On 4/24/21 2:43 AM, Lim, Elly Siew Chin wrote:
Add this discussion to denx mailing list.
[snip]
I can think of two enhancement to fix this:
(1) Add separate CONFIG to gate ECDSA algorithm. This enhancement benefits all
use cases. I assume not all user need ECDSA algorithm when FIT_SIGNATURE is
used.
(2) Enhance spl/spl_fit.c to support verification of data integrity based on
hash(es) in FIT image instead of based on FIT_SIGNATURE.
What do you think? If you agree:
For (1), can we ask Alex's help to change it?
For (2), who will be the right person to change this kind of common code?
FYI, I proposed a change to decouple OpenSSL from FIT_SIGNATURE [1]
[1]
https://patchwork.ozlabs.org/project/uboot/patch/20210524202317.1492578-1-mr.nuke...@gmail.com/
That would enable you to have FIT_SIGNATURE, but not need OpenSSL
support in mkimage.
Alex