[PATCH v2 16/50] image: Add Kconfig options for FIT in the host build

AKASHI Takahiro takahiro.akashi at linaro.org
Tue May 18 03:23:18 CEST 2021


On Mon, May 17, 2021 at 05:29:44PM -0500, Alex G. wrote:
> On 5/12/21 12:14 PM, Tom Rini wrote:
> > On Wed, May 12, 2021 at 11:19:52AM -0500, Alex G. wrote:
> > > 
> > > 
> > > On 5/12/21 10:52 AM, Simon Glass wrote:
> 
> [snip]
> 
> > > > We have a NO_SDL build-time control. Perhaps have a NO_SSL one as well?
> > > 
> > > It could be a config option instead of an environment variable. I think it
> > > can be independent of target options, since we don't sign images in the
> > > buildsystem anyway -- we can enable FIT verification, but mkimage without
> > > openssl.
> > 
> > As people point out from time to time, "NO_SDL" is very non-obvious and
> > doesn't fit with how the rest of U-Boot is configured.  So I would
> > rather not see NO_SSL added.
> 
> FYI, I have a proof-of-concept for the NO_SSL idea using Kconfig [1] instead
> of environment variables. It's not yet ready for publication.
> 
> [1] https://github.com/mrnuke/u-boot/commit/c054c546a8de54e41d3802fe60ad9389095e673b


FYI,
I have posted a patch[1] for a similar *signing* tool using OpenSSL.
Basically, I'd like to follow the way agreed here about how OpenSSL
should be handled in host tools.
So please keep in mind that there can be another use case of this kind
of host Kconfig option.

[1] https://lists.denx.de/pipermail/u-boot/2021-May/449572.html

-Takahiro Akashi

> 
> > Frankly, given everything else that's
> > needed to build today, I don't think just enabling the support for
> > verified boot in mkimage by default and making it a bit odd to turn off
> > is a problem.  But given:
> > https://lists.denx.de/pipermail/u-boot/2017-December/313742.html
> > I would really like to see the switch to gnutls or some other clearly
> > compatibly licensed library first.
> 
> Might be interesting to switch to gnutls, even if only because it doesn't
> burn your eyes looking at function names and variable types. I wouldn't mind
> looking into this, but I just don't have the bandwidth nowadays.
> 
> Alex

