On 5/12/21 12:14 PM, Tom Rini wrote:
On Wed, May 12, 2021 at 11:19:52AM -0500, Alex G. wrote:
On 5/12/21 10:52 AM, Simon Glass wrote:
[snip]
We have a NO_SDL build-time control. Perhaps have a NO_SSL one as well?
It could be a config option instead of an environment variable. I think it can be independent of target options, since we don't sign images in the buildsystem anyway -- we can enable FIT verification, but mkimage without openssl.
As people point out from time to time, "NO_SDL" is very non-obvious and doesn't fit with how the rest of U-Boot is configured. So I would rather not see NO_SSL added.
FYI, I have a proof-of-concept for the NO_SSL idea using Kconfig [1] instead of environment variahles. It's not yet ready for publication.
[1] https://github.com/mrnuke/u-boot/commit/c054c546a8de54e41d3802fe60ad9389095e...
Frankly, given everything else that's needed to build today, I don't think just enabling the support for verified boot in mkimage by default and making it a bit odd to turn off is a problem. But given: https://lists.denx.de/pipermail/u-boot/2017-December/313742.html I would really like to see the switch to gnutls or some other clearly compatibly licensed library first.
Might be interesting to switch to gnutls, even if only because it doesn't burn your eyes looking at function names and variable types. I wouldn't mind looking into this, but I just don't have the bandwidth nowadays.
Alex