[PATCH 0/6] Add preload_check_sign tool
Tom Rini
trini at konsulko.com
Mon Feb 24 21:10:07 CET 2025
On Mon, Feb 24, 2025 at 09:07:28PM +0100, Paul HENRYS wrote:
> Hi Tom,
>
> On 24/02/2025 17:31, Tom Rini wrote:
> > On Fri, Feb 21, 2025 at 11:38:18AM -0600, Tom Rini wrote:
> >
> > > On Wed, 12 Feb 2025 10:31:20 +0100, Paul HENRYS wrote:
> > >
> > > > This series of patches adds a new tool to authenticate files signed
> > > > with a preload header.
> > > > This tool is also used in the tests to actually verify the
> > > > authenticity of the file signed with such a preload header.
> > > >
> > > > Paul HENRYS (6):
> > > > rsa: Add rsa_verify_openssl() to use openssl for host builds
> > > > image: Add an inline declaration of unmap_sysmem()
> > > > boot: Add support of the pre-load signature for host tools
> > > > tools: Add preload_check_sign to authenticate images with a pre-load
> > > > configs: Enable the pre-load signature in tools-only_defconfig
> > > > binman: Authenticate the image when testing the preload signature
> > > >
> > > > [...]
> > > Applied to u-boot/next, thanks!
> > Unfortunately this breaks macOS building:
> > https://dev.azure.com/u-boot/u-boot/_build/results?buildId=10614&view=logs&j=35eccd4a-c7e0-5052-1111-1aa0b6b36326&t=e725091b-e4d8-5b5a-ef22-f51d8214ad12
> >
> > And so I need to revert this from -next, sorry.
> >
> In the pipeline, I see you seem to be building against openssl 1.1:
>
> /usr/local/opt/*openssl@1.1*/include/openssl/x509.h:962:17: note:
> 'EVP_PKEY_get_attr' declared here
> X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc);
>
>
> OpenSSL 1.1 is deprecated and I based the implementation on OpenSSL 3 APIs.
> Should I update the implementation to also support OpenSSL 1.1 APIs?
I don't know enough about what is / isn't safe to assume people will do
for macOS to say for sure. We do this to set up the environment:

    brew install make ossp-uuid

So if we should instead be saying something else to install a newer ssl
via brew (and update the flags in the build line), that's fine too.
--
Tom