[PATCH v2 0/2] tools: Fix build without host OpenSSL

Hei hei,
every now and then some user wants to build without having to install OpenSSL development libraries on the build host for different reasons. This is not possible for all boards supported by U-Boot and not for all configurations, but at least for some. And U-Boot has an option for that, which currently does not work.
The topic was discussed multiple times and multiple patches were proposed to fix things, but to my knowledge none got applied. I'm aware of at least the discussions listed below.
This series is based on the work done by Paul-Erwan Rio earlier this year, but replacing the first of two patches by a new patch based on two older approaches from 2021 and 2022 and the feedback they got. Because of that, I gave it the v2 right away.
I added some notes to both patches for further explanations on my decisions.
I tested this with and without libssl-dev installed on a Debian GNU/Linux 12 (bookworm) host (amd64 arch), with buildman and the following options:

    buildman -b master..mybranch -a '~CONFIG_TOOLS_KWBIMAGE' -a '~CONFIG_TOOLS_LIBCRYPTO' atmel

And with libssl-dev installed this:

    buildman -b master..mybranch atmel
    buildman -b master..mybranch turris

Building 'turris' without libssl-dev installed fails as expected.
The series solves _my_ immediate problem (building a recent U-Boot for an at91 based board _without_ FIT images and/or signing, in a BSP from 2018 which we can not update, and which does not handle host openssl correctly), but I did not investigate other combinations, except those listed above. Test on real hardware was only on our at91 based boards.
Please test and let me know what you think. I can imagine having CI testing builds with and without CONFIG_TOOLS_LIBCRYPTO set might be difficult, because building without won't work for every board. It can not, because some boards require it while others don't.
Greets
Alex

Cc: Marek Vasut <marex@denx.de>
Cc: Paul-Erwan Rio <paulerwan.rio@gmail.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Stefan Roese <sr@denx.de>
Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
Link: https://lore.kernel.org/u-boot/1884029.XjOfZupGQm@ada/
Link: https://lore.kernel.org/u-boot/20230121154743.667253-1-paulerwan.rio@gmail.c...
Link: https://lore.kernel.org/u-boot/AM6PR04MB61521B84F78571B282FE1D828FD5A@AM6PR0...

Alexander Dahl (1):
  tools: kwbimage: Allow disabling build on non-mvebu platforms

Paul-Erwan Rio (1):
  tools: fix build without LIBCRYPTO support

 arch/arm/mach-mvebu/Kconfig | 1 +
 include/image.h             | 2 +-
 tools/Kconfig               | 6 ++++++
 tools/Makefile              | 5 ++++-
 tools/fit_image.c           | 2 +-
 tools/image-host.c          | 4 ++++
 tools/mkimage.c             | 5 +++--
 7 files changed, 20 insertions(+), 5 deletions(-)

base-commit: 27089f1e4d11fd7e0619097b59258d0428cde2ac

Some users want to build with CONFIG_TOOLS_LIBCRYPTO disabled, which in general is possible for at least some boards. 32-bit mvebu however requires kwbimage for building SPL, and kwbimage has a hard dependency on host OpenSSL.
The new symbol CONFIG_TOOLS_KWBIMAGE allows disabling kwbimage build on non-mvebu platforms, and thus building without host libcrypto from OpenSSL.
Based on previous work and discussions, see links below.
Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
Link: https://lore.kernel.org/u-boot/20230121154743.667253-2-paulerwan.rio@gmail.c...
Cc: Marek Vasut <marex@denx.de>
Cc: Paul-Erwan Rio <paulerwan.rio@gmail.com>
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    This is more or less a mashup of the patches of Pali and Marek, but considering the feedback given by Samuel on Pali's patch and considering what I thought was the preferred style in other parts of the Makefile.

    Link: https://lore.kernel.org/u-boot/f4660467-9d25-dc46-9e60-b2f7f09236c2@sholland...

 arch/arm/mach-mvebu/Kconfig | 1 +
 tools/Kconfig               | 5 +++++
 tools/Makefile              | 5 ++++-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/arch/arm/mach-mvebu/Kconfig b/arch/arm/mach-mvebu/Kconfig index c80d8587b14..2058c95ca2d 100644 --- a/arch/arm/mach-mvebu/Kconfig +++ b/arch/arm/mach-mvebu/Kconfig @@ -15,6 +15,7 @@ config ARMADA_32BIT select SUPPORT_SPL select SYS_L2_PL310 if !SYS_L2CACHE_OFF select TRANSLATION_OFFSET + select TOOLS_KWBIMAGE if SPL select SPL_SYS_NO_VECTOR_TABLE if SPL select ARCH_VERY_EARLY_INIT
diff --git a/tools/Kconfig b/tools/Kconfig index 6e23f44d550..f8632cd59d0 100644 --- a/tools/Kconfig +++ b/tools/Kconfig @@ -25,6 +25,11 @@ config TOOLS_LIBCRYPTO This selection does not affect target features, such as runtime FIT signature verification.
+config TOOLS_KWBIMAGE + bool "Enable kwbimage support in host tools" + default y + select TOOLS_LIBCRYPTO + config TOOLS_FIT def_bool y help diff --git a/tools/Makefile b/tools/Makefile index 1aa1e36137b..fd3b207eb96 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -94,8 +94,11 @@ LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := \ generated/lib/fdt-libcrypto.o \ sunxi_toc0.o
+KWB_IMAGE_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := kwbimage.o + ROCKCHIP_OBS = generated/lib/rc4.o rkcommon.o rkimage.o rksd.o rkspi.o
+ # common objs for dumpimage and mkimage dumpimage-mkimage-objs := aisimage.o \ atmelimage.o \ @@ -114,7 +117,7 @@ dumpimage-mkimage-objs := aisimage.o \ imximage.o \ imx8image.o \ imx8mimage.o \ - kwbimage.o \ + $(KWB_IMAGE_OBJS-y) \ generated/lib/md5.o \ lpc32xximage.o \ mxsimage.o \
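
Review bot: In the first tools/Makefile hunk, KWB_IMAGE_OBJS is keyed on CONFIG_TOOLS_LIBCRYPTO instead of the new CONFIG_TOOLS_KWBIMAGE, so in the visible hunks the new symbol never decides whether kwbimage.o is built: with TOOLS_KWBIMAGE=n and TOOLS_LIBCRYPTO=y the object still ends up in dumpimage-mkimage-objs. Suggest "KWB_IMAGE_OBJS-$(CONFIG_TOOLS_KWBIMAGE) := kwbimage.o"; the "select TOOLS_LIBCRYPTO" in tools/Kconfig already ensures libcrypto is enabled whenever kwbimage is.

Review bot: The new "config TOOLS_KWBIMAGE" entry in tools/Kconfig has a prompt but no help text. Because it is "default y" and selects TOOLS_LIBCRYPTO, switching off TOOLS_LIBCRYPTO alone has no effect; a short help block stating that kwbimage needs host OpenSSL and that both options must be disabled for a build without it would document that. The extra blank line added before the "# common objs" comment in tools/Makefile is an unrelated whitespace change and can be dropped.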

On Thu, 14 Dec 2023 at 05:11, Alexander Dahl <ada@thorsis.com> wrote:
> Some users want to build with CONFIG_TOOLS_LIBCRYPTO disabled, which in general is possible for at least some boards. 32-bit mvebu however requires kwbimage for building SPL, and kwbimage has a hard dependency on host OpenSSL.
>
> The new symbol CONFIG_TOOLS_KWBIMAGE allows disabling kwbimage build on non-mvebu platforms, and thus building without host libcrypto from OpenSSL.
>
> Based on previous work and discussions, see links below.
>
> Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
> Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
> Link: https://lore.kernel.org/u-boot/20230121154743.667253-2-paulerwan.rio@gmail.c...
> Cc: Marek Vasut <marex@denx.de>
> Cc: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
>
> Notes:
>     This is more or less a mashup of the patches of Pali and Marek, but considering the feedback given by Samuel on Pali's patch and considering what I thought was the preferred style in other parts of the Makefile.
>
>     Link: https://lore.kernel.org/u-boot/f4660467-9d25-dc46-9e60-b2f7f09236c2@sholland.org/
>
>  arch/arm/mach-mvebu/Kconfig | 1 +
>  tools/Kconfig               | 5 +++++
>  tools/Makefile              | 5 ++++-
>  3 files changed, 10 insertions(+), 1 deletion(-)

Reviewed-by: Simon Glass <sjg@chromium.org>
But please drop the whitespace changes
diff --git a/arch/arm/mach-mvebu/Kconfig b/arch/arm/mach-mvebu/Kconfig index c80d8587b14..2058c95ca2d 100644 --- a/arch/arm/mach-mvebu/Kconfig +++ b/arch/arm/mach-mvebu/Kconfig @@ -15,6 +15,7 @@ config ARMADA_32BIT select SUPPORT_SPL select SYS_L2_PL310 if !SYS_L2CACHE_OFF select TRANSLATION_OFFSET
select TOOLS_KWBIMAGE if SPL select SPL_SYS_NO_VECTOR_TABLE if SPL select ARCH_VERY_EARLY_INIT
diff --git a/tools/Kconfig b/tools/Kconfig index 6e23f44d550..f8632cd59d0 100644 --- a/tools/Kconfig +++ b/tools/Kconfig @@ -25,6 +25,11 @@ config TOOLS_LIBCRYPTO This selection does not affect target features, such as runtime FIT signature verification.
+config TOOLS_KWBIMAGE
bool "Enable kwbimage support in host tools"
default y
select TOOLS_LIBCRYPTO
config TOOLS_FIT def_bool y help diff --git a/tools/Makefile b/tools/Makefile index 1aa1e36137b..fd3b207eb96 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -94,8 +94,11 @@ LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := \ generated/lib/fdt-libcrypto.o \ sunxi_toc0.o
+KWB_IMAGE_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := kwbimage.o
ROCKCHIP_OBS = generated/lib/rc4.o rkcommon.o rkimage.o rksd.o rkspi.o
# common objs for dumpimage and mkimage dumpimage-mkimage-objs := aisimage.o \ atmelimage.o \ @@ -114,7 +117,7 @@ dumpimage-mkimage-objs := aisimage.o \ imximage.o \ imx8image.o \ imx8mimage.o \
kwbimage.o \
$(KWB_IMAGE_OBJS-y) \ generated/lib/md5.o \ lpc32xximage.o \ mxsimage.o \
-- 2.39.2

From: Paul-Erwan Rio <paulerwan.rio@gmail.com>
Commit cb9faa6f98ae ("tools: Use a single target-independent config to enable OpenSSL") introduced a target-independent configuration to build crypto features in host tools.
But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in host tools and SPL") the build without OpenSSL is broken, due to FIT signature/encryption features. Add missing conditional compilation tokens to fix this.
Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
Tested-by: Alexander Dahl <ada@thorsis.com>
Cc: Simon Glass <sjg@chromium.org>
---

Notes:
    Added another guard around the header includes and slightly reworded the commit message. Otherwise it's the same patch as before, so I kept the author as is and only added my Tested-by. I removed the Reviewed-by: from Simon from this patch, because of the changes mentioned and because the patch was based on a U-Boot from three or four releases ago.

 include/image.h    | 2 +-
 tools/Kconfig      | 1 +
 tools/fit_image.c  | 2 +-
 tools/image-host.c | 4 ++++
 tools/mkimage.c    | 5 +++--
 5 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/include/image.h b/include/image.h index 2e3cf839ee3..48b8a8995a4 100644 --- a/include/image.h +++ b/include/image.h @@ -1391,7 +1391,7 @@ int calculate_hash(const void *data, int data_len, const char *algo, * device */ #if defined(USE_HOSTCC) -# if defined(CONFIG_FIT_SIGNATURE) +# if CONFIG_IS_ENABLED(FIT_SIGNATURE) # define IMAGE_ENABLE_SIGN 1 # define FIT_IMAGE_ENABLE_VERIFY 1 # include <openssl/evp.h> diff --git a/tools/Kconfig b/tools/Kconfig index f8632cd59d0..f01ed783e6f 100644 --- a/tools/Kconfig +++ b/tools/Kconfig @@ -51,6 +51,7 @@ config TOOLS_FIT_RSASSA_PSS Support the rsassa-pss signature scheme in the tools builds
config TOOLS_FIT_SIGNATURE + depends on TOOLS_LIBCRYPTO def_bool y help Enable signature verification of FIT uImages in the tools builds diff --git a/tools/fit_image.c b/tools/fit_image.c index 71e031c8550..beef1fa86e2 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -61,7 +61,7 @@ static int fit_add_file_data(struct image_tool_params *params, size_t size_inc, ret = fit_set_timestamp(ptr, 0, time); }
- if (!ret) + if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && !ret) ret = fit_pre_load_data(params->keydir, dest_blob, ptr);
if (!ret) { diff --git a/tools/image-host.c b/tools/image-host.c index ca4950312f9..90bc9f905f3 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -14,8 +14,10 @@ #include <image.h> #include <version.h>
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE) #include <openssl/pem.h> #include <openssl/evp.h> +#endif
/** * fit_set_hash_value - set hash value in requested has node @@ -1131,6 +1133,7 @@ static int fit_config_add_verification_data(const char *keydir, return 0; }
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE) /* * 0) open file (open) * 1) read certificate (PEM_read_X509) @@ -1239,6 +1242,7 @@ int fit_pre_load_data(const char *keydir, void *keydest, void *fit) out: return ret; } +#endif
int fit_cipher_data(const char *keydir, void *keydest, void *fit, const char *comment, int require_keys, diff --git a/tools/mkimage.c b/tools/mkimage.c index 6dfe3e1d42d..ac62ebbde9b 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -115,7 +115,7 @@ static void usage(const char *msg) " -B => align size in hex for FIT structure and header\n" " -b => append the device tree binary to the FIT\n" " -t => update the timestamp in the FIT\n"); -#ifdef CONFIG_FIT_SIGNATURE +#if CONFIG_IS_ENABLED(FIT_SIGNATURE) fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n" " -k => set directory containing private keys\n" @@ -130,8 +130,9 @@ static void usage(const char *msg) " -o => algorithm to use for signing\n"); #else fprintf(stderr, - "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n"); + "Signing / verified boot not supported (CONFIG_TOOLS_FIT_SIGNATURE undefined)\n"); #endif + fprintf(stderr, " %s -V ==> print version information and exit\n", params.cmdname); fprintf(stderr, "Use '-T list' to see a list of available image types\n");
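
Review bot: In tools/fit_image.c the call to fit_pre_load_data() is gated only by a C-level "if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && !ret)", while the tools/image-host.c hunk removes the function's definition with "#if CONFIG_IS_ENABLED(FIT_SIGNATURE)". The link then succeeds only if the compiler discards the dead branch, which the C language does not guarantee. Suggest guarding the call with the same #if, or adding a static inline stub that returns 0 for the disabled case next to the declaration.

Review bot: The last tools/mkimage.c hunk adds a blank line after "#endif" that is unrelated to the fix and can be dropped. In tools/Kconfig, "depends on TOOLS_LIBCRYPTO" is inserted ahead of "def_bool y" in TOOLS_FIT_SIGNATURE; putting the type line first would match the TOOLS_FIT entry in the same file.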

On Thu, Dec 14, 2023 at 01:11:36PM +0100, Alexander Dahl wrote:
> From: Paul-Erwan Rio <paulerwan.rio@gmail.com>
>
> Commit cb9faa6f98ae ("tools: Use a single target-independent config to enable OpenSSL") introduced a target-independent configuration to build crypto features in host tools.
>
> But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in host tools and SPL") the build without OpenSSL is broken, due to FIT signature/encryption features. Add missing conditional compilation tokens to fix this.
>
> Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> Tested-by: Alexander Dahl <ada@thorsis.com>
> Cc: Simon Glass <sjg@chromium.org>

Reviewed-by: Tom Rini <trini@konsulko.com>