[PATCH v4 1/4] tools: Separate image types which depend on OpenSSL
samuel at sholland.org
Wed Oct 20 16:14:11 CEST 2021
On 10/20/21 8:47 AM, Pali Rohár wrote:
> On Wednesday 20 October 2021 14:29:02 Andre Przywara wrote:
>> On Wed, 20 Oct 2021 09:29:25 +0200
>> Pali Rohár <pali at kernel.org> wrote:
>>> On Tuesday 19 October 2021 21:44:51 Samuel Holland wrote:
>>>> Some image types (kwbimage and mxsimage) always depend on OpenSSL, so
>>>> they can only be included in mkimage when TOOLS_LIBCRYPTO is selected.
>>>> Use Makefile logic to conditionally link the files.
>>>> Signed-off-by: Samuel Holland <samuel at sholland.org>
>>> As explained in previous email , kwbimage is required for building
>>> Kirkwood, Dove, A370, AXP, A375, A38x, A39x and MSYS platforms.
>>> Therefore it cannot be disabled or hidden behind some user config
>>> options for these platforms (and it does not matter if it is crypto
>>> option or any other option).
>> So somehow we need to find a solution between your view and Alex' view of
>> First: Pali, do you see any actual problem at the moment? TOOLS_LIBCRYPTO
>> defaults to y, so if I am not mistaken that means that a user would need
>> to deliberately turn that off to trigger build errors?
>> And also: the situation with this patch is not worse as before, isn't it?
> I do not think so. Without this patch, kwbimage is always going
> compiled, which means it is compiled also for mvebu platforms which
> needs it.
> With this patch it is possible via _valid_ config options to disable
> compilation of kwbimage which would lead to totally bogus and
> unintuitive behavior and errors. Without this patch compilation fails on
> exact and clear error = cryto header files (or libs) were not found and
> user / developer / package maintainer would know what is needed (= mean
> to install missing dependency).
Andre is correct. No version of this patch makes *any* change to *any*
in-tree defconfig build, because TOOLS_LIBCRYPTO=y in all defconfigs.
>> So if it's just the missing improvement that you are concerned about, I am
>> not sure that should block this patch?
> V3 patch was improvement - it enforced required dependencies and I guess
> it showed some build system error message when dependences were not met.
> This is improvement from situation without patch when it failed on
> compiling kwbimage which probably showed error message about missing
> header files (or libs, depends on which stage it failed). It was not the
> best choice as in some cases it enforced crypto dependencies also in
> cases when they were not really required -- but it should have solve the
> problem that dependences are there for platforms which require them.
No, you would have seen the exact same error message with v3 as you get
today without any patch. Because all v3 does is enforce that kwbimage.o
gets compiled on certain platforms (whereas today, it is compiled on
> v4 patch is not improvement, it is step backward - it started allowing
> to compile mkimage without required functionality, even on platforms
> which needs them, and effectively hides issue which is there.
Even if I was to accept your assertion that it hides a possible error on
platforms using kwbimage:
1) It does not *create* any errors for those platforms, and
2) It *fixes* possible errors for almost all other platforms.
>> I mean you could always propose
>> your own version of that missing piece, to improve the situation for the
>> boards you care about? And we should have this discussion there?
> I think I have written details and some proposed solution in that email.
Yes, Pali, like I said in response to your comments on v2, you should
really be the one sending the patch here. I know next to nothing about
your platforms, and even giving me a list of SoC families does not tell
me where in the Kconfig you want the change to go. I am not interested
in continuing to play a guessing game (which so far I have been losing).
The TOOLS_LIBCRYPTO option has been around for several months now, so
there is no need to wait for my series to send your patch.
In fact, it was your change which broke the mkimage build with
TOOLS_LIBCRYPTO=n in the first place, so it is all the more
disappointing that, instead of fixing it, you are now trying to block
other people from fixing it.
> What is needed is to ensure that kwbimage is always compiled for
> platforms which require it (list of platform are in email 1 in previous
> email). This can be done as hard dependency like it is currently without
> this patch (ugly, does not show nice error message and enforce everybody
> to have crypto dependency, even platforms which do not need it). Other
> solution could be to define some select symbol which says that kwbimage
> is required and then kwbimage would be unconditionally compiled when
> this symbol is selected. And to make error message nice in build system,
> this symbol could depends on crypto symbol to ensure that all
> dependencies are met when trying to compile something which needs it.
> Another option could be to implement required crypto functions directly
> in u-boot source tree to remove external dependency. I do not know which
> solution is the best or how hard they are to implement, and neither what
> can be accepted by other u-boot developers / maintainers. I see an issue
> here that fixing this problem need to touch more parts of u-boot source
> code and build system which, which means that u-boot maintainers need to
> say what they are willing to accept and what not.
I don't see how "other bugs exist" is a reasonable justification for
NAKing this patch.
>> As it stands right now, this patch just improves things (just not
>> *everything*), and it is a prerequisite for the rest of the series
>> (unrelated to your problems), so I would like to go ahead on this one.
> Well, maybe this patch improves some things about non-mvebu platforms,
> but makes mvebu platform code / build system worse. And due to this fact
> I cannot say that I want this change...
Previously, if I didn't have OpenSSL installed (or was not allowed to
link it for legal reasons):
1) mkimage could not build,
2) U-Boot for mvebu would not build.
With this patch v4, if I don't have OpenSSL installed (or am not allowed
to link it for legal reasons):
1) mkimage could build, with reduced functionality,
2) U-Boot for mvebu would not build.
That doesn't sound worse to me.
>>> kwbimage must be unconditionally enabled on
>>> these platforms like it was before this change, as it is crucial part of
>>>  - https://lore.kernel.org/u-boot/20211015114735.rig3e4cuc7mn6a7e@pali/
>>>> Changes in v4:
>>>> - Do not select TOOLS_LIBCRYPTO anywhere
>>>> Changes in v3:
>>>> - Selected TOOLS_LIBCRYPTO on all platforms that use kwbimage (as best
>>>> as I can tell, using the suggestions from Pali Rohár)
>>>> Changes in v2:
>>>> - Refactored the first patch on top of TOOLS_LIBCRYPTO
>>>> scripts/config_whitelist.txt | 1 -
>>>> tools/Makefile | 19 +++++--------------
>>>> tools/mxsimage.c | 3 ---
>>>> 3 files changed, 5 insertions(+), 18 deletions(-)
>>>> diff --git a/scripts/config_whitelist.txt b/scripts/config_whitelist.txt
>>>> index cd94b5777a..affae6875d 100644
>>>> --- a/scripts/config_whitelist.txt
>>>> +++ b/scripts/config_whitelist.txt
>>>> @@ -828,7 +828,6 @@ CONFIG_MXC_UART_BASE
>>>> diff --git a/tools/Makefile b/tools/Makefile
>>>> index 999fd46531..a9b3d982d8 100644
>>>> --- a/tools/Makefile
>>>> +++ b/tools/Makefile
>>>> @@ -94,9 +94,11 @@ ECDSA_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/ecdsa/, ecdsa-libcrypto.
>>>> AES_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/aes/, \
>>>> aes-encrypt.o aes-decrypt.o)
>>>> -# Cryptographic helpers that depend on openssl/libcrypto
>>>> -LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/, \
>>>> - fdt-libcrypto.o)
>>>> +# Cryptographic helpers and image types that depend on openssl/libcrypto
>>>> +LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := \
>>>> + lib/fdt-libcrypto.o \
>>>> + kwbimage.o \
>>>> + mxsimage.o
>>>> ROCKCHIP_OBS = lib/rc4.o rkcommon.o rkimage.o rksd.o rkspi.o
>>>> @@ -118,10 +120,8 @@ dumpimage-mkimage-objs := aisimage.o \
>>>> imximage.o \
>>>> imx8image.o \
>>>> imx8mimage.o \
>>>> - kwbimage.o \
>>>> lib/md5.o \
>>>> lpc32xximage.o \
>>>> - mxsimage.o \
>>>> omapimage.o \
>>>> os_support.o \
>>>> pblimage.o \
>>>> @@ -156,22 +156,13 @@ fit_info-objs := $(dumpimage-mkimage-objs) fit_info.o
>>>> fit_check_sign-objs := $(dumpimage-mkimage-objs) fit_check_sign.o
>>>> file2include-objs := file2include.o
>>>> -ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),)
>>>> -# Add CONFIG_MXS into host CFLAGS, so we can check whether or not register
>>>> -# the mxsimage support within tools/mxsimage.c .
>>>> -HOSTCFLAGS_mxsimage.o += -DCONFIG_MXS
>>>> ifdef CONFIG_TOOLS_LIBCRYPTO
>>>> # This affects include/image.h, but including the board config file
>>>> # is tricky, so manually define this options here.
>>>> HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE
>>>> HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE_MAX_SIZE=0xffffffff
>>>> HOST_EXTRACFLAGS += -DCONFIG_FIT_CIPHER
>>>> -# MXSImage needs LibSSL
>>>> -ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_TOOLS_LIBCRYPTO),)
>>>> HOSTCFLAGS_kwbimage.o += \
>>>> $(shell pkg-config --cflags libssl libcrypto 2> /dev/null || echo "")
>>>> HOSTLDLIBS_mkimage += \
>>>> diff --git a/tools/mxsimage.c b/tools/mxsimage.c
>>>> index 002f4b525a..2bfbb421eb 100644
>>>> --- a/tools/mxsimage.c
>>>> +++ b/tools/mxsimage.c
>>>> @@ -5,8 +5,6 @@
>>>> * Copyright (C) 2012-2013 Marek Vasut <marex at denx.de>
>>>> -#ifdef CONFIG_MXS
>>>> #include <errno.h>
>>>> #include <fcntl.h>
>>>> #include <stdio.h>
>>>> @@ -2363,4 +2361,3 @@ U_BOOT_IMAGE_TYPE(
More information about the U-Boot