On Mon, 24 May 2021 at 14:23, Alexandru Gagniuc <mr.nuke...@gmail.com> wrote:
>
> Host tool features, such as mkimage's ability to sign FIT images were
> enabled or disabled based on the target configuration. However, this
> misses the point of a target-agnostic host tool.
>
> A target's ability to verify FIT signatures is independent of
> mkimage's ability to create those signatures. In fact, u-boot's build
> system doesn't sign images. The target code can be successfully built
> without relying on any ability to sign such code.
>
> Conversely, mkimage's ability to sign images does not require that
> those images will only work on targets which support FIT verification.
> Linking mkimage cryptographic features to target support for FIT
> verification is misguided.
>
> Without loss of generality, we can say that host features are and
> should be independent of target features.
>
> While we prefer that a host tool always supports the same feature set,
> we recognize the following
> - some users prefer to build u-boot without a dependency on OpenSSL.
> - some distros prefer to ship mkimage without linking to OpenSSL
>
> To allow these use cases, introduce a host-only Kconfig which is used
> to select or deselect libcrypto support. Some mkimage features or some
> host tools might not be available, but this shouldn't affect the
> u-boot build.
>
> I also considered setting the default of this config based on
> FIT_SIGNATURE. While it would preserve the old behaviour it's also
> contrary to the goals of this change. I decided to enable it by
> default, so that the default build yields the most feature-complete
> mkimage.
>
> Signed-off-by: Alexandru Gagniuc <mr.nuke...@gmail.com>
> ---
>
> This patch is designed to apply on top of
> [PATCH v2 00/18] image: Reduce #ifdef abuse in image code
>
>
>
> tools/Kconfig | 11 +++++++++++
> tools/Makefile | 46 ++++++++++++++++++++++++++++++----------------
> 2 files changed, 41 insertions(+), 16 deletions(-)
Reviewed-by: Simon Glass <s...@chromium.org> See below > > diff --git a/tools/Kconfig b/tools/Kconfig > index b2f5012240..214932ae30 100644 > --- a/tools/Kconfig > +++ b/tools/Kconfig > @@ -9,4 +9,15 @@ config MKIMAGE_DTC_PATH > some cases the system dtc may not support all required features > and the path to a different version should be given here. > > +config TOOLS_USE_LIBCRYPTO would HOST_LIBCRYPTO be better? > + bool "Use OpenSSL's libcrypto library for host tools" > + default y > + help > + Cryptographic signature, verification, and encryption of images is > + provided by host tools using OpenSSL's libcrypto. Select 'n' here if > + you wish to build host tools without OpenSSL. mkimage will not have > + the ability to sign images. > + This selection does not affect target features, such as runtime FIT > + signature verification. Regards, Simon
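Review bot: The help text for TOOLS_USE_LIBCRYPTO in the tools/Kconfig hunk understates what 'n' removes. Its first sentence says signature, verification, and encryption of images all come from libcrypto, but the consequence it spells out is only "mkimage will not have the ability to sign images." The commit message also says some host tools might not be available at all. Since the option is aimed at distros that ship mkimage without OpenSSL, the help should list every capability that goes away with 'n' (signing, and verification and encryption if they are dropped too) and name any host tools that are no longer built. That way a packager can tell from the Kconfig entry alone whether the resulting mkimage can still produce signed FIT images. The last sentence, which says target features such as runtime FIT signature verification are unaffected, is the important clarification and is worth keeping as is.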