[PATCH v2 16/50] image: Add Kconfig options for FIT in the host build

Alex G. mr.nuke.me at gmail.com
Tue May 18 00:29:44 CEST 2021


On 5/12/21 12:14 PM, Tom Rini wrote:
> On Wed, May 12, 2021 at 11:19:52AM -0500, Alex G. wrote:
>>
>>
>> On 5/12/21 10:52 AM, Simon Glass wrote:

[snip]

>>> We have a NO_SDL build-time control. Perhaps have a NO_SSL one as well?
>>
>> It could be a config option instead of an environment variable. I think it
>> can be independent of target options, since we don't sign images in the
>> buildsystem anyway -- we can enable FIT verification, but mkimage without
>> openssl.
> 
> As people point out from time to time, "NO_SDL" is very non-obvious and
> doesn't fit with how the rest of U-Boot is configured.  So I would
> rather not see NO_SSL added. 

FYI, I have a proof-of-concept for the NO_SSL idea using Kconfig [1] 
instead of environment variahles. It's not yet ready for publication.

[1] 
https://github.com/mrnuke/u-boot/commit/c054c546a8de54e41d3802fe60ad9389095e673b


> Frankly, given everything else that's
> needed to build today, I don't think just enabling the support for
> verified boot in mkimage by default and making it a bit odd to turn off
> is a problem.  But given:
> https://lists.denx.de/pipermail/u-boot/2017-December/313742.html
> I would really like to see the switch to gnutls or some other clearly
> compatibly licensed library first.

Might be interesting to switch to gnutls, even if only because it 
doesn't burn your eyes looking at function names and variable types. I 
wouldn't mind looking into this, but I just don't have the bandwidth 
nowadays.

Alex


More information about the U-Boot mailing list