On 5/17/21 8:23 PM, AKASHI Takahiro wrote:
On Mon, May 17, 2021 at 05:29:44PM -0500, Alex G. wrote:
On 5/12/21 12:14 PM, Tom Rini wrote:
On Wed, May 12, 2021 at 11:19:52AM -0500, Alex G. wrote:
On 5/12/21 10:52 AM, Simon Glass wrote:
[snip]
We have a NO_SDL build-time control. Perhaps have a NO_SSL one as well?
It could be a config option instead of an environment variable. I think it can be independent of target options, since we don't sign images in the buildsystem anyway -- we can enable FIT verification, but mkimage without openssl.
As people point out from time to time, "NO_SDL" is very non-obvious and doesn't fit with how the rest of U-Boot is configured. So I would rather not see NO_SSL added.
FYI, I have a proof-of-concept for the NO_SSL idea using Kconfig [1] instead of environment variahles. It's not yet ready for publication.
[1] https://github.com/mrnuke/u-boot/commit/c054c546a8de54e41d3802fe60ad9389095e...
FYI, I have posted a patch[1] for a similar *signing* tool using OpenSSL. Basically, I'd like to follow the way agreed here about how OpenSSL be handled in host tools. So please keep in mind that there can be another use case of this kind of host Kconfig option.
[1] https://lists.denx.de/pipermail/u-boot/2021-May/449572.html
I can't ask you to change your patch based on my ideas, as I my changes have not yet been submitted for review. However, should you want to anticipate, make sure that there's one and only one variable that determines if OpenSSL is linked.
I also suspect Tom would be quite thrilled if your patch started using gnutls instead of openssl. I'm not sure how sane things would look having both gnutls and openssl dependencies; however, I suspect it might be acceptable as long as it's temporary.
These decisions haven't been made yet. I don't want to send you on a wild goose refactoring chase, only to have the rug pulled from under you later. I think it's okay to continue with your patch as submitted. I'll update my patch accordingly when yours gets merged first -- looks easy enough.
Alex