
On Mon, Jun 21, 2021 at 04:43:00PM +0100, Andre Przywara wrote:
On Sun, 20 Jun 2021 21:55:51 -0500 Samuel Holland samuel@sholland.org wrote:
(CC:ing Tom and Simon for the compatibility problem below)
Hi,
This series adds support for the TOC0 image format used by the Allwinner secure boot ROM (SBROM). This series has been tested on the following SoCs/boards, with the eFuse burnt to enable secure mode:
- A64: Pine A64 Plus
- H5: Orange Pi Zero Plus
- H6: Pine H64 Model B
- H616: Orange Pi Zero 2
many thanks for sending this. In general this looks good (will do a more thorough review soon), just one thing that bothered me:
This requires OpenSSL 1.1.x. There is nothing really wrong about this, but my (admittedly not the freshest) Slackware, but also long term distros like RHEL/CentOS (<=7), still come with 1.0.x (headers) only.
I was wondering how important this is? I have the impression that embedded developers sometimes use old^Wstable systems, so some people might be bitten by it. I think in this case it will affect all users trying to build mkimage, regardless of the target platform?
So I wanted to know what to do here?
- Can we provide some kind of compatibility support? OpenSSL seems to provide something:
https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes#Compatibility_Layer
Haven't tested that fully yet, just downloading that tarball does not seem to cut it (or is missing files?). I guess one needs to copy&paste some code from the Wiki?
- Shall we detect missing v1.1.x support (via #if OPENSSL_VERSION_NUMBER < 0x10100000L) and disable just sunxi_toc0 support in this case?
There are two things. First, the series should be on top of (sorry!) https://patchwork.ozlabs.org/project/uboot/patch/20210524202317.1492578-1-mr... which adds a similar Kconfig option to make building tools easier.
Second, while I think not supporting openssl 1.0.x is fine, I would like to again ask for someone to spend the time looking at switching to one of the GPL-compatible libraries as I'm pretty sure it's been raised a few times that we can't link with openssl like we do. This isn't a blocker for the series, just an ask for help with a known problem. Thanks!