On 5/12/21 12:14 PM, Tom Rini wrote:
On Wed, May 12, 2021 at 11:19:52AM -0500, Alex G. wrote:


On 5/12/21 10:52 AM, Simon Glass wrote:

[snip]

We have a NO_SDL build-time control. Perhaps have a NO_SSL one as well?

It could be a config option instead of an environment variable. I think it
can be independent of target options, since we don't sign images in the
buildsystem anyway -- we can enable FIT verification, but mkimage without
openssl.

As people point out from time to time, "NO_SDL" is very non-obvious and
doesn't fit with how the rest of U-Boot is configured.  So I would
rather not see NO_SSL added.

FYI, I have a proof-of-concept for the NO_SSL idea using Kconfig [1] instead of environment variables. It's not yet ready for publication.

[1] https://github.com/mrnuke/u-boot/commit/c054c546a8de54e41d3802fe60ad9389095e673b


Frankly, given everything else that's
needed to build today, I don't think just enabling the support for
verified boot in mkimage by default and making it a bit odd to turn off
is a problem.  But given:
https://lists.denx.de/pipermail/u-boot/2017-December/313742.html
I would really like to see the switch to gnutls or some other clearly
compatibly licensed library first.

Might be interesting to switch to gnutls, even if only because it doesn't burn your eyes looking at function names and variable types. I wouldn't mind looking into this, but I just don't have the bandwidth nowadays.

Alex
