On Thu, Jun 27, 2013 at 08:45:34AM -0700, Simon Glass wrote:
> Hi Tom,
>
> On Thu, Jun 27, 2013 at 5:50 AM, Tom Rini <tr...@ti.com> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 06/27/2013 02:44 AM, Simon Glass wrote:
> > > Hi Masahiro,
> > >
> > > On Wed, Jun 26, 2013 at 9:08 PM, Masahiro Yamada
> > > <yamad...@jp.panasonic.com <mailto:yamad...@jp.panasonic.com>>
> > > wrote:
> > >
> > > Hello, Simon.
> > >
> > > When compiling the master branch, I got an error during a
> > > tools/mkimage build.
> > >
> > > u-boot/lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No
> > > such file or directory
> > >
> > > I think this error is caused by commit 19c402a.
> > >
> > > I searched and installed the necessary package and I could resolve
> > > this error.
> > >
> > > $ apt-file search openssl/rsa.h
> > > libssl-dev: /usr/include/openssl/rsa.h
> > > $ sudo apt-get install libssl-dev
> > >
> > > Let me ask a question.
> > >
> > > Going forward do we always need the openssl development package
> > > for creating the mkimage tool? Or is it possible to disable the RSA
> > > feature by some CONFIG option?
> > >
> > >
> > > This is to support verified boot using FIT. Yes it would be
> > > possible to make it an option. I had it that way for a while, but
> > > then I worried that it would create two versions of mkimage, one
> > > of which is incapable of signing images. That means that mkimage
> > > would need to be built for a board with verified boot enabled in
> > > order to get full functionality.
> > >
> > > Perhaps another way would be to check for the header and (if not
> > > present), silently build without signing support?
> >
> > Hurk, dang it.. Yes, I think we need to build and go with an error
> > message on attempted use. Skimming the code, we can't rely on
> > CONFIG_FIT_SIGNATURE being inherited from the config, on the host
> > side, yes?
> >
>
> Yes I can make this check CONFIG_FIT_SIGNATURE - as mentioned I had it that
> way originally but worried about creating different versions of mkimage.
>
> There is actually code there for this which we can use:
>
> #ifdef CONFIG_FIT_SIGNATURE
>     fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-r]\n"
>             " -k => set directory containing private keys\n"
>             " -K => write public keys to this .dtb file\n"
>             " -c => add comment in signature node\n"
>             " -F => re-sign existing FIT image\n"
>             " -r => mark keys used as 'required' in dtb\n");
> #else
>     fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
> #endif
>
> Let me know if this is the preferred option and I will prepare a patch.

The Makefile fragments I saw implied we couldn't use this approach on
the host. But if we can, let's.

--
Tom
_______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
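
The "error message on attempted use" behaviour discussed in this thread, as an added example that is not U-Boot's code and not part of the original messages: a host tool built without signing support refuses the signing options instead of quietly emitting an unsigned image. The names parse_sign_opts, struct sign_opts and SIGNING_SUPPORTED are hypothetical, and only the -k, -K and -r options from the quoted usage text are handled.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the build system defines CONFIG_FIT_SIGNATURE for host tools. */
#ifdef CONFIG_FIT_SIGNATURE
#define SIGNING_SUPPORTED 1
#else
#define SIGNING_SUPPORTED 0
#endif

/* Hypothetical option record; mkimage's real structures differ. */
struct sign_opts {
	const char *keydir;	/* -k: directory containing private keys */
	const char *keydest;	/* -K: .dtb file that receives public keys */
	int require_keys;	/* -r: mark keys used as 'required' */
};

/*
 * Collect the signing options from argv. Returns 0 on success, -1 when
 * an option lacks its argument or when signing was requested in a build
 * that cannot sign.
 */
int parse_sign_opts(int argc, char **argv, struct sign_opts *o)
{
	int i, wanted = 0;

	memset(o, 0, sizeof(*o));
	for (i = 1; i < argc; i++) {
		if (!strcmp(argv[i], "-r")) {
			o->require_keys = 1;
		} else if (!strcmp(argv[i], "-k") || !strcmp(argv[i], "-K")) {
			if (i + 1 >= argc) {
				fprintf(stderr, "%s needs an argument\n", argv[i]);
				return -1;
			}
			if (argv[i][1] == 'k')
				o->keydir = argv[++i];
			else
				o->keydest = argv[++i];
		} else {
			continue;	/* not a signing option */
		}
		wanted = 1;
	}
	if (wanted && !SIGNING_SUPPORTED) {
		/* Fail loudly: an unsigned image must never pass for a signed one. */
		fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
		return -1;
	}
	return 0;
}
```

Compiling the same file with -DCONFIG_FIT_SIGNATURE makes the signing options succeed, so a build script that checks the exit status can tell which variant of the tool it has.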