[PATCH] tools: Use a single target-independent config to enable OpenSSL

Simon Glass sjg at chromium.org
Tue Jun 22 15:31:23 CEST 2021


On Mon, 24 May 2021 at 14:23, Alexandru Gagniuc <mr.nuke.me at gmail.com> wrote:
>
> Host tool features, such as mkimage's ability to sign FIT images, were
> enabled or disabled based on the target configuration. However, this
> misses the point of a target-agnostic host tool.
>
> A target's ability to verify FIT signatures is independent of
> mkimage's ability to create those signatures. In fact, u-boot's build
> system doesn't sign images. The target code can be successfully built
> without relying on any ability to sign such code.
>
> Conversely, mkimage's ability to sign images does not require that
> those images will only work on targets which support FIT verification.
> Linking mkimage cryptographic features to target support for FIT
> verification is misguided.
>
> Without loss of generality, we can say that host features are and
> should be independent of target features.
>
> While we prefer that a host tool always supports the same feature set,
> we recognize the following:
>   - some users prefer to build u-boot without a dependency on OpenSSL.
>   - some distros prefer to ship mkimage without linking to OpenSSL.
>
> To allow these use cases, introduce a host-only Kconfig which is used
> to select or deselect libcrypto support. Some mkimage features or some
> host tools might not be available, but this shouldn't affect the
> u-boot build.
>
> I also considered setting the default of this config based on
> FIT_SIGNATURE. While it would preserve the old behaviour, it's also
> contrary to the goals of this change. I decided to enable it by
> default, so that the default build yields the most feature-complete
> mkimage.
>
> Signed-off-by: Alexandru Gagniuc <mr.nuke.me at gmail.com>
> ---
>
> This patch is designed to apply on top of
>     [PATCH v2 00/18] image: Reduce #ifdef abuse in image code
>
>
>
>  tools/Kconfig  | 11 +++++++++++
>  tools/Makefile | 46 ++++++++++++++++++++++++++++++----------------
>  2 files changed, 41 insertions(+), 16 deletions(-)

Reviewed-by: Simon Glass <sjg at chromium.org>

See below

>
> diff --git a/tools/Kconfig b/tools/Kconfig
> index b2f5012240..214932ae30 100644
> --- a/tools/Kconfig
> +++ b/tools/Kconfig
> @@ -9,4 +9,15 @@ config MKIMAGE_DTC_PATH
>           some cases the system dtc may not support all required features
>           and the path to a different version should be given here.
>
> +config TOOLS_USE_LIBCRYPTO

Would HOST_LIBCRYPTO be better?

> +       bool "Use OpenSSL's libcrypto library for host tools"
> +       default y
> +       help
> +         Cryptographic signature, verification, and encryption of images is
> +         provided by host tools using OpenSSL's libcrypto. Select 'n' here if
> +         you wish to build host tools without OpenSSL. mkimage will not have
> +         the ability to sign images.
> +         This selection does not affect target features, such as runtime FIT
> +         signature verification.
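
Review bot: The help text for TOOLS_USE_LIBCRYPTO understates what is lost when 'n' is selected. Its first sentence says signature, verification, and encryption of images are all provided through libcrypto, but the consequence it names is only "mkimage will not have the ability to sign images", and the commit message adds that some host tools might not be available at all. Since the option defaults to y and a distro or user may turn it off deliberately, the help should list every capability that disappears (signing, host-side verification, encryption, and any host tools that are no longer built), so that someone packaging mkimage without OpenSSL knows the resulting binary cannot produce signed or encrypted FIT images.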

Regards,
Simon

