[PATCH 0/6] Add preload_check_sign tool

Tom Rini trini at konsulko.com
Mon Feb 24 21:10:07 CET 2025


On Mon, Feb 24, 2025 at 09:07:28PM +0100, Paul HENRYS wrote:
> Hi Tom,
> 
> On 24/02/2025 17:31, Tom Rini wrote:
> > On Fri, Feb 21, 2025 at 11:38:18AM -0600, Tom Rini wrote:
> > 
> > > On Wed, 12 Feb 2025 10:31:20 +0100, Paul HENRYS wrote:
> > > 
> > > > This series of patches adds a new tool to authenticate files signed
> > > > with a preload header.
> > > > This tool is also used in the tests to actually verify the
> > > > authenticity of the file signed with such a preload header.
> > > > 
> > > > Paul HENRYS (6):
> > > >    rsa: Add rsa_verify_openssl() to use openssl for host builds
> > > >    image: Add an inline declaration of unmap_sysmem()
> > > >    boot: Add support of the pre-load signature for host tools
> > > >    tools: Add preload_check_sign to authenticate images with a pre-load
> > > >    configs: Enable the pre-load signature in tools-only_defconfig
> > > >    binman: Authenticate the image when testing the preload signature
> > > > 
> > > > [...]
> > > Applied to u-boot/next, thanks!
> > Unfortunately this breaks macOS building:
> > https://dev.azure.com/u-boot/u-boot/_build/results?buildId=10614&view=logs&j=35eccd4a-c7e0-5052-1111-1aa0b6b36326&t=e725091b-e4d8-5b5a-ef22-f51d8214ad12
> > 
> > And so I need to revert this from -next, sorry.
> > 
> In the pipeline, I see you seem to be building against openssl 1.1:
> 
> /usr/local/opt/*openssl@1.1*/include/openssl/x509.h:962:17: note:
> 'EVP_PKEY_get_attr' declared here
> X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc);
> 
> 
> OpenSSL 1.1 is deprecated and I based the implementation on OpenSSL 3 APIs.
> Should I update the implementation to also support OpenSSL 1.1 APIs?

I don't know enough about what is / isn't safe to assume people will do
for macOS to say for sure. We do this to set up the environment:
brew install make ossp-uuid

So if we should instead be saying something else to install a newer ssl
via brew (and update the flags in the build line), that's fine too.

-- 
Tom