[PATCH 1/1] configs: add mkeficapsule to tools-only_defconfig

Heinrich Schuchardt xypron.glpk at gmx.de
Thu Sep 9 14:31:18 CEST 2021



On 9/9/21 1:46 PM, Tom Rini wrote:
> On Thu, Sep 09, 2021 at 05:30:36PM +0900, AKASHI Takahiro wrote:
>> On Thu, Sep 09, 2021 at 09:27:50AM +0200, Heinrich Schuchardt wrote:
>>> On 9/9/21 8:09 AM, AKASHI Takahiro wrote:
>>>> On Thu, Sep 09, 2021 at 07:27:10AM +0200, Heinrich Schuchardt wrote:
>>>>> mkeficapsule is used to create capsules for UEFI firmware update.
>>>>> To ease inclusion into U-Boot tools packages of Linux distributions we
>>>>> should add it to the tools-only_defconfig.
>>>>>
>>>>> Provide dummy values for CONFIG_AVB_BUF_ADDR, CONFIG_AVB_BUF_SIZE to
>>>>> satisfy Kconfig.
>>>>>
>>>>> Suggested-by: Vagrant Cascadian <vagrant at debian.org>
>>>>> Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
>>>>> ---
>>>>>    configs/tools-only_defconfig | 7 ++++++-
>>>>>    1 file changed, 6 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/configs/tools-only_defconfig b/configs/tools-only_defconfig
>>>>> index f54bc1802c..8a20d3fb05 100644
>>>>> --- a/configs/tools-only_defconfig
>>>>> +++ b/configs/tools-only_defconfig
>>>>> @@ -5,6 +5,8 @@ CONFIG_ANDROID_BOOT_IMAGE=y
>>>>>    CONFIG_FIT=y
>>>>>    CONFIG_FIT_SIGNATURE=y
>>>>>    CONFIG_MISC_INIT_F=y
>>>>> +CONFIG_AVB_BUF_ADDR=0x0
>>>>> +CONFIG_AVB_BUF_SIZE=0x8192
>>>>>    # CONFIG_CMD_BOOTD is not set
>>>>>    # CONFIG_CMD_BOOTM is not set
>>>>>    # CONFIG_CMD_ELF is not set
>>>>> @@ -29,4 +31,7 @@ CONFIG_SYSRESET=y
>>>>>    # CONFIG_VIRTIO_MMIO is not set
>>>>>    # CONFIG_VIRTIO_PCI is not set
>>>>>    # CONFIG_VIRTIO_SANDBOX is not set
>>>>> -# CONFIG_EFI_LOADER is not set
>>>>> +CONFIG_EFI_CAPSULE_ON_DISK=y
>>>>> +CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
>>>>> +CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
>>>>> +CONFIG_EFI_CAPSULE_AUTHENTICATE=y
>>>>
>>>> I think that we should use the way that I suggested in my patch[1].
>>>>
>>>> -Takahiro Akashi
>>>>
>>>> [1] https://lists.denx.de/pipermail/u-boot/2021-August/459349.html
>>>
>>> Your patch [1] still requires some rework:
>>> https://patchwork.ozlabs.org/project/uboot/patch/20210831024659.53464-2-takahiro.akashi@linaro.org/
>>>
>>> [1] changes what mkeficapsule looks like and this patch makes it
>>> available in tools-only_defconfig?
>>>
>>> Aren't these two patches complementary?
>>
>> With my patch applied, the only option we need to compile mkeficapsule is:
>>     CONFIG_TOOLS_MKEFICAPSULE
>>     (and optionally CONFIG_TOOLS_LIBCRYPTO)
>>
>> There is no target-config dependency as you have expected.
>
> There's two issues.  First, the general one is that when just building
> host tools (typically to package up in a distribution of some sort), it
> shouldn't depend on how "U-Boot" was configured (set aside the default
> environment problem).  CONFIG_TOOLS_LIBCRYPTO is the exception here as

Agreed. That is why in response to [1] I asked Takahiro to change the
patch such that it covers both signed and unsigned capsules. I don't
want two different versions.

Currently the tool is not build at all if
CONFIG_EFI_HAVE_CAPSULE_SUPPORT is not selected. Do I understand you
right that this dependency should be lifted?

> it's how we make things reproducible at least, with respect to libcrypto
> related requirements.  The second is that "tools-only_defconfig" is
> what's used when configuring U-Boot (as tools care about
> CONFIG_TOOLS_LIBCRYPTO but also LOCALVERSION).
>
> That said, I would like to know why AVB stuff comes in for building
> mkeficapsule.  Is there shared code?  If so, are these dummy variables
> OK and not going to cause a problem?
>

AVB_VERIFY is implied by SANDBOX and depends on PARTITION_UUIDS.
CONFIG_EFI_HAVE_CAPSULE_SUPPORT requires EFI_LOADER.
EFI_LOADER selects PARTITION_UUIDS.

Best regards

Heinrich


More information about the U-Boot mailing list