On 4/24/21 2:43 AM, Lim, Elly Siew Chin wrote:
Add this discussion to denx mailing list.
[snip]
I can think of two enhancement to fix this: (1) Add separate CONFIG to gate ECDSA algorithm. This enhancement benefits all use cases. I assume not all user need ECDSA algorithm when FIT_SIGNATURE is used. (2) Enhance spl/spl_fit.c to support verification of data integrity based on hash(es) in FIT image instead of based on FIT_SIGNATURE.
What do you think? If you agree: For (1), can we ask Alex's help to change it? For (2), who will be the right person to change this kind of common code?
FYI, I proposed a change to decouple OpenSSL from FIT_SIGNATURE [1]
[1] https://patchwork.ozlabs.org/project/uboot/patch/20210524202317.1492578-1-mr...
That would enable you to have FIT_SIGNATURE, but not need OpenSSL support in mkimage.
Alex