On Wednesday 20 October 2021 14:29:02 Andre Przywara wrote:
On Wed, 20 Oct 2021 09:29:25 +0200 Pali Rohár pali@kernel.org wrote:
Hi,
On Tuesday 19 October 2021 21:44:51 Samuel Holland wrote:
Some image types (kwbimage and mxsimage) always depend on OpenSSL, so they can only be included in mkimage when TOOLS_LIBCRYPTO is selected. Use Makefile logic to conditionally link the files.
Signed-off-by: Samuel Holland samuel@sholland.org
NAK.
As explained in previous email [1], kwbimage is required for building Kirkwood, Dove, A370, AXP, A375, A38x, A39x and MSYS platforms. Therefore it cannot be disabled or hidden behind some user config options for these platforms (and it does not matter if it is crypto option or any other option).
So somehow we need to find a solution between your view and Alex' view of things. First: Pali, do you see any actual problem at the moment? TOOLS_LIBCRYPTO defaults to y, so if I am not mistaken that means that a user would need to deliberately turn that off to trigger build errors? And also: the situation with this patch is not worse as before, isn't it?
I do not think so. Without this patch, kwbimage is always going compiled, which means it is compiled also for mvebu platforms which needs it.
With this patch it is possible via _valid_ config options to disable compilation of kwbimage which would lead to totally bogus and unintuitive behavior and errors. Without this patch compilation fails on exact and clear error = cryto header files (or libs) were not found and user / developer / package maintainer would know what is needed (= mean to install missing dependency).
So if it's just the missing improvement that you are concerned about, I am not sure that should block this patch?
V3 patch was improvement - it enforced required dependencies and I guess it showed some build system error message when dependences were not met. This is improvement from situation without patch when it failed on compiling kwbimage which probably showed error message about missing header files (or libs, depends on which stage it failed). It was not the best choice as in some cases it enforced crypto dependencies also in cases when they were not really required -- but it should have solve the problem that dependences are there for platforms which require them.
v4 patch is not improvement, it is step backward - it started allowing to compile mkimage without required functionality, even on platforms which needs them, and effectively hides issue which is there.
I mean you could always propose your own version of that missing piece, to improve the situation for the boards you care about? And we should have this discussion there?
I think I have written details and some proposed solution in that email. What is needed is to ensure that kwbimage is always compiled for platforms which require it (list of platform are in email 1 in previous email). This can be done as hard dependency like it is currently without this patch (ugly, does not show nice error message and enforce everybody to have crypto dependency, even platforms which do not need it). Other solution could be to define some select symbol which says that kwbimage is required and then kwbimage would be unconditionally compiled when this symbol is selected. And to make error message nice in build system, this symbol could depends on crypto symbol to ensure that all dependencies are met when trying to compile something which needs it. Another option could be to implement required crypto functions directly in u-boot source tree to remove external dependency. I do not know which solution is the best or how hard they are to implement, and neither what can be accepted by other u-boot developers / maintainers. I see an issue here that fixing this problem need to touch more parts of u-boot source code and build system which, which means that u-boot maintainers need to say what they are willing to accept and what not.
As it stands right now, this patch just improves things (just not *everything*), and it is a prerequisite for the rest of the series (unrelated to your problems), so I would like to go ahead on this one.
Well, maybe this patch improves some things about non-mvebu platforms, but makes mvebu platform code / build system worse. And due to this fact I cannot say that I want this change...
Cheers, Andre.
kwbimage must be unconditionally enabled on these platforms like it was before this change, as it is crucial part of build.
[1] - https://lore.kernel.org/u-boot/20211015114735.rig3e4cuc7mn6a7e@pali/
Changes in v4:
- Do not select TOOLS_LIBCRYPTO anywhere
Changes in v3:
- Selected TOOLS_LIBCRYPTO on all platforms that use kwbimage (as best as I can tell, using the suggestions from Pali Rohár)
Changes in v2:
- Refactored the first patch on top of TOOLS_LIBCRYPTO
scripts/config_whitelist.txt | 1 - tools/Makefile | 19 +++++-------------- tools/mxsimage.c | 3 --- 3 files changed, 5 insertions(+), 18 deletions(-)
diff --git a/scripts/config_whitelist.txt b/scripts/config_whitelist.txt index cd94b5777a..affae6875d 100644 --- a/scripts/config_whitelist.txt +++ b/scripts/config_whitelist.txt @@ -828,7 +828,6 @@ CONFIG_MXC_UART_BASE CONFIG_MXC_USB_FLAGS CONFIG_MXC_USB_PORT CONFIG_MXC_USB_PORTSC -CONFIG_MXS CONFIG_MXS_AUART CONFIG_MXS_AUART_BASE CONFIG_MXS_OCOTP diff --git a/tools/Makefile b/tools/Makefile index 999fd46531..a9b3d982d8 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -94,9 +94,11 @@ ECDSA_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/ecdsa/, ecdsa-libcrypto. AES_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/aes/, \ aes-encrypt.o aes-decrypt.o)
-# Cryptographic helpers that depend on openssl/libcrypto -LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/, \
fdt-libcrypto.o)+# Cryptographic helpers and image types that depend on openssl/libcrypto +LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := \
lib/fdt-libcrypto.o \kwbimage.o \mxsimage.oROCKCHIP_OBS = lib/rc4.o rkcommon.o rkimage.o rksd.o rkspi.o
@@ -118,10 +120,8 @@ dumpimage-mkimage-objs := aisimage.o \ imximage.o \ imx8image.o \ imx8mimage.o \
kwbimage.o \ lib/md5.o \ lpc32xximage.o \mxsimage.o \ omapimage.o \ os_support.o \ pblimage.o \@@ -156,22 +156,13 @@ fit_info-objs := $(dumpimage-mkimage-objs) fit_info.o fit_check_sign-objs := $(dumpimage-mkimage-objs) fit_check_sign.o file2include-objs := file2include.o
-ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),) -# Add CONFIG_MXS into host CFLAGS, so we can check whether or not register -# the mxsimage support within tools/mxsimage.c . -HOSTCFLAGS_mxsimage.o += -DCONFIG_MXS -endif
ifdef CONFIG_TOOLS_LIBCRYPTO # This affects include/image.h, but including the board config file # is tricky, so manually define this options here. HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE_MAX_SIZE=0xffffffff HOST_EXTRACFLAGS += -DCONFIG_FIT_CIPHER -endif
-# MXSImage needs LibSSL -ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_TOOLS_LIBCRYPTO),) HOSTCFLAGS_kwbimage.o += \ $(shell pkg-config --cflags libssl libcrypto 2> /dev/null || echo "") HOSTLDLIBS_mkimage += \ diff --git a/tools/mxsimage.c b/tools/mxsimage.c index 002f4b525a..2bfbb421eb 100644 --- a/tools/mxsimage.c +++ b/tools/mxsimage.c @@ -5,8 +5,6 @@
- Copyright (C) 2012-2013 Marek Vasut marex@denx.de
*/
-#ifdef CONFIG_MXS
#include <errno.h> #include <fcntl.h> #include <stdio.h> @@ -2363,4 +2361,3 @@ U_BOOT_IMAGE_TYPE( NULL, mxsimage_generate );
-#endif
2.32.0