[PATCH v2 16/50] image: Add Kconfig options for FIT in the host build

Alex G. mr.nuke.me at gmail.com
Tue May 11 21:57:03 CEST 2021 

On 5/6/21 9:24 AM, Simon Glass wrote:
> In preparation for enabling CONFIG_IS_ENABLED() on the host build, add
> some options to enable the various FIT options expected in these tools.
> This will ensure that the code builds correctly when CONFIG_HOST_xxx
> is distinct from CONFIG_xxx.
> 
> Signed-off-by: Simon Glass <sjg at chromium.org>

Reviewed-by: Alexandru Gagniuc <mr.nuke.me at gmail.com>

This makes me wonder whether we should just always enable host features. 
Right now, each defconfig can have a different mkimage config. So we 
should really have mkimage-imx8, mkimage-stm32mp, etc, which support 
different feature sets. This doesn't make much sense.

The alternative is to get rid of all these configs and always enable 
mkimage features. The disadvantage is that we'd require openssl for 
building target code.

A second alternative is to have a mkimage-nossl that gets built and used 
when openssl isn't available. It's really just openssl that causes such 
a schism.

Alex

> ---
> 
> (no changes since v1)
> 
>   common/image-fit-sig.c |  3 ++-
>   common/image-fit.c     |  4 ++--
>   tools/Kconfig          | 25 +++++++++++++++++++++++++
>   tools/Makefile         | 18 +++++++++---------
>   4 files changed, 38 insertions(+), 12 deletions(-)
> 
> diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c
> index 55ddf1879ed..12a6745c642 100644
> --- a/common/image-fit-sig.c
> +++ b/common/image-fit-sig.c
> @@ -72,11 +72,12 @@ static int fit_image_setup_verify(struct image_sign_info *info,
>   	char *algo_name;
>   	const char *padding_name;
>   
> +#ifndef USE_HOSTCC
>   	if (fdt_totalsize(fit) > CONFIG_FIT_SIGNATURE_MAX_SIZE) {
>   		*err_msgp = "Total size too large";
>   		return 1;
>   	}
> -
> +#endif
>   	if (fit_image_hash_get_algo(fit, noffset, &algo_name)) {
>   		*err_msgp = "Can't get hash algo property";
>   		return -1;
> diff --git a/common/image-fit.c b/common/image-fit.c
> index e614643fe39..a16e2dd54a5 100644
> --- a/common/image-fit.c
> +++ b/common/image-fit.c
> @@ -165,7 +165,7 @@ int fit_get_subimage_count(const void *fit, int images_noffset)
>   	return count;
>   }
>   
> -#if CONFIG_IS_ENABLED(FIT_PRINT) || CONFIG_IS_ENABLED(SPL_FIT_PRINT)
> +#if CONFIG_IS_ENABLED(FIT_PRINT)
>   /**
>    * fit_image_print_data() - prints out the hash node details
>    * @fit: pointer to the FIT format image header
> @@ -573,7 +573,7 @@ void fit_image_print(const void *fit, int image_noffset, const char *p)
>   #else
>   void fit_print_contents(const void *fit) { }
>   void fit_image_print(const void *fit, int image_noffset, const char *p) { }
> -#endif /* CONFIG_IS_ENABLED(FIR_PRINT) || CONFIG_IS_ENABLED(SPL_FIT_PRINT) */
> +#endif /* CONFIG_IS_ENABLED(FIT_PRINT) */
>   
>   /**
>    * fit_get_desc - get node description property
> diff --git a/tools/Kconfig b/tools/Kconfig
> index b2f5012240c..f00ab661135 100644
> --- a/tools/Kconfig
> +++ b/tools/Kconfig
> @@ -9,4 +9,29 @@ config MKIMAGE_DTC_PATH
>   	  some cases the system dtc may not support all required features
>   	  and the path to a different version should be given here.
>   
> +config HOST_FIT
> +	def_bool y
> +	help
> +	  Enable FIT support in the host build.

Don't we always want to enable this for mkimage?

> +
> +config HOST_FIT_FULL_CHECK
> +	def_bool y
> +	help
> +	  Do a full check of the FIT before using it in the host build

How would this be used? FIT vs FIT_FULL is mostly an SPL distinction. I 
don't think we should have it in host tools.

> +
> +config HOST_FIT_PRINT
> +	def_bool y
> +	help
> +	  Print the content of the FIT verbosely in the host build

This option also doesn't make sense.This seems to do what 'mkimage -l' 
already supports.

> +
> +config HOST_FIT_SIGNATURE
> +	def_bool y
> +	help
> +	  Enable signature verification of FIT uImages in the host build

s/verification/signing and verification/

> +
> +config HOST_FIT_SIGNATURE_MAX_SIZE
> +	hex
> +	depends on HOST_FIT_SIGNATURE
> +	default 0x10000000
> +

The only use of FIT_SIGNATURE_MAX_SIZE is under "#ifndef USE_HOSTCC". So 
this wouldn't make any sense for the host.

>   endmenu
> diff --git a/tools/Makefile b/tools/Makefile
> index 2b4bc547abd..d143198f7c9 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -53,12 +53,12 @@ hostprogs-y += mkenvimage
>   mkenvimage-objs := mkenvimage.o os_support.o lib/crc32.o
>   
>   hostprogs-y += dumpimage mkimage
> -hostprogs-$(CONFIG_FIT_SIGNATURE) += fit_info fit_check_sign
> +hostprogs-$(CONFIG_HOST_FIT_SIGNATURE) += fit_info fit_check_sign
>   
>   hostprogs-$(CONFIG_CMD_BOOTEFI_SELFTEST) += file2include
>   
> -FIT_OBJS-$(CONFIG_FIT) := fit_common.o fit_image.o image-host.o common/image-fit.o
> -FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := common/image-sig.o common/image-fit-sig.o
> +FIT_OBJS-$(CONFIG_HOST_FIT) := fit_common.o fit_image.o image-host.o common/image-fit.o
> +FIT_SIG_OBJS-$(CONFIG_HOST_FIT_SIGNATURE) := common/image-sig.o common/image-fit-sig.o
>   FIT_CIPHER_OBJS-$(CONFIG_FIT_CIPHER) := common/image-cipher.o
>   
>   # The following files are synced with upstream DTC.
> @@ -66,17 +66,17 @@ FIT_CIPHER_OBJS-$(CONFIG_FIT_CIPHER) := common/image-cipher.o
>   LIBFDT_OBJS := $(addprefix libfdt/, fdt.o fdt_ro.o fdt_wip.o fdt_sw.o fdt_rw.o \
>   		fdt_strerror.o fdt_empty_tree.o fdt_addresses.o fdt_overlay.o)
>   
> -RSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/rsa/, \
> +RSA_OBJS-$(CONFIG_HOST_FIT_SIGNATURE) := $(addprefix lib/rsa/, \
>   					rsa-sign.o rsa-verify.o \
>   					rsa-mod-exp.o)
>   
> -ECDSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/ecdsa/, ecdsa-libcrypto.o)
> +ECDSA_OBJS-$(CONFIG_HOST_FIT_SIGNATURE) := $(addprefix lib/ecdsa/, ecdsa-libcrypto.o)
>   
>   AES_OBJS-$(CONFIG_FIT_CIPHER) := $(addprefix lib/aes/, \
>   					aes-encrypt.o aes-decrypt.o)
>   
>   # Cryptographic helpers that depend on openssl/libcrypto
> -LIBCRYPTO_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/, \
> +LIBCRYPTO_OBJS-$(CONFIG_HOST_FIT_SIGNATURE) := $(addprefix lib/, \
>   					fdt-libcrypto.o)
>   
>   ROCKCHIP_OBS = lib/rc4.o rkcommon.o rkimage.o rksd.o rkspi.o
> @@ -137,13 +137,13 @@ fit_info-objs   := $(dumpimage-mkimage-objs) fit_info.o
>   fit_check_sign-objs   := $(dumpimage-mkimage-objs) fit_check_sign.o
>   file2include-objs := file2include.o
>   
> -ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_FIT_SIGNATURE),)
> +ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_HOST_FIT_SIGNATURE),)
>   # Add CONFIG_MXS into host CFLAGS, so we can check whether or not register
>   # the mxsimage support within tools/mxsimage.c .
>   HOSTCFLAGS_mxsimage.o += -DCONFIG_MXS
>   endif
>   
> -ifdef CONFIG_FIT_SIGNATURE
> +ifdef CONFIG_HOST_FIT_SIGNATURE
>   # This affects include/image.h, but including the board config file
>   # is tricky, so manually define this options here.
>   HOST_EXTRACFLAGS	+= -DCONFIG_FIT_SIGNATURE
> @@ -165,7 +165,7 @@ HOSTCFLAGS_kwbimage.o += -DCONFIG_KWB_SECURE
>   endif
>   
>   # MXSImage needs LibSSL
> -ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_FIT_SIGNATURE)$(CONFIG_FIT_CIPHER),)
> +ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_HOST_FIT_SIGNATURE)$(CONFIG_FIT_CIPHER),)
>   HOSTCFLAGS_kwbimage.o += \
>   	$(shell pkg-config --cflags libssl libcrypto 2> /dev/null || echo "")
>   HOSTLDLIBS_mkimage += \
>

More information about the U-Boot mailing list