Hi all, Am Do., 15. Juli 2021 um 00:09 Uhr schrieb Alexandru Gagniuc <mr.nuke...@gmail.com>: > > Host tool features, such as mkimage's ability to sign FIT images were > enabled or disabled based on the target configuration. However, this > misses the point of a target-agnostic host tool. > > A target's ability to verify FIT signatures is independent of > mkimage's ability to create those signatures. In fact, u-boot's build > system doesn't sign images. The target code can be successfully built > without relying on any ability to sign such code. > > Conversely, mkimage's ability to sign images does not require that > those images will only work on targets which support FIT verification. > Linking mkimage cryptographic features to target support for FIT > verification is misguided. > > Without loss of generality, we can say that host features are and > should be independent of target features. > > While we prefer that a host tool always supports the same feature set, > we recognize the following > - some users prefer to build u-boot without a dependency on OpenSSL. > - some distros prefer to ship mkimage without linking to OpenSSL > > To allow these use cases, introduce a host-only Kconfig which is used > to select or deselect libcrypto support. Some mkimage features or some > host tools might not be available, but this shouldn't affect the > u-boot build. > > I also considered setting the default of this config based on > FIT_SIGNATURE. While it would preserve the old behaviour it's also > contrary to the goals of this change. I decided to enable it by > default, so that the default build yields the most feature-complete > mkimage. > > Signed-off-by: Alexandru Gagniuc <mr.nuke...@gmail.com>
Since this patch was applied to master the build target "flash.bin" for e.g. the imx8mq_evk_defconfig fails. --- 8< --- MKIMAGE u-boot.itb u-boot.its:7.11-15.5: Warning (unit_address_vs_reg): /images/uboot@1: node has a unit name, but no reg property u-boot.its:16.9-21.5: Warning (unit_address_vs_reg): /images/fdt@1: node has a unit name, but no reg property u-boot.its:22.9-31.5: Warning (unit_address_vs_reg): /images/atf@1: node has a unit name, but no reg property u-boot.its:36.12-41.5: Warning (unit_address_vs_reg): /configurations/config@1: node has a unit name, but no reg property ./tools/mkimage: verify_header failed for FIT Image support with exit code 1 make: *** [Makefile:1440: u-boot.itb] Error 1 make: *** Deleting file 'u-boot.itb' make: *** Waiting for unfinished jobs.... --- 8< --- Does I miss here something? -- Heiko > --- > tools/Kconfig | 11 +++++++++++ > tools/Makefile | 48 +++++++++++++++++++++++++++++++----------------- > 2 files changed, 42 insertions(+), 17 deletions(-) > > diff --git a/tools/Kconfig b/tools/Kconfig > index b2f5012240..d6f82cd949 100644 > --- a/tools/Kconfig > +++ b/tools/Kconfig > @@ -9,4 +9,15 @@ config MKIMAGE_DTC_PATH > some cases the system dtc may not support all required features > and the path to a different version should be given here. > > +config TOOLS_LIBCRYPTO > + bool "Use OpenSSL's libcrypto library for host tools" > + default y > + help > + Cryptographic signature, verification, and encryption of images is > + provided by host tools using OpenSSL's libcrypto. Select 'n' here if > + you wish to build host tools without OpenSSL. mkimage will not have > + the ability to sign images. > + This selection does not affect target features, such as runtime FIT > + signature verification. > + > endmenu > diff --git a/tools/Makefile b/tools/Makefile > index 722355e984..bae3f95c49 100644 > --- a/tools/Makefile > +++ b/tools/Makefile > @@ -3,6 +3,25 @@ > # (C) Copyright 2000-2006 > # Wolfgang Denk, DENX Software Engineering, w...@denx.de. > > +# A note on target vs host configuration: > +# > +# Host tools can be used across multiple targets, or different configurations > +# of the same target. Thus, host tools must be able to handle any combination > +# of target configurations. To prevent having different variations of the > same > +# tool, the tool build options may not depend on target configuration. > +# > +# Some linux distributions package these utilities as u-boot-tools, and it > +# would be unmaintainable to have a different tool variation for each > +# arch or configuration. > +# > +# A couple of simple rules: > +# > +# 1) Do not use target CONFIG_* options to enable or disable features in host > +# tools. Only use the configs from tools/Kconfig > +# 2) It's okay to use target configs to disable building specific tools. > +# That's as long as the features of those tools aren't modified. > +# > + > # Enable all the config-independent tools > ifneq ($(HOST_TOOLS_ALL),) > CONFIG_ARCH_KIRKWOOD = y > @@ -53,30 +72,30 @@ hostprogs-y += mkenvimage > mkenvimage-objs := mkenvimage.o os_support.o lib/crc32.o > > hostprogs-y += dumpimage mkimage > -hostprogs-$(CONFIG_FIT_SIGNATURE) += fit_info fit_check_sign > +hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fit_info fit_check_sign > > hostprogs-$(CONFIG_CMD_BOOTEFI_SELFTEST) += file2include > > -FIT_OBJS-$(CONFIG_FIT) := fit_common.o fit_image.o image-host.o > common/image-fit.o > -FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := image-sig-host.o > common/image-fit-sig.o > -FIT_CIPHER_OBJS-$(CONFIG_FIT_CIPHER) := common/image-cipher.o > +FIT_OBJS-y := fit_common.o fit_image.o image-host.o common/image-fit.o > +FIT_SIG_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := image-sig-host.o > common/image-fit-sig.o > +FIT_CIPHER_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := common/image-cipher.o > > # The following files are synced with upstream DTC. > # Use synced versions from scripts/dtc/libfdt/. > LIBFDT_OBJS := $(addprefix libfdt/, fdt.o fdt_ro.o fdt_wip.o fdt_sw.o > fdt_rw.o \ > fdt_strerror.o fdt_empty_tree.o fdt_addresses.o fdt_overlay.o) > > -RSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/rsa/, \ > +RSA_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/rsa/, \ > rsa-sign.o rsa-verify.o \ > rsa-mod-exp.o) > > -ECDSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/ecdsa/, > ecdsa-libcrypto.o) > +ECDSA_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/ecdsa/, > ecdsa-libcrypto.o) > > -AES_OBJS-$(CONFIG_FIT_CIPHER) := $(addprefix lib/aes/, \ > +AES_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/aes/, \ > aes-encrypt.o aes-decrypt.o) > > # Cryptographic helpers that depend on openssl/libcrypto > -LIBCRYPTO_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/, \ > +LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/, \ > fdt-libcrypto.o) > > ROCKCHIP_OBS = lib/rc4.o rkcommon.o rkimage.o rksd.o rkspi.o > @@ -136,22 +155,17 @@ fit_info-objs := $(dumpimage-mkimage-objs) fit_info.o > fit_check_sign-objs := $(dumpimage-mkimage-objs) fit_check_sign.o > file2include-objs := file2include.o > > -ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_FIT_SIGNATURE),) > +ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),) > # Add CONFIG_MXS into host CFLAGS, so we can check whether or not register > # the mxsimage support within tools/mxsimage.c . > HOSTCFLAGS_mxsimage.o += -DCONFIG_MXS > endif > > -ifdef CONFIG_FIT_SIGNATURE > +ifdef CONFIG_TOOLS_LIBCRYPTO > # This affects include/image.h, but including the board config file > # is tricky, so manually define this options here. > HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE > -HOST_EXTRACFLAGS += > -DCONFIG_FIT_SIGNATURE_MAX_SIZE=$(CONFIG_FIT_SIGNATURE_MAX_SIZE) > -endif > - > -ifdef CONFIG_FIT_CIPHER > -# This affects include/image.h, but including the board config file > -# is tricky, so manually define this options here. > +HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE_MAX_SIZE=0xffffffff > HOST_EXTRACFLAGS += -DCONFIG_FIT_CIPHER > endif > > @@ -164,7 +178,7 @@ HOSTCFLAGS_kwbimage.o += -DCONFIG_KWB_SECURE > endif > > # MXSImage needs LibSSL > -ifneq > ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_FIT_SIGNATURE)$(CONFIG_FIT_CIPHER),) > +ifneq > ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_TOOLS_LIBCRYPTO),) > HOSTCFLAGS_kwbimage.o += \ > $(shell pkg-config --cflags libssl libcrypto 2> /dev/null || echo "") > HOSTLDLIBS_mkimage += \ > -- > 2.31.1 >