Hi Tom,

On Thu, Jun 27, 2013 at 5:50 AM, Tom Rini <tr...@ti.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 06/27/2013 02:44 AM, Simon Glass wrote:
> > Hi Masahiro,
> >
> > On Wed, Jun 26, 2013 at 9:08 PM, Masahiro Yamada
> > <yamad...@jp.panasonic.com> wrote:
> >
> > Hello, Simon.
> >
> > When compiling the master branch, I got an error while a
> > tools/mkimage build.
> >
> > u-boot/lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No
> > such file or directory
> >
> > I think this error is caused by commit 19c402a.
> >
> > I searched and installed the necessary package and I could resolve
> > this error.
> >
> > $ apt-file search openssl/rsa.h
> > libssl-dev: /usr/include/openssl/rsa.h
> > $ sudo apt-get install libssl-dev
> >
> > Let me ask a question.
> >
> > Going forward do we always need the openssl development package
> > for creating mkimage tool? Or is it possible to disable RSA feature
> > by some CONFIG option?
> >
> > This is to support verified boot using FIT. Yes it would be
> > possible to make it an option. I had it that way for a while, but
> > then I worried that it would create two versions of mkimage, one
> > of which is incapable of signing images. That means that mkimage
> > would need to be built for a board with verified boot enabled in
> > order to get full functionality.
> >
> > Perhaps another way would be to check for the header and (if not
> > present), silently build without signing support?
>
> Hurk, dang it.. Yes, I think we need to build and go with an error
> message on attempted use. Skimming the code, we can't rely on
> CONFIG_FIT_SIGNATURE being inherited from the config, on the host
> side, yes?
>

Yes I can make this check CONFIG_FIT_SIGNATURE - as mentioned I had it that way originally but worried about creating different versions of mkimage.

There is actually code there for this which we can use:

    #ifdef CONFIG_FIT_SIGNATURE
            fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-r]\n"
                    " -k => set directory containing private keys\n"
                    " -K => write public keys to this .dtb file\n"
                    " -c => add comment in signature node\n"
                    " -F => re-sign existing FIT image\n"
                    " -r => mark keys used as 'required' in dtb\n");
    #else
            fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
    #endif

Let me know if this is the preferred option and I will prepare a patch.

Regards,
Simon
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
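
The "build anyway, but fail with an error message on attempted use" behaviour discussed in this thread, as an added example that is not part of the original messages or of U-Boot's source. The names `parse_sign_opts`, `struct sign_opts` and `HAVE_FIT_SIGNATURE` are hypothetical; only the `-k`, `-K` and `-r` options and `CONFIG_FIT_SIGNATURE` come from the thread.

```c
/* Added illustration with hypothetical names; not U-Boot source code. */
#include <stdio.h>
#include <string.h>

#ifdef CONFIG_FIT_SIGNATURE
#define HAVE_FIT_SIGNATURE 1
#else
#define HAVE_FIT_SIGNATURE 0
#endif

struct sign_opts {
	const char *keydir;	/* -k: directory containing private keys */
	const char *keydest;	/* -K: .dtb file that receives public keys */
	int require_keys;	/* -r: mark keys used as 'required' */
};

/* Returns 0 on success, -1 if a signing option is used without signing
 * support or lacks its argument. Other options are skipped, not parsed. */
int parse_sign_opts(int argc, char **argv, int have_sig, struct sign_opts *o)
{
	int i;

	memset(o, 0, sizeof(*o));
	for (i = 1; i < argc; i++) {
		const char *a = argv[i];
		if (a[0] != '-' || !a[1] || a[2] || !strchr("kKr", a[1]))
			continue;
		if (!have_sig) {	/* fail loudly instead of emitting an unsigned image */
			fprintf(stderr, "%s: signing not supported "
				"(CONFIG_FIT_SIGNATURE undefined)\n", a);
			return -1;
		}
		if (a[1] != 'r' && i + 1 >= argc)
			return -1;	/* -k and -K need an argument */
		if (a[1] == 'k')
			o->keydir = argv[++i];
		else if (a[1] == 'K')
			o->keydest = argv[++i];
		else
			o->require_keys = 1;
	}
	return 0;
}

int main(int argc, char **argv)
{
	struct sign_opts o;
	return parse_sign_opts(argc, argv, HAVE_FIT_SIGNATURE, &o) ? 1 : 0;
}
```

Passing the build-time setting in as a parameter lets both configurations be exercised from one binary; a build without signing support still handles unsigned images but rejects any request to sign.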