[PATCH v4 1/4] tools: Separate image types which depend on OpenSSL

Andre Przywara andre.przywara at arm.com
Fri Oct 22 19:20:49 CEST 2021


On Fri, 22 Oct 2021 09:47:35 -0700
Vagrant Cascadian <vagrant at debian.org> wrote:

Hi,

> On 2021-10-22, Tom Rini wrote:
> > On Fri, Oct 22, 2021 at 04:56:09PM +0100, Andre Przywara wrote:  
> >> On Fri, 22 Oct 2021 11:09:27 -0400
> >> Tom Rini <trini at konsulko.com> wrote:  
> 
> >> > On Fri, Oct 22, 2021 at 04:59:22PM +0200, Marek Behún wrote:  
> >> > > On Fri, 22 Oct 2021 12:09:19 +0200
> >> > > Heinrich Schuchardt <heinrich.schuchardt at canonical.com> wrote:
> >> > >     
> >> > > > On 10/21/21 15:00, Marek Behún wrote:    
> >> > > > > BTW, wouldn't it be enough to simply imply TOOLS_LIBCRYPTO for mvebu
> >> > > > > platform in Kconfig?
> >> > > > >       
> >> > > > 
> >> > > > We should only use 'imply' for suggested settings and never for hard 
> >> > > > requirements. TOOLS_LIBCRYPTO already defaults to 'Y'. So implying it 
> >> > > > for mvebu would be redundant.
> >> > > > 
> >> > > > In an OS distribution we only want to ship a single version of mkimage. 
> >> > > > So it is good to elimate symbol CONFIG_MXS.
> >> > > > 
> >> > > > How mkimage is built should not depend on CONFIG_TOOLS_LIBCRYPTO.
> >> > > > 
> >> > > > Tom wrote regarding this aspect in 
> >> > > > https://lists.denx.de/pipermail/u-boot/2021-September/460251.html:
> >> > > > 
> >> > > > "if we're building a generically useful tool, we don't want another
> >> > > > symbol for it."    
> >> > > 
> >> > > OK, so mkimage and dumpimage should be always generic and always
> >> > > support all platforms, that makes sense, since the tools can be
> >> > > installed as a distribution package.
> >> > > 
> >> > > But I still think it should be possible to cripple these tools if the
> >> > > developer wants to disable libcrypto due to embedded environment.    
> >> 
> >> Well, I don't think this is the real question here, is it?
> >> I think the tools part is clear: distros want to build just mkimage,
> >> supporting as many platforms as possible, and might need to avoid OpenSSL.
> >> This should be covered by TOOLS_LIBCRYPTO=[yn] and "make
> >> tools-only_defconfg && make tools", and Samuel's patch actually fixes the
> >> build (at least somewhat, I still get link errors).  
> >
> > The problem is, are distros doing a tools-only build, for tools, or are
> > they doing it per board?  Like, hey, ugh, OpenEmbedded uses
> > sandbox_defconfig and cross_tools as the targets.  That's not quite what
> > I was hoping to see.  So I want to know everyone else is doing, rather
> > than we hope they're doing.  
> 
> Thanks for bringing this to my attention!
> 
> In Debian, the u-boot-tools package is built using tools-only, and for
> each of the board-specific targets, it still ends up building the
> relevent tools, but we throw them away and do not ship them in any
> packages.
> 
> With 2021.10, the board-specific builds made it harder to avoid openssl
> with the corresponding tools, and I reluctantly added a dependency on
> openssl... (which is technically permitted in Debian, having declared
> openssl as a system library to avoid the GPL incompatibilities, but
> ... meh.)

But this is purely a *build-time* dependency only, right? The resulting
images do not have any openssl code in them, they were just *created*
(signed) using that code.
I don't think this a legal issue? The problems are about *shipping*
openssl code, which you only do for u-boot-tools - where it now can be
disabled.

> I also have been doing some packaging of u-boot for GNU Guix, where I
> suspect the stance wouldn't be as willing to accept such a compromise...
> 
> So... I would *love* an option to be able to build a board-only config
> without any of the tools;

Why is this a problem (see above)? Who is building board builds? It's
either the maintainer when creating the binary package, or a curious user,
right? And they can surely *use* OpenSSL during build time - if it's
needed by the board.

Cheers,
Andre


> do some boards use board-specific tools as
> part of their build processes?
> 
> 
> live well,
>   vagrant



More information about the U-Boot mailing list