[PATCH v3 0/2] tools: Fix build without host OpenSSL

Hei hei,
both patches of the series got a review and this is my last work day of the year, so I just incorporated the feedback, collected the tags, and send this out before returning to office in January.
Link to v2 with whole motivation text: https://lore.kernel.org/u-boot/20231214121136.3286703-1-ada@thorsis.com/
Have some peaceful days everyone.
Greets Alex
v2 -> v3:
* Rebased on v2024.01-rc5
* Removed a superfluous new newline introduced in v1
* Collected tags
Cc: Marek Vasut marex@denx.de
Cc: Paul-Erwan Rio paulerwan.rio@gmail.com
Cc: Simon Glass sjg@chromium.org
Cc: Stefan Roese sr@denx.de
Cc: Tom Rini trini@konsulko.com
Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
Link: https://lore.kernel.org/u-boot/1884029.XjOfZupGQm@ada/
Link: https://lore.kernel.org/u-boot/20230121154743.667253-1-paulerwan.rio@gmail.c...
Link: https://lore.kernel.org/u-boot/AM6PR04MB61521B84F78571B282FE1D828FD5A@AM6PR0...
Alexander Dahl (1): tools: kwbimage: Allow disabling build on non-mvebu platforms
Paul-Erwan Rio (1): tools: fix build without LIBCRYPTO support
 arch/arm/mach-mvebu/Kconfig | 1 +
 include/image.h             | 2 +-
 tools/Kconfig               | 6 ++++++
 tools/Makefile              | 4 +++-
 tools/fit_image.c           | 2 +-
 tools/image-host.c          | 4 ++++
 tools/mkimage.c             | 5 +++--
 7 files changed, 19 insertions(+), 5 deletions(-)
base-commit: 97a897444235921ce19b4f8a3b27de6f5a9ab367

Some users want to build with CONFIG_TOOLS_LIBCRYPTO disabled, which in general is possible for at least some boards. 32-bit mvebu however requires kwbimage for building SPL, and kwbimage has a hard dependency to host OpenSSL.
The new symbol CONFIG_TOOLS_KWBIMAGE allows disabling kwbimage build on non-mvebu platforms, and thus building without host libcrypto from OpenSSL.
Based on previous work and discussions, see links below.
Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
Link: https://lore.kernel.org/u-boot/20230121154743.667253-2-paulerwan.rio@gmail.c...
Cc: Marek Vasut marex@denx.de
Cc: Paul-Erwan Rio paulerwan.rio@gmail.com
Signed-off-by: Alexander Dahl ada@thorsis.com
Reviewed-by: Simon Glass sjg@chromium.org
---
Notes: This is more or less a mashup of the patches of Pali and Marek, but considering the feedback given by Samuel on Pali's patch and considering what I thought was the preferred style in other parts of the Makefile.
Link: https://lore.kernel.org/u-boot/f4660467-9d25-dc46-9e60-b2f7f09236c2@sholland...
v1 -> v2:
* removed a useless new newline added in v1
* collected tags
 arch/arm/mach-mvebu/Kconfig | 1 +
 tools/Kconfig               | 5 +++++
 tools/Makefile              | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/arm/mach-mvebu/Kconfig b/arch/arm/mach-mvebu/Kconfig index c80d8587b14..2058c95ca2d 100644 --- a/arch/arm/mach-mvebu/Kconfig +++ b/arch/arm/mach-mvebu/Kconfig @@ -15,6 +15,7 @@ config ARMADA_32BIT select SUPPORT_SPL select SYS_L2_PL310 if !SYS_L2CACHE_OFF select TRANSLATION_OFFSET + select TOOLS_KWBIMAGE if SPL select SPL_SYS_NO_VECTOR_TABLE if SPL select ARCH_VERY_EARLY_INIT
diff --git a/tools/Kconfig b/tools/Kconfig index 6e23f44d550..f8632cd59d0 100644 --- a/tools/Kconfig +++ b/tools/Kconfig @@ -25,6 +25,11 @@ config TOOLS_LIBCRYPTO This selection does not affect target features, such as runtime FIT signature verification.
+config TOOLS_KWBIMAGE + bool "Enable kwbimage support in host tools" + default y + select TOOLS_LIBCRYPTO + config TOOLS_FIT def_bool y help diff --git a/tools/Makefile b/tools/Makefile index 1aa1e36137b..6a4280e3668 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -94,6 +94,8 @@ LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := \ generated/lib/fdt-libcrypto.o \ sunxi_toc0.o
+KWB_IMAGE_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := kwbimage.o + ROCKCHIP_OBS = generated/lib/rc4.o rkcommon.o rkimage.o rksd.o rkspi.o
# common objs for dumpimage and mkimage @@ -114,7 +116,7 @@ dumpimage-mkimage-objs := aisimage.o \ imximage.o \ imx8image.o \ imx8mimage.o \ - kwbimage.o \ + $(KWB_IMAGE_OBJS-y) \ generated/lib/md5.o \ lpc32xximage.o \ mxsimage.o \
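Review bot: the new TOOLS_KWBIMAGE entry in the tools/Kconfig hunk has no help text, so nothing in the menu tells the user that it pulls in host OpenSSL through `select TOOLS_LIBCRYPTO`, or that with `default y` it has to be switched off before TOOLS_LIBCRYPTO can be disabled at all. A short help paragraph stating both, and that ARMADA_32BIT selects it when SPL is enabled, would make the option self-explanatory.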
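Review bot: in the first tools/Makefile hunk the object list follows the wrong symbol: `KWB_IMAGE_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := kwbimage.o` is keyed on CONFIG_TOOLS_LIBCRYPTO, not on the CONFIG_TOOLS_KWBIMAGE symbol this patch introduces. As written, a configuration with TOOLS_KWBIMAGE=n and TOOLS_LIBCRYPTO=y still builds kwbimage.o, so the new prompt only has an effect indirectly through its `select`. Keying the list on CONFIG_TOOLS_KWBIMAGE would match the prompt, and the `select TOOLS_LIBCRYPTO` in tools/Kconfig already guarantees libcrypto is enabled whenever it is set.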

On Thu, Dec 21, 2023 at 08:26:10AM +0100, Alexander Dahl wrote:
Some users want to build with CONFIG_TOOLS_LIBCRYPTO disabled, which in general is possible for at least some boards. 32-bit mvebu however requires kwbimage for building SPL, and kwbimage has a hard dependency to host OpenSSL.
The new symbol CONFIG_TOOLS_KWBIMAGE allows disabling kwbimage build on non-mvebu platforms, and thus building without host libcrypto from OpenSSL.
Based on previous work and discussions, see links below.
Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
Link: https://lore.kernel.org/u-boot/20230121154743.667253-2-paulerwan.rio@gmail.c...
Cc: Marek Vasut marex@denx.de
Cc: Paul-Erwan Rio paulerwan.rio@gmail.com
Signed-off-by: Alexander Dahl ada@thorsis.com
Reviewed-by: Simon Glass sjg@chromium.org
Applied to u-boot/master, thanks!

From: Paul-Erwan Rio paulerwan.rio@gmail.com
Commit cb9faa6f98ae ("tools: Use a single target-independent config to enable OpenSSL") introduced a target-independent configuration to build crypto features in host tools.
But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in host tools and SPL") the build without OpenSSL is broken, due to FIT signature/encryption features. Add missing conditional compilation tokens to fix this.
Signed-off-by: Paul-Erwan Rio paulerwan.rio@gmail.com
Tested-by: Alexander Dahl ada@thorsis.com
Cc: Simon Glass sjg@chromium.org
Reviewed-by: Tom Rini trini@konsulko.com
---
Notes: Added another guard around the header includes and slightly reworded the commit message. Otherwise it's the same patch as before, so I kept the author as is and only added my Tested-by:
I removed the Reviewed-by: from Simon from this patch, because of the changes mentioned and because the patch was based on an U-Boot three or four releases ago.
v1 -> v2:
* collected tags
 include/image.h    | 2 +-
 tools/Kconfig      | 1 +
 tools/fit_image.c  | 2 +-
 tools/image-host.c | 4 ++++
 tools/mkimage.c    | 5 +++--
 5 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/include/image.h b/include/image.h index 2e3cf839ee3..48b8a8995a4 100644 --- a/include/image.h +++ b/include/image.h @@ -1391,7 +1391,7 @@ int calculate_hash(const void *data, int data_len, const char *algo, * device */ #if defined(USE_HOSTCC) -# if defined(CONFIG_FIT_SIGNATURE) +# if CONFIG_IS_ENABLED(FIT_SIGNATURE) # define IMAGE_ENABLE_SIGN 1 # define FIT_IMAGE_ENABLE_VERIFY 1 # include <openssl/evp.h> diff --git a/tools/Kconfig b/tools/Kconfig index f8632cd59d0..f01ed783e6f 100644 --- a/tools/Kconfig +++ b/tools/Kconfig @@ -51,6 +51,7 @@ config TOOLS_FIT_RSASSA_PSS Support the rsassa-pss signature scheme in the tools builds
config TOOLS_FIT_SIGNATURE + depends on TOOLS_LIBCRYPTO def_bool y help Enable signature verification of FIT uImages in the tools builds diff --git a/tools/fit_image.c b/tools/fit_image.c index 71e031c8550..beef1fa86e2 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -61,7 +61,7 @@ static int fit_add_file_data(struct image_tool_params *params, size_t size_inc, ret = fit_set_timestamp(ptr, 0, time); }
- if (!ret) + if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && !ret) ret = fit_pre_load_data(params->keydir, dest_blob, ptr);
if (!ret) { diff --git a/tools/image-host.c b/tools/image-host.c index ca4950312f9..90bc9f905f3 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -14,8 +14,10 @@ #include <image.h> #include <version.h>
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE) #include <openssl/pem.h> #include <openssl/evp.h> +#endif
/** * fit_set_hash_value - set hash value in requested has node @@ -1131,6 +1133,7 @@ static int fit_config_add_verification_data(const char *keydir, return 0; }
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE) /* * 0) open file (open) * 1) read certificate (PEM_read_X509) @@ -1239,6 +1242,7 @@ int fit_pre_load_data(const char *keydir, void *keydest, void *fit) out: return ret; } +#endif
int fit_cipher_data(const char *keydir, void *keydest, void *fit, const char *comment, int require_keys, diff --git a/tools/mkimage.c b/tools/mkimage.c index 6dfe3e1d42d..ac62ebbde9b 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -115,7 +115,7 @@ static void usage(const char *msg) " -B => align size in hex for FIT structure and header\n" " -b => append the device tree binary to the FIT\n" " -t => update the timestamp in the FIT\n"); -#ifdef CONFIG_FIT_SIGNATURE +#if CONFIG_IS_ENABLED(FIT_SIGNATURE) fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n" " -k => set directory containing private keys\n" @@ -130,8 +130,9 @@ static void usage(const char *msg) " -o => algorithm to use for signing\n"); #else fprintf(stderr, - "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n"); + "Signing / verified boot not supported (CONFIG_TOOLS_FIT_SIGNATURE undefined)\n"); #endif + fprintf(stderr, " %s -V ==> print version information and exit\n", params.cmdname); fprintf(stderr, "Use '-T list' to see a list of available image types\n");
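Review bot: in the tools/Kconfig hunk, `depends on TOOLS_LIBCRYPTO` is inserted ahead of `def_bool y` in TOOLS_FIT_SIGNATURE, while the neighbouring entries visible in this series (TOOLS_FIT, TOOLS_KWBIMAGE) put the type line first. Moving the `depends on` below `def_bool y` keeps the entry consistent, and the help text could mention that the option is only available with host libcrypto.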
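Review bot: the tools/fit_image.c hunk leaves a reference to a function that may no longer exist: `if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && !ret)` still names fit_pre_load_data(), whose definition this patch places under `#if CONFIG_IS_ENABLED(FIT_SIGNATURE)` in tools/image-host.c. The link then depends on the compiler discarding the constant-false branch. Either say so in a comment at the call site, or give the `#if` in image-host.c an `#else` branch with a stub that returns 0, so the build does not depend on dead-code elimination.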
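Review bot: the `#endif` added after fit_pre_load_data() in tools/image-host.c closes a block opened more than a hundred lines earlier (the hunk headers put the `#if` near line 1133 and the `#endif` near line 1242) and carries no comment naming its condition. Writing it as `#endif /* CONFIG_IS_ENABLED(FIT_SIGNATURE) */` makes the guarded region readable. The commit message speaks of signature/encryption features, but fit_cipher_data() directly below stays unguarded; a sentence in the commit message on why it needs no guard would help.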
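Review bot: the second tools/mkimage.c hunk adds an empty line after `#endif`, ahead of the `-V ==> print version information and exit` usage line. That is a whitespace change unrelated to the build fix and should be dropped from this patch, which would also bring the diffstat for mkimage.c down to the two changed lines.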

On Thu, Dec 21, 2023 at 7:26 AM Alexander Dahl ada@thorsis.com wrote:
From: Paul-Erwan Rio paulerwan.rio@gmail.com
Commit cb9faa6f98ae ("tools: Use a single target-independent config to enable OpenSSL") introduced a target-independent configuration to build crypto features in host tools.
But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in host tools and SPL") the build without OpenSSL is broken, due to FIT signature/encryption features. Add missing conditional compilation tokens to fix this.
Signed-off-by: Paul-Erwan Rio paulerwan.rio@gmail.com
Tested-by: Alexander Dahl ada@thorsis.com
Cc: Simon Glass sjg@chromium.org
Reviewed-by: Tom Rini trini@konsulko.com
Notes: Added another guard around the header includes and slightly reworded the commit message. Otherwise it's the same patch as before, so I kept the author as is and only added my Tested-by:
I removed the Reviewed-by: from Simon from this patch, because of the changes mentioned and because the patch was based on an U-Boot three or four releases ago.
v1 -> v2:
* collected tags
 include/image.h    | 2 +-
 tools/Kconfig      | 1 +
 tools/fit_image.c  | 2 +-
 tools/image-host.c | 4 ++++
 tools/mkimage.c    | 5 +++--
 5 files changed, 10 insertions(+), 4 deletions(-)
Reviewed-by: Simon Glass sjg@chromium.org

On Thu, Dec 21, 2023 at 08:26:11AM +0100, Alexander Dahl wrote:
From: Paul-Erwan Rio paulerwan.rio@gmail.com
Commit cb9faa6f98ae ("tools: Use a single target-independent config to enable OpenSSL") introduced a target-independent configuration to build crypto features in host tools.
But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in host tools and SPL") the build without OpenSSL is broken, due to FIT signature/encryption features. Add missing conditional compilation tokens to fix this.
Signed-off-by: Paul-Erwan Rio paulerwan.rio@gmail.com
Tested-by: Alexander Dahl ada@thorsis.com
Cc: Simon Glass sjg@chromium.org
Reviewed-by: Tom Rini trini@konsulko.com
Reviewed-by: Simon Glass sjg@chromium.org
Applied to u-boot/master, thanks!

Hello,
Am Thu, Dec 21, 2023 at 08:26:09AM +0100 schrieb Alexander Dahl:
Hei hei,
both patches of the series got a review and this is my last work day of the year, so I just incorporated the feedback, collected the tags, and send this out before returning to office in January.
Link to v2 with whole motivation text: https://lore.kernel.org/u-boot/20231214121136.3286703-1-ada@thorsis.com/
Have some peaceful days everyone.
Greets Alex
v2 -> v3:
- Rebased on v2024.01-rc5
- Removed a superfluous new newline introduced in v1
This change was in v2 of course. I made the same mistake in the changelogs of the patches, where it should have been v2 -> v3 instead. Sorry for the confusion.
Greets Alex
- Collected tags
Cc: Marek Vasut marex@denx.de
Cc: Paul-Erwan Rio paulerwan.rio@gmail.com
Cc: Simon Glass sjg@chromium.org
Cc: Stefan Roese sr@denx.de
Cc: Tom Rini trini@konsulko.com
Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
Link: https://lore.kernel.org/u-boot/1884029.XjOfZupGQm@ada/
Link: https://lore.kernel.org/u-boot/20230121154743.667253-1-paulerwan.rio@gmail.c...
Link: https://lore.kernel.org/u-boot/AM6PR04MB61521B84F78571B282FE1D828FD5A@AM6PR0...
Alexander Dahl (1): tools: kwbimage: Allow disabling build on non-mvebu platforms
Paul-Erwan Rio (1): tools: fix build without LIBCRYPTO support
 arch/arm/mach-mvebu/Kconfig | 1 +
 include/image.h             | 2 +-
 tools/Kconfig               | 6 ++++++
 tools/Makefile              | 4 +++-
 tools/fit_image.c           | 2 +-
 tools/image-host.c          | 4 ++++
 tools/mkimage.c             | 5 +++--
 7 files changed, 19 insertions(+), 5 deletions(-)
base-commit: 97a897444235921ce19b4f8a3b27de6f5a9ab367
2.39.2
participants (3): Alexander Dahl, Simon Glass, Tom Rini