diff mbox series

[v3,19/19] tools: Use a single target-independent config to enable OpenSSL

Message ID 20210714220547.170371-20-mr.nuke.me@gmail.com
State Accepted
Commit cb9faa6f98ae56d70d59505dad290dd3d381cb7b
Delegated to: Tom Rini
Headers show
Series tools: Use a single config for Host OpenSSL (plus dependent patches) | expand

Commit Message

Alex G. July 14, 2021, 10:05 p.m. UTC 
Host tool features, such as mkimage's ability to sign FIT images were
enabled or disabled based on the target configuration. However, this
misses the point of a target-agnostic host tool.

A target's ability to verify FIT signatures is independent of
mkimage's ability to create those signatures. In fact, u-boot's build
system doesn't sign images. The target code can be successfully built
without relying on any ability to sign such code.

Conversely, mkimage's ability to sign images does not require that
those images will only work on targets which support FIT verification.
Linking mkimage cryptographic features to target support for FIT
verification is misguided.

Without loss of generality, we can say that host features are and
should be independent of target features.

While we prefer that a host tool always supports the same feature set,
we recognize the following
  - some users prefer to build u-boot without a dependency on OpenSSL.
  - some distros prefer to ship mkimage without linking to OpenSSL

To allow these use cases, introduce a host-only Kconfig which is used
to select or deselect libcrypto support. Some mkimage features or some
host tools might not be available, but this shouldn't affect the
u-boot build.

I also considered setting the default of this config based on
FIT_SIGNATURE. While it would preserve the old behaviour it's also
contrary to the goals of this change. I decided to enable it by
default, so that the default build yields the most feature-complete
mkimage.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
---
 tools/Kconfig  | 11 +++++++++++
 tools/Makefile | 48 +++++++++++++++++++++++++++++++-----------------
 2 files changed, 42 insertions(+), 17 deletions(-)

Comments

Heiko Thiery July 27, 2021, 9:59 a.m. UTC | #1 
Hi all,

Am Do., 15. Juli 2021 um 00:09 Uhr schrieb Alexandru Gagniuc
<mr.nuke.me@gmail.com>:
>
> Host tool features, such as mkimage's ability to sign FIT images were
> enabled or disabled based on the target configuration. However, this
> misses the point of a target-agnostic host tool.
>
> A target's ability to verify FIT signatures is independent of
> mkimage's ability to create those signatures. In fact, u-boot's build
> system doesn't sign images. The target code can be successfully built
> without relying on any ability to sign such code.
>
> Conversely, mkimage's ability to sign images does not require that
> those images will only work on targets which support FIT verification.
> Linking mkimage cryptographic features to target support for FIT
> verification is misguided.
>
> Without loss of generality, we can say that host features are and
> should be independent of target features.
>
> While we prefer that a host tool always supports the same feature set,
> we recognize the following
>   - some users prefer to build u-boot without a dependency on OpenSSL.
>   - some distros prefer to ship mkimage without linking to OpenSSL
>
> To allow these use cases, introduce a host-only Kconfig which is used
> to select or deselect libcrypto support. Some mkimage features or some
> host tools might not be available, but this shouldn't affect the
> u-boot build.
>
> I also considered setting the default of this config based on
> FIT_SIGNATURE. While it would preserve the old behaviour it's also
> contrary to the goals of this change. I decided to enable it by
> default, so that the default build yields the most feature-complete
> mkimage.
>
> Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>

Since this patch was applied to master the build target "flash.bin"
for e.g. the imx8mq_evk_defconfig fails.

--- 8< ---

MKIMAGE u-boot.itb
u-boot.its:7.11-15.5: Warning (unit_address_vs_reg): /images/uboot@1:
node has a unit name, but no reg property
u-boot.its:16.9-21.5: Warning (unit_address_vs_reg): /images/fdt@1:
node has a unit name, but no reg property
u-boot.its:22.9-31.5: Warning (unit_address_vs_reg): /images/atf@1:
node has a unit name, but no reg property
u-boot.its:36.12-41.5: Warning (unit_address_vs_reg):
/configurations/config@1: node has a unit name, but no reg property
./tools/mkimage: verify_header failed for FIT Image support with exit code 1
make: *** [Makefile:1440: u-boot.itb] Error 1
make: *** Deleting file 'u-boot.itb'
make: *** Waiting for unfinished jobs....

--- 8< ---

Does I miss here something?
Alex G. July 27, 2021, 2:34 p.m. UTC | #2 
On 7/27/21 4:59 AM, Heiko Thiery wrote:
> Hi all,
> 
> Am Do., 15. Juli 2021 um 00:09 Uhr schrieb Alexandru Gagniuc
> <mr.nuke.me@gmail.com>:
>>
>> Host tool features, such as mkimage's ability to sign FIT images were
>> enabled or disabled based on the target configuration. However, this
>> misses the point of a target-agnostic host tool.
>>
>> A target's ability to verify FIT signatures is independent of
>> mkimage's ability to create those signatures. In fact, u-boot's build
>> system doesn't sign images. The target code can be successfully built
>> without relying on any ability to sign such code.
>>
>> Conversely, mkimage's ability to sign images does not require that
>> those images will only work on targets which support FIT verification.
>> Linking mkimage cryptographic features to target support for FIT
>> verification is misguided.
>>
>> Without loss of generality, we can say that host features are and
>> should be independent of target features.
>>
>> While we prefer that a host tool always supports the same feature set,
>> we recognize the following
>>    - some users prefer to build u-boot without a dependency on OpenSSL.
>>    - some distros prefer to ship mkimage without linking to OpenSSL
>>
>> To allow these use cases, introduce a host-only Kconfig which is used
>> to select or deselect libcrypto support. Some mkimage features or some
>> host tools might not be available, but this shouldn't affect the
>> u-boot build.
>>
>> I also considered setting the default of this config based on
>> FIT_SIGNATURE. While it would preserve the old behaviour it's also
>> contrary to the goals of this change. I decided to enable it by
>> default, so that the default build yields the most feature-complete
>> mkimage.
>>
>> Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
> 
> Since this patch was applied to master the build target "flash.bin"
> for e.g. the imx8mq_evk_defconfig fails.
> 
> --- 8< ---
> 
> MKIMAGE u-boot.itb
> u-boot.its:7.11-15.5: Warning (unit_address_vs_reg): /images/uboot@1:
> node has a unit name, but no reg property
> u-boot.its:16.9-21.5: Warning (unit_address_vs_reg): /images/fdt@1:
> node has a unit name, but no reg property
> u-boot.its:22.9-31.5: Warning (unit_address_vs_reg): /images/atf@1:
> node has a unit name, but no reg property
> u-boot.its:36.12-41.5: Warning (unit_address_vs_reg):
> /configurations/config@1: node has a unit name, but no reg property
> ./tools/mkimage: verify_header failed for FIT Image support with exit code 1
> make: *** [Makefile:1440: u-boot.itb] Error 1
> make: *** Deleting file 'u-boot.itb'
> make: *** Waiting for unfinished jobs....
> 
> --- 8< ---
> 
> Does I miss here something?


Are you sure it's this patch? I don't see how this change affects this 
issue, but I did notice invalid FIT node names [1] in your build.

Alex

[1] 
https://source.denx.de/u-boot/u-boot/-/commit/3f04db891a353f4b127ed57279279f851c6b4917
Heiko Thiery July 27, 2021, 7:51 p.m. UTC | #3 
Hi Alex,

Am Di., 27. Juli 2021 um 16:34 Uhr schrieb Alex G. <mr.nuke.me@gmail.com>:
>
>
>
> On 7/27/21 4:59 AM, Heiko Thiery wrote:
> > Hi all,
> >
> > Am Do., 15. Juli 2021 um 00:09 Uhr schrieb Alexandru Gagniuc
> > <mr.nuke.me@gmail.com>:
> >>
> >> Host tool features, such as mkimage's ability to sign FIT images were
> >> enabled or disabled based on the target configuration. However, this
> >> misses the point of a target-agnostic host tool.
> >>
> >> A target's ability to verify FIT signatures is independent of
> >> mkimage's ability to create those signatures. In fact, u-boot's build
> >> system doesn't sign images. The target code can be successfully built
> >> without relying on any ability to sign such code.
> >>
> >> Conversely, mkimage's ability to sign images does not require that
> >> those images will only work on targets which support FIT verification.
> >> Linking mkimage cryptographic features to target support for FIT
> >> verification is misguided.
> >>
> >> Without loss of generality, we can say that host features are and
> >> should be independent of target features.
> >>
> >> While we prefer that a host tool always supports the same feature set,
> >> we recognize the following
> >>    - some users prefer to build u-boot without a dependency on OpenSSL.
> >>    - some distros prefer to ship mkimage without linking to OpenSSL
> >>
> >> To allow these use cases, introduce a host-only Kconfig which is used
> >> to select or deselect libcrypto support. Some mkimage features or some
> >> host tools might not be available, but this shouldn't affect the
> >> u-boot build.
> >>
> >> I also considered setting the default of this config based on
> >> FIT_SIGNATURE. While it would preserve the old behaviour it's also
> >> contrary to the goals of this change. I decided to enable it by
> >> default, so that the default build yields the most feature-complete
> >> mkimage.
> >>
> >> Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
> >
> > Since this patch was applied to master the build target "flash.bin"
> > for e.g. the imx8mq_evk_defconfig fails.
> >
> > --- 8< ---
> >
> > MKIMAGE u-boot.itb
> > u-boot.its:7.11-15.5: Warning (unit_address_vs_reg): /images/uboot@1:
> > node has a unit name, but no reg property
> > u-boot.its:16.9-21.5: Warning (unit_address_vs_reg): /images/fdt@1:
> > node has a unit name, but no reg property
> > u-boot.its:22.9-31.5: Warning (unit_address_vs_reg): /images/atf@1:
> > node has a unit name, but no reg property
> > u-boot.its:36.12-41.5: Warning (unit_address_vs_reg):
> > /configurations/config@1: node has a unit name, but no reg property
> > ./tools/mkimage: verify_header failed for FIT Image support with exit code 1
> > make: *** [Makefile:1440: u-boot.itb] Error 1
> > make: *** Deleting file 'u-boot.itb'
> > make: *** Waiting for unfinished jobs....
> >
> > --- 8< ---
> >
> > Does I miss here something?
>
>
> Are you sure it's this patch? I don't see how this change affects this
> issue, but I did notice invalid FIT node names [1] in your build.

Indeed, when fixing the FIT nodes the build issue is gone.

> Alex
>
> [1]
> https://source.denx.de/u-boot/u-boot/-/commit/3f04db891a353f4b127ed57279279f851c6b4917

Thank you
diff mbox series

Patch

diff --git a/tools/Kconfig b/tools/Kconfig
index b2f5012240..d6f82cd949 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -9,4 +9,15 @@  config MKIMAGE_DTC_PATH
 	  some cases the system dtc may not support all required features
 	  and the path to a different version should be given here.
 
+config TOOLS_LIBCRYPTO
+	bool "Use OpenSSL's libcrypto library for host tools"
+	default y
+	help
+	  Cryptographic signature, verification, and encryption of images is
+	  provided by host tools using OpenSSL's libcrypto. Select 'n' here if
+	  you wish to build host tools without OpenSSL. mkimage will not have
+	  the ability to sign images.
+	  This selection does not affect target features, such as runtime FIT
+	  signature verification.
+
 endmenu
diff --git a/tools/Makefile b/tools/Makefile
index 722355e984..bae3f95c49 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -3,6 +3,25 @@ 
 # (C) Copyright 2000-2006
 # Wolfgang Denk, DENX Software Engineering, wd@denx.de.
 
+# A note on target vs host configuration:
+#
+# Host tools can be used across multiple targets, or different configurations
+# of the same target. Thus, host tools must be able to handle any combination
+# of target configurations. To prevent having different variations of the same
+# tool, the tool build options may not depend on target configuration.
+#
+# Some linux distributions package these utilities as u-boot-tools, and it
+# would be unmaintainable to have a different tool variation for each
+# arch or configuration.
+#
+# A couple of simple rules:
+#
+# 1) Do not use target CONFIG_* options to enable or disable features in host
+#    tools. Only use the configs from tools/Kconfig
+# 2) It's okay to use target configs to disable building specific tools.
+#    That's as long as the features of those tools aren't modified.
+#
+
 # Enable all the config-independent tools
 ifneq ($(HOST_TOOLS_ALL),)
 CONFIG_ARCH_KIRKWOOD = y
@@ -53,30 +72,30 @@  hostprogs-y += mkenvimage
 mkenvimage-objs := mkenvimage.o os_support.o lib/crc32.o
 
 hostprogs-y += dumpimage mkimage
-hostprogs-$(CONFIG_FIT_SIGNATURE) += fit_info fit_check_sign
+hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fit_info fit_check_sign
 
 hostprogs-$(CONFIG_CMD_BOOTEFI_SELFTEST) += file2include
 
-FIT_OBJS-$(CONFIG_FIT) := fit_common.o fit_image.o image-host.o common/image-fit.o
-FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := image-sig-host.o common/image-fit-sig.o
-FIT_CIPHER_OBJS-$(CONFIG_FIT_CIPHER) := common/image-cipher.o
+FIT_OBJS-y := fit_common.o fit_image.o image-host.o common/image-fit.o
+FIT_SIG_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := image-sig-host.o common/image-fit-sig.o
+FIT_CIPHER_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := common/image-cipher.o
 
 # The following files are synced with upstream DTC.
 # Use synced versions from scripts/dtc/libfdt/.
 LIBFDT_OBJS := $(addprefix libfdt/, fdt.o fdt_ro.o fdt_wip.o fdt_sw.o fdt_rw.o \
 		fdt_strerror.o fdt_empty_tree.o fdt_addresses.o fdt_overlay.o)
 
-RSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/rsa/, \
+RSA_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/rsa/, \
 					rsa-sign.o rsa-verify.o \
 					rsa-mod-exp.o)
 
-ECDSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/ecdsa/, ecdsa-libcrypto.o)
+ECDSA_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/ecdsa/, ecdsa-libcrypto.o)
 
-AES_OBJS-$(CONFIG_FIT_CIPHER) := $(addprefix lib/aes/, \
+AES_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/aes/, \
 					aes-encrypt.o aes-decrypt.o)
 
 # Cryptographic helpers that depend on openssl/libcrypto
-LIBCRYPTO_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/, \
+LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/, \
 					fdt-libcrypto.o)
 
 ROCKCHIP_OBS = lib/rc4.o rkcommon.o rkimage.o rksd.o rkspi.o
@@ -136,22 +155,17 @@  fit_info-objs   := $(dumpimage-mkimage-objs) fit_info.o
 fit_check_sign-objs   := $(dumpimage-mkimage-objs) fit_check_sign.o
 file2include-objs := file2include.o
 
-ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_FIT_SIGNATURE),)
+ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),)
 # Add CONFIG_MXS into host CFLAGS, so we can check whether or not register
 # the mxsimage support within tools/mxsimage.c .
 HOSTCFLAGS_mxsimage.o += -DCONFIG_MXS
 endif
 
-ifdef CONFIG_FIT_SIGNATURE
+ifdef CONFIG_TOOLS_LIBCRYPTO
 # This affects include/image.h, but including the board config file
 # is tricky, so manually define this options here.
 HOST_EXTRACFLAGS	+= -DCONFIG_FIT_SIGNATURE
-HOST_EXTRACFLAGS	+= -DCONFIG_FIT_SIGNATURE_MAX_SIZE=$(CONFIG_FIT_SIGNATURE_MAX_SIZE)
-endif
-
-ifdef CONFIG_FIT_CIPHER
-# This affects include/image.h, but including the board config file
-# is tricky, so manually define this options here.
+HOST_EXTRACFLAGS	+= -DCONFIG_FIT_SIGNATURE_MAX_SIZE=0xffffffff
 HOST_EXTRACFLAGS	+= -DCONFIG_FIT_CIPHER
 endif
 
@@ -164,7 +178,7 @@  HOSTCFLAGS_kwbimage.o += -DCONFIG_KWB_SECURE
 endif
 
 # MXSImage needs LibSSL
-ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_FIT_SIGNATURE)$(CONFIG_FIT_CIPHER),)
+ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_TOOLS_LIBCRYPTO),)
 HOSTCFLAGS_kwbimage.o += \
 	$(shell pkg-config --cflags libssl libcrypto 2> /dev/null || echo "")
 HOSTLDLIBS_mkimage += \