
Hi Tom,
On Thu, Jun 27, 2013 at 5:50 AM, Tom Rini <trini@ti.com> wrote:
On 06/27/2013 02:44 AM, Simon Glass wrote:
Hi Masahiro,
On Wed, Jun 26, 2013 at 9:08 PM, Masahiro Yamada <yamada.m@jp.panasonic.com> wrote:
Hello, Simon.
When compiling the master branch, I got an error during a tools/mkimage build.
u-boot/lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No such file or directory
I think this error is caused by commit 19c402a.
I searched and installed the necessary package and I could resolve this error.
$ apt-file search openssl/rsa.h
libssl-dev: /usr/include/openssl/rsa.h
$ sudo apt-get install libssl-dev
Let me ask a question.
Going forward, do we always need the openssl development package for creating the mkimage tool? Or is it possible to disable the RSA feature by some CONFIG option?
This is to support verified boot using FIT. Yes it would be possible to make it an option. I had it that way for a while, but then I worried that it would create two versions of mkimage, one of which is incapable of signing images. That means that mkimage would need to be built for a board with verified boot enabled in order to get full functionality.
Perhaps another way would be to check for the header and (if not present), silently build without signing support?
Hurk, dang it.. Yes, I think we need to build and go with an error message on attempted use. Skimming the code, we can't rely on CONFIG_FIT_SIGNATURE being inherited from the config, on the host side, yes?
Yes I can make this check CONFIG_FIT_SIGNATURE - as mentioned I had it that way originally but worried about creating different versions of mkimage.
There is actually code there for this which we can use:
#ifdef CONFIG_FIT_SIGNATURE
	fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-r]\n"
		" -k => set directory containing private keys\n"
		" -K => write public keys to this .dtb file\n"
		" -c => add comment in signature node\n"
		" -F => re-sign existing FIT image\n"
		" -r => mark keys used as 'required' in dtb\n");
#else
	fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
#endif
Let me know if this is the preferred option and I will prepare a patch.
Regards, Simon
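
The "build anyway, error on attempted use" option discussed in this thread, as an added example (not code from U-Boot or from anyone in the thread): a host tool built without CONFIG_FIT_SIGNATURE rejects signing options instead of silently writing an unsigned image. `struct sign_params` and `parse_sign_opts` are hypothetical names, and only -k, -K and -r are handled.

```c
#include <stdio.h>
#include <string.h>

/* Build with -DCONFIG_FIT_SIGNATURE to compile signing support in.
 * It is left undefined here to show the behaviour without it. */

struct sign_params {          /* hypothetical, not mkimage's own structure */
	const char *keydir;   /* -k: directory containing private keys */
	const char *keydest;  /* -K: .dtb file that receives public keys */
	int require_keys;     /* -r: mark keys used as 'required' */
};

/* Returns 0 on success, -1 if a signing option is used without support
 * compiled in, or if -k / -K is missing its argument. */
int parse_sign_opts(int argc, char **argv, struct sign_params *p)
{
	memset(p, 0, sizeof(*p));
	for (int i = 1; i < argc; i++) {
		int is_k = !strcmp(argv[i], "-k"), is_K = !strcmp(argv[i], "-K");
		int is_r = !strcmp(argv[i], "-r");
		if (!is_k && !is_K && !is_r)
			continue;     /* not a signing option; handled elsewhere */
#ifdef CONFIG_FIT_SIGNATURE
		if (is_r) { p->require_keys = 1; continue; }
		if (++i >= argc) {
			fprintf(stderr, "%s requires an argument\n", argv[i - 1]);
			return -1;
		}
		if (is_k) p->keydir = argv[i]; else p->keydest = argv[i];
#else
		/* Fail loudly: a request to sign must never fall through
		 * and produce an unsigned image that looks like a success. */
		fprintf(stderr, "%s: signing / verified boot not supported "
			"(CONFIG_FIT_SIGNATURE undefined)\n", argv[i]);
		return -1;
#endif
	}
	return 0;
}

int main(int argc, char **argv)
{
	struct sign_params p;
	return parse_sign_opts(argc, argv, &p) ? 1 : 0;
}
```

A build script that calls the tool with -k then stops on the non-zero exit status, so a host missing the OpenSSL headers cannot quietly ship unsigned FIT images.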