[PATCH v2 16/50] image: Add Kconfig options for FIT in the host build

Alex G mr.nuke.me at gmail.com
Wed May 19 17:49:57 CEST 2021 


On 5/17/21 8:23 PM, AKASHI Takahiro wrote:
> On Mon, May 17, 2021 at 05:29:44PM -0500, Alex G. wrote:
>> On 5/12/21 12:14 PM, Tom Rini wrote:
>>> On Wed, May 12, 2021 at 11:19:52AM -0500, Alex G. wrote:
>>>>
>>>>
>>>> On 5/12/21 10:52 AM, Simon Glass wrote:
>>
>> [snip]
>>
>>>>> We have a NO_SDL build-time control. Perhaps have a NO_SSL one as well?
>>>>
>>>> It could be a config option instead of an environment variable. I think it
>>>> can be independent of target options, since we don't sign images in the
>>>> buildsystem anyway -- we can enable FIT verification, but mkimage without
>>>> openssl.
>>>
>>> As people point out from time to time, "NO_SDL" is very non-obvious and
>>> doesn't fit with how the rest of U-Boot is configured.  So I would
>>> rather not see NO_SSL added.
>>
>> FYI, I have a proof-of-concept for the NO_SSL idea using Kconfig [1] instead
>> of environment variahles. It's not yet ready for publication.
>>
>> [1] https://github.com/mrnuke/u-boot/commit/c054c546a8de54e41d3802fe60ad9389095e673b
> 
> 
> FYI,
> I have posted a patch[1] for a similar *signing* tool using OpenSSL.
> Basically, I'd like to follow the way agreed here about how OpenSSL
> be handled in host tools.
> So please keep in mind that there can be another use case of this kind
> of host Kconfig option.
> 
> [1] https://lists.denx.de/pipermail/u-boot/2021-May/449572.html

I can't ask you to change your patch based on my ideas, as I my changes 
have not yet been submitted for review. However, should you want to 
anticipate, make sure that there's one and only one variable that 
determines if OpenSSL is linked.

I also suspect Tom would be quite thrilled if your patch started using 
gnutls instead of openssl. I'm not sure how sane things would look 
having both gnutls and openssl dependencies; however, I suspect it might 
be acceptable as long as it's temporary.

These decisions haven't been made yet. I don't want to send you on a 
wild goose refactoring chase, only to have the rug pulled from under you 
later. I think it's okay to continue with your patch as submitted. I'll 
update my patch accordingly when yours gets merged first -- looks easy 
enough.

Alex

More information about the U-Boot mailing list