Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/bootloaders.scm | 66 | ||||
-rw-r--r-- | gnu/packages/patches/u-boot-build-without-libcrypto.patch | 123 |
2 files changed, 32 insertions, 157 deletions
diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index e6d83d5329..0de5055e9c 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -54,6 +54,7 @@
 #:use-module (gnu packages gcc)
 #:use-module (gnu packages gettext)
 #:use-module (gnu packages guile)
+ #:use-module (gnu packages efi)
 #:use-module (gnu packages linux)
 #:use-module (gnu packages llvm)
 #:use-module (gnu packages man)
@@ -755,26 +756,22 @@ tree binary files. These are board description files used by Linux and BSD.")
 ;; https://lists.denx.de/pipermail/u-boot/2021-October/462728.html (search-patch "u-boot-allow-disabling-openssl.patch"))
-(define %u-boot-build-without-libcrypto-patch
- ;; Upstream commit to fix Amlogic builds in u-boot 2024.01.
- (search-patch "u-boot-build-without-libcrypto.patch"))
-
 (define u-boot (package (name "u-boot")
- (version "2024.01")
+ (version "2024.10")
 (source (origin (patches (list %u-boot-rockchip-inno-usb-patch
- %u-boot-build-without-libcrypto-patch
 %u-boot-allow-disabling-openssl-patch))
- (method url-fetch)
- (uri (string-append
- "https://ftp.denx.de/pub/u-boot/"
- "u-boot-" version ".tar.bz2"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://source.denx.de/u-boot/u-boot.git")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
 (sha256 (base32
- "1czmpszalc6b8cj9j7q6cxcy19lnijv3916w3dag6yr3xpqi35mr"))))
+ "0yrhb0izihv47p781dc4cp0znc5g225ayl7anz23c6jdrmfbpz2h"))))
 (build-system gnu-build-system) (native-inputs (list bison
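Review bot: The origin in the hunk at -755 now fetches by tag, `(commit (string-append "v" version))`, and nothing at that spot says why the release tarball was dropped. The `sha256` still pins the fetched tree, so a moved tag would fail the build rather than change the content, but any signature published alongside the tarball is no longer part of the update path. A short comment above `(method git-fetch)`, e.g. `;; Fetched from Git because <reason the tarball is not used>.`, would tell the next updater what to verify before refreshing the hash. The `u-boot` package definition continues past the end of this hunk.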
@@ -873,9 +870,11 @@ Info manual.")))
 (("\\./tools/patman/patman") (which "true")) ;; FIXME: test fails, needs further investiation (("run_test \"binman\"") "# run_test \"binman\"")
- ;; FIXME: test_spl fails, needs further investiation
- (("test_ofplatdata or test_handoff or test_spl")
- "test_ofplatdata or test_handoff")
+ ;; FIXME: tests fail without kwbimage, i.e. openssl.
+ (("run_test \"sandbox_noinst\"")
+ "# run_test \"sandbox_noinst\"")
+ (("run_test \"sandbox_vpl\"")
+ "# run_test \"sandbox_vpl\"")
 ;; FIXME: code coverage not working (("run_test \"binman code coverage\"") "# run_test \"binman code coverage\"")
@@ -898,14 +897,16 @@ def test_ctrl_c"))
 (("CONFIG_FIT_SIGNATURE=y") "CONFIG_FIT_SIGNATURE=n CONFIG_UT_LIB_ASN1=n
-CONFIG_TOOLS_LIBCRYPTO=n")
+CONFIG_TOOLS_LIBCRYPTO=n
+CONFIG_TOOLS_KWBIMAGE=n")
 ;; Catch instances of implied CONFIG_FIG_SIGNATURE ;; with VPL targets (("CONFIG_SANDBOX_VPL=y") "CONFIG_SANDBOX_VPL=y CONFIG_FIT_SIGNATURE=n CONFIG_VPL_FIT_SIGNATURE=n
-CONFIG_TOOLS_LIBCRYPTO=n")
+CONFIG_TOOLS_LIBCRYPTO=n
+CONFIG_TOOLS_KWBIMAGE=n")
 ;; This test requires a sound system, which is un-used ;; in u-boot-tools. (("CONFIG_SOUND=y") "CONFIG_SOUND=n")))
@@ -971,6 +972,13 @@ CONFIG_TOOLS_LIBCRYPTO=n")
 (add-after 'unpack 'chdir (lambda _ (chdir "tools/u_boot_pylib")))
+ (add-after 'chdir 'list-package
+ (lambda _
+ (let ((port (open-file "pyproject.toml" "a")))
+ (display "[tool.setuptools.packages.find]\n" port)
+ (display "where = [\"..\"]\n" port)
+ (display "include = [\"u_boot_pylib*\"]" port)
+ (close-port port))))
 (replace 'check (lambda* (#:key tests? #:allow-other-keys) (when tests?
@@ -1117,7 +1125,8 @@ U-Boot must be used."
 (lambda _ (substitute* ".config" (("CONFIG_TOOLS_LIBCRYPTO=.*$")
- "CONFIG_TOOLS_LIBCRYPTO=n"))))
+ "CONFIG_TOOLS_LIBCRYPTO=n
+CONFIG_TOOLS_KWBIMAGE=n"))))
 (replace 'install (lambda _ (let ((libexec (string-append #$output "/libexec"))
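Review bot: The two substitutions added in the hunk at -873 comment out the `run_test "sandbox_noinst"` and `run_test "sandbox_vpl"` invocations entirely, whereas the lines they replace only narrowed one pytest expression to drop `test_spl`, so the coverage given up looks wider than the FIXME suggests. The comment `;; FIXME: tests fail without kwbimage, i.e. openssl.` should name the failing tests or point to an upstream report so the exclusion can be narrowed again later. The enclosing substitution form starts and ends outside this hunk.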
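Review bot: The first `display` in the new `list-package` phase (hunk at -971) writes the table header with no leading newline, so if `pyproject.toml` does not end in a newline the header is glued to the file's last line and the TOML no longer parses. Starting with `(display "\n[tool.setuptools.packages.find]\n" port)` and ending the final string with `\n` removes the dependence on how upstream terminates the file, whose content is not visible here. The phase list this form is added to starts outside the hunk.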
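Review bot: In the hunk at -1117, `CONFIG_TOOLS_KWBIMAGE=n` is emitted only as a side effect of the `CONFIG_TOOLS_LIBCRYPTO=.*$` match, so a `.config` that already carries its own `CONFIG_TOOLS_KWBIMAGE=` line, or has no `CONFIG_TOOLS_LIBCRYPTO=` line, is not handled; the two defconfig substitutions in the hunk at -898 piggyback in the same way. Since the comments on this page tie these options to keeping OpenSSL out of the build, a dedicated clause such as `(("CONFIG_TOOLS_KWBIMAGE=.*$") "CONFIG_TOOLS_KWBIMAGE=n")` and a post-build check that the installed tools carry no libcrypto reference would make that property verifiable. It is also worth confirming that the replacement needs no trailing newline, given that the pattern ends in `.*$` and the new text does not end in one. The phase this `lambda` belongs to starts outside the hunk.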
@@ -1325,21 +1334,10 @@ partition."))
 (define-public u-boot-sandbox (let ((base (make-u-boot-package "sandbox" #f ;build for the native system
- ;; Disable CONFIG_TOOLS_LIBCRYPTO, CONFIG_FIT_SIGNATURE and
- ;; CONFIG_FIT_CIPHER and their selectors as these features
- ;; require OpenSSL, which is incompatible with the GPLv2-only
- ;; parts of U-boot. The options below replicate the changes
- ;; that disabling the above features in 'make menuconfig' then
- ;; refreshing the defconfig with 'make savedefconfig' would do.
- #:configs (list "# CONFIG_FIT_RSASSA_PSS is not set"
- "# CONFIG_FIT_CIPHER is not set"
- "# CONFIG_LEGACY_IMAGE_FORMAT is not set"
- "# CONFIG_IMAGE_PRE_LOAD is not set"
- "# CONFIG_IMAGE_PRE_LOAD_SIG is not set"
- "# CONFIG_CMD_BOOTM_PRE_LOAD is not set"
- "CONFIG_RSA=y"
- "# CONFIG_EFI_SECURE_BOOT is not set"
- "# CONFIG_TOOLS_LIBCRYPTO is not set")
+ ;; These disabled features require OpenSSL, which is
+ ;; incompatible with the GPLv2-only parts of U-boot.
+ #:configs (map (cut string-append "# CONFIG_" <> " is not set")
+ '("FIT_CIPHER"))
 #:append-description "The sandbox configuration of U-Boot provides a @command{u-boot} command that runs as a normal user space application. It can
@@ -1359,8 +1357,9 @@ Documentation} for more information (for example by running @samp{info
 (mkdir (string-append #$output "/bin")) (symlink (search-input-file outputs "libexec/u-boot") (string-append #$output "/bin/u-boot"))))))))
+ ;; cert-to-efi-sig-list from efitools creates the EFI capsule ESL.
 (inputs (modify-inputs (package-inputs base)
- (append sdl2))))))
+ (append efitools sdl2))))))
 (define-public u-boot-sifive-unleashed (let ((base (make-u-boot-package "sifive_unleashed" "riscv64-linux-gnu")))
@@ -1460,7 +1459,6 @@ Documentation} for more information (for example by running @samp{info
 "CONFIG_SATA_SIL=y" "CONFIG_SCSI=y" "CONFIG_SCSI_AHCI=y"
- "CONFIG_DM_SCSI=y"
 ;; Disable SPL FIT signatures, ;; due to GPLv2 and Openssl ;; license incompatibilities
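Review bot: The `#:configs` list in the hunk at -1325 shrinks from nine entries to the single `FIT_CIPHER`, dropping `# CONFIG_TOOLS_LIBCRYPTO is not set`, `# CONFIG_EFI_SECURE_BOOT is not set` and the pre-load signature options, yet the new comment still says only that the disabled features require OpenSSL. It should state where the other OpenSSL-dependent options are now turned off, or why they no longer need to be, e.g. `;; TOOLS_LIBCRYPTO and the signature options are handled in <where>.`, so the licence constraint stays auditable from this spot. `cut` also needs `(srfi srfi-26)` among the module's imports, which the visible hunks neither show nor add. The `u-boot-sandbox` definition continues outside the hunk.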
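Review bot: In the hunk at -1359, `efitools` is appended to `inputs`, while the added comment describes `cert-to-efi-sig-list` as a tool that creates the capsule ESL, which reads as build-time use. If it is only invoked during the build, the conventional place is `native-inputs`, e.g. `(native-inputs (modify-inputs (package-native-inputs base) (append efitools)))`, so that it is resolved for the build machine. The comment could also say which certificate the ESL is generated from, since that determines what the resulting sandbox binary will accept and is not visible in this hunk.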
diff --git a/gnu/packages/patches/u-boot-build-without-libcrypto.patch b/gnu/packages/patches/u-boot-build-without-libcrypto.patch
deleted file mode 100644
index d56588941c..0000000000
--- a/gnu/packages/patches/u-boot-build-without-libcrypto.patch
+++ /dev/null
@@ -1,123 +0,0 @@ -From 03e598263e3878b6f5d58f5525577903edadc644 Mon Sep 17 00:00:00 2001 -From: Paul-Erwan Rio <paulerwan.rio@gmail.com> -Date: Thu, 21 Dec 2023 08:26:11 +0100 -Subject: [PATCH] tools: fix build without LIBCRYPTO support - -Commit cb9faa6f98ae ("tools: Use a single target-independent config to -enable OpenSSL") introduced a target-independent configuration to build -crypto features in host tools. - -But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in -host tools and SPL") the build without OpenSSL is broken, due to FIT -signature/encryption features. Add missing conditional compilation -tokens to fix this. - -Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com> -Tested-by: Alexander Dahl <ada@thorsis.com> -Cc: Simon Glass <sjg@chromium.org> -Reviewed-by: Tom Rini <trini@konsulko.com> -Reviewed-by: Simon Glass <sjg@chromium.org> ---- - include/image.h | 2 +- - tools/Kconfig | 1 + - tools/fit_image.c | 2 +- - tools/image-host.c | 4 ++++ - tools/mkimage.c | 5 +++-- - 5 files changed, 10 insertions(+), 4 deletions(-) - -diff --git a/include/image.h b/include/image.h -index 432ec927b1..21de70f0c9 100644 ---- a/include/image.h -+++ b/include/image.h -@@ -1465,7 +1465,7 @@ int calculate_hash(const void *data, int data_len, const char *algo, - * device - */ - #if defined(USE_HOSTCC) --# if defined(CONFIG_FIT_SIGNATURE) -+# if CONFIG_IS_ENABLED(FIT_SIGNATURE) - # define IMAGE_ENABLE_SIGN 1 - # define FIT_IMAGE_ENABLE_VERIFY 1 - # include <openssl/evp.h> -diff --git a/tools/Kconfig b/tools/Kconfig -index f8632cd59d..f01ed783e6 100644 ---- a/tools/Kconfig -+++ b/tools/Kconfig -@@ -51,6 +51,7 @@ config TOOLS_FIT_RSASSA_PSS - Support the rsassa-pss signature scheme in the tools builds - - config TOOLS_FIT_SIGNATURE -+ depends on TOOLS_LIBCRYPTO - def_bool y - help - Enable signature verification of FIT uImages in the tools builds -diff --git a/tools/fit_image.c b/tools/fit_image.c -index 71e031c855..beef1fa86e 100644 ---- 
a/tools/fit_image.c -+++ b/tools/fit_image.c -@@ -61,7 +61,7 @@ static int fit_add_file_data(struct image_tool_params *params, size_t size_inc, - ret = fit_set_timestamp(ptr, 0, time); - } - -- if (!ret) -+ if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && !ret) - ret = fit_pre_load_data(params->keydir, dest_blob, ptr); - - if (!ret) { -diff --git a/tools/image-host.c b/tools/image-host.c -index ca4950312f..90bc9f905f 100644 ---- a/tools/image-host.c -+++ b/tools/image-host.c -@@ -14,8 +14,10 @@ - #include <image.h> - #include <version.h> - -+#if CONFIG_IS_ENABLED(FIT_SIGNATURE) - #include <openssl/pem.h> - #include <openssl/evp.h> -+#endif - - /** - * fit_set_hash_value - set hash value in requested has node -@@ -1131,6 +1133,7 @@ static int fit_config_add_verification_data(const char *keydir, - return 0; - } - -+#if CONFIG_IS_ENABLED(FIT_SIGNATURE) - /* - * 0) open file (open) - * 1) read certificate (PEM_read_X509) -@@ -1239,6 +1242,7 @@ int fit_pre_load_data(const char *keydir, void *keydest, void *fit) - out: - return ret; - } -+#endif - - int fit_cipher_data(const char *keydir, void *keydest, void *fit, - const char *comment, int require_keys, -diff --git a/tools/mkimage.c b/tools/mkimage.c -index 6dfe3e1d42..ac62ebbde9 100644 ---- a/tools/mkimage.c -+++ b/tools/mkimage.c -@@ -115,7 +115,7 @@ static void usage(const char *msg) - " -B => align size in hex for FIT structure and header\n" - " -b => append the device tree binary to the FIT\n" - " -t => update the timestamp in the FIT\n"); --#ifdef CONFIG_FIT_SIGNATURE -+#if CONFIG_IS_ENABLED(FIT_SIGNATURE) - fprintf(stderr, - "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n" - " -k => set directory containing private keys\n" -@@ -130,8 +130,9 @@ static void usage(const char *msg) - " -o => algorithm to use for signing\n"); - #else - fprintf(stderr, -- "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n"); -+ "Signing / verified boot not supported 
(CONFIG_TOOLS_FIT_SIGNATURE undefined)\n"); - #endif -+ - fprintf(stderr, " %s -V ==> print version information and exit\n", - params.cmdname); - fprintf(stderr, "Use '-T list' to see a list of available image types\n"); --- -2.41.0 - |