[PATCH 1/1] configs: add mkeficapsule to tools-only_defconfig

Tom Rini trini at konsulko.com
Thu Sep 9 14:44:50 CEST 2021 

On Thu, Sep 09, 2021 at 02:31:18PM +0200, Heinrich Schuchardt wrote:
> On 9/9/21 1:46 PM, Tom Rini wrote:
> > On Thu, Sep 09, 2021 at 05:30:36PM +0900, AKASHI Takahiro wrote:
> > > On Thu, Sep 09, 2021 at 09:27:50AM +0200, Heinrich Schuchardt wrote:
> > > > On 9/9/21 8:09 AM, AKASHI Takahiro wrote:
> > > > > On Thu, Sep 09, 2021 at 07:27:10AM +0200, Heinrich Schuchardt wrote:
> > > > > > mkeficapsule is used to create capsules for UEFI firmware update.
> > > > > > To ease inclusion into U-Boot tools packages of Linux distributions we
> > > > > > should add it to the tools-only_defconfig.
> > > > > > 
> > > > > > Provide dummy values for CONFIG_AVB_BUF_ADDR, CONFIG_AVB_BUF_SIZE to
> > > > > > satisfy Kconfig.
> > > > > > 
> > > > > > Suggested-by: Vagrant Cascadian <vagrant at debian.org>
> > > > > > Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
> > > > > > ---
> > > > > >    configs/tools-only_defconfig | 7 ++++++-
> > > > > >    1 file changed, 6 insertions(+), 1 deletion(-)
> > > > > > 
> > > > > > diff --git a/configs/tools-only_defconfig b/configs/tools-only_defconfig
> > > > > > index f54bc1802c..8a20d3fb05 100644
> > > > > > --- a/configs/tools-only_defconfig
> > > > > > +++ b/configs/tools-only_defconfig
> > > > > > @@ -5,6 +5,8 @@ CONFIG_ANDROID_BOOT_IMAGE=y
> > > > > >    CONFIG_FIT=y
> > > > > >    CONFIG_FIT_SIGNATURE=y
> > > > > >    CONFIG_MISC_INIT_F=y
> > > > > > +CONFIG_AVB_BUF_ADDR=0x0
> > > > > > +CONFIG_AVB_BUF_SIZE=0x8192
> > > > > >    # CONFIG_CMD_BOOTD is not set
> > > > > >    # CONFIG_CMD_BOOTM is not set
> > > > > >    # CONFIG_CMD_ELF is not set
> > > > > > @@ -29,4 +31,7 @@ CONFIG_SYSRESET=y
> > > > > >    # CONFIG_VIRTIO_MMIO is not set
> > > > > >    # CONFIG_VIRTIO_PCI is not set
> > > > > >    # CONFIG_VIRTIO_SANDBOX is not set
> > > > > > -# CONFIG_EFI_LOADER is not set
> > > > > > +CONFIG_EFI_CAPSULE_ON_DISK=y
> > > > > > +CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
> > > > > > +CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
> > > > > > +CONFIG_EFI_CAPSULE_AUTHENTICATE=y
> > > > > 
> > > > > I think that we should use the way that I suggested in my patch[1].
> > > > > 
> > > > > -Takahiro Akashi
> > > > > 
> > > > > [1] https://lists.denx.de/pipermail/u-boot/2021-August/459349.html
> > > > 
> > > > Your patch [1] still requires some rework:
> > > > https://patchwork.ozlabs.org/project/uboot/patch/20210831024659.53464-2-takahiro.akashi@linaro.org/
> > > > 
> > > > [1] changes what mkeficapsule looks like and this patch makes it
> > > > available in tools-only_defconfig?
> > > > 
> > > > Aren't these two patches complementary?
> > > 
> > > With my patch applied, the only option we need to compile mkeficapsule is:
> > >     CONFIG_TOOLS_MKEFICAPSULE
> > >     (and optionally CONFIG_TOOLS_LIBCRYPTO)
> > > 
> > > There is no target-config dependency as you have expected.
> > 
> > There's two issues.  First, the general one is that when just building
> > host tools (typically to package up in a distribution of some sort), it
> > shouldn't depend on how "U-Boot" was configured (set aside the default
> > environment problem).  CONFIG_TOOLS_LIBCRYPTO is the exception here as
> 
> Agreed. That is why in response to [1] I asked Takahiro to change the
> patch such that it covers both signed and unsigned capsules. I don't
> want two different versions.
> 
> Currently the tool is not build at all if
> CONFIG_EFI_HAVE_CAPSULE_SUPPORT is not selected. Do I understand you
> right that this dependency should be lifted?

I went and re-read the rules on how we enable host tools.  I think it's
fine to leave that part as-is (and then yes, I've been mistaken in what
I've said above, a few more options are also relevant).

> > it's how we make things reproducible at least, with respect to libcrypto
> > related requirements.  The second is that "tools-only_defconfig" is
> > what's used when configuring U-Boot (as tools care about
> > CONFIG_TOOLS_LIBCRYPTO but also LOCALVERSION).
> > 
> > That said, I would like to know why AVB stuff comes in for building
> > mkeficapsule.  Is there shared code?  If so, are these dummy variables
> > OK and not going to cause a problem?
> 
> AVB_VERIFY is implied by SANDBOX and depends on PARTITION_UUIDS.
> CONFIG_EFI_HAVE_CAPSULE_SUPPORT requires EFI_LOADER.
> EFI_LOADER selects PARTITION_UUIDS.

Ah, OK.  I might have gone with turning off AVB in tools-only_defconfig
instead, but it's not a big deal.  I'm going to take a quick poke at
something now in fact.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210909/f1e5999f/attachment.sig>

More information about the U-Boot mailing list