host tools might not be available, but this shouldn't affect the
> u-boot build.
>
> I also considered setting the default of this config based on
> FIT_SIGNATURE. While it would preserve the old behaviour it's also
> contrary to the goals of this change. I decided to enable it by
> default, so that the default build yields the most feature-complete
> mkimage.
>
> Signed-off-by: Alexandru Gagniuc <mr.nuke.me at gmail.com>
> ---
>
> This patch is designed to apply on top of
> [PATCH v2 00/18] image: Reduce #ifdef abuse in image code
>
>
>
> tools/Kconfig | 11 +++++++++++
> tools/Makefile | 46 ++++++++++++++++++++++++++++++----------------
> 2 files changed, 41 insertions(+), 16 deletions(-)
Reviewed-by: Simon Glass <sjg at chromium.org>
See below
>
> diff --git a/tools/Kconfig b/tools/Kconfig
> index b2f5012240..214932ae30 100644
> --- a/tools/Kconfig
> +++ b/tools/Kconfig
> @@ -9,4 +9,15 @@ config MKIMAGE_DTC_PATH
> some cases the system dtc may not support all required features
> and the path to a different version should be given here.
>
> +config TOOLS_USE_LIBCRYPTO
Would HOST_LIBCRYPTO be better?
> + bool "Use OpenSSL's libcrypto library for host tools"
> + default y
> + help
> + Cryptographic signature, verification, and encryption of images is
> + provided by host tools using OpenSSL's libcrypto. Select 'n' here if
> + you wish to build host tools without OpenSSL. mkimage will not have
> + the ability to sign images.
> + This selection does not affect target features, such as runtime FIT
> + signature verification.
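Review bot: The help text of TOOLS_USE_LIBCRYPTO names only signing as the capability lost with 'n' ("mkimage will not have the ability to sign images"), although its first sentence says signature, verification and encryption of images are all provided through libcrypto, and the commit message notes that some host tools might not be available at all. Suggest listing in the help text everything that is dropped, so nobody disables the option expecting only signing to go away. Since the option is deliberately not tied to FIT_SIGNATURE, it would also help to state that a target built with FIT signature verification still needs a host mkimage built with this option to produce signed images for it.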
Regards,
Simon