From: Alexander Dahl via ptxdist <ptxdist@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Alexander Dahl <ada@thorsis.com>
Subject: [ptxdist] [PATCH v1 1/2] u-boot-tools: Version bump 2020.07 -> 2025.04
Date: Tue, 13 May 2025 16:06:40 +0200 [thread overview]
Message-ID: <20250513140641.4075870-2-ada@thorsis.com> (raw)
In-Reply-To: <20250513140641.4075870-1-ada@thorsis.com>
Apart from bugfixes this is mostly interesting for mkimage ability to
image signing. Option -o for specifying the signing algorithm was added
with v2022.04. Signing 'auto' FITs was added with v2022.10, support for
signed configurations in 'auto' FIT was added in v2023.04, proper pkcs11
uri support was added with v2024.01 and fixed with v2024.04, and finally
ability to auto sign scripts in fit images came with v2024.10.
Note, without the fix to ptxd_make_fit_image we would get a lot of
warnings like this:
WARNING: Legacy URI specified. Please add 'pkcs11:'.
WARNING: Legacy URI specified. Please add 'pkcs11:'.
WARNING: Legacy URI specified. Please add 'pkcs11:'.
Noteworthy changes:
- v2021.10-rc1-59-g62b27a561c2 ("mkimage: use environment variable MKIMAGE_SIGN_PIN to set pin for OpenSSL Engine")
- v2021.10-730-g6b7b9ff14da ("configs: add mkeficapsule to tools-only_defconfig")
- v2022.01-705-g5902a397d02 ("mkimage: Allow to specify the signature algorithm on the command line")
- v2022.01-818-g2d2384bbaff ("tools: mkimage: Show where signatures/keys are written")
- v2022.04-rc1-326-g9af16cc8f1a ("tools: build mkeficapsule with tools-only_defconfig")
- v2022.04-rc3-43-g5017f9b595d ("mkimage: error handling for FIT image")
- v2022.07-rc1-294-gdeb2638aa09 ("mkimage: Document misc options")
- v2022.07-rc4-74-g87b0af9317c ("mkimage: Support signing 'auto' FITs")
- v2023.01-892-gb93a65209c4 ("mkimage: fit: Support signed configurations in 'auto' FITs")
- v2024.01-rc5-560-gece85cc0202 ("rsa: use pkcs11 uri as defined in rfc7512")
- v2024.01-806-g03e598263e3 ("tools: fix build without LIBCRYPTO support")
- v2024.01-958-g11ad2bbfa2d ("lib: rsa: Fix PKCS11 URI if one is not given in `keydir`)
- v2024.01-959-gf055d6e8f0d ("lib: rsa: Allow legacy URI specification without "pkcs11:"")
- v2024.07-677-g6074f6e8578 ("mkimage: Allow 'auto-conf' signing of scripts")
(zlib license text had one duplicate empty line remove with 2024.10.)
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
rules/host-u-boot-tools.in | 1 +
rules/u-boot-tools.make | 6 +++---
scripts/lib/ptxd_make_fit_image.sh | 7 -------
3 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/rules/host-u-boot-tools.in b/rules/host-u-boot-tools.in
index 55fc9f56e..0cf37ed66 100644
--- a/rules/host-u-boot-tools.in
+++ b/rules/host-u-boot-tools.in
@@ -2,5 +2,6 @@
config HOST_U_BOOT_TOOLS
tristate
+ select HOST_GNUTLS
select HOST_OPENSSL
default y if ALLYES
diff --git a/rules/u-boot-tools.make b/rules/u-boot-tools.make
index 597ea5e30..f71219d88 100644
--- a/rules/u-boot-tools.make
+++ b/rules/u-boot-tools.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_U_BOOT_TOOLS) += u-boot-tools
#
# Paths and names
#
-U_BOOT_TOOLS_VERSION := 2020.07
-U_BOOT_TOOLS_MD5 := 86e51eeccd15e658ad1df943a0edf622
+U_BOOT_TOOLS_VERSION := 2025.04
+U_BOOT_TOOLS_MD5 := da2cd684d4aa6195015fecd3efb1d0f0
U_BOOT_TOOLS := u-boot-$(U_BOOT_TOOLS_VERSION)
U_BOOT_TOOLS_SUFFIX := tar.bz2
U_BOOT_TOOLS_URL := https://ftp.denx.de/pub/u-boot/$(U_BOOT_TOOLS).$(U_BOOT_TOOLS_SUFFIX)
@@ -25,7 +25,7 @@ U_BOOT_TOOLS_PKGDIR := $(PKGDIR)/u-boot-tools-$(U_BOOT_TOOLS_VERSION)
U_BOOT_TOOLS_LICENSE := GPL-2.0-or-later AND Zlib
U_BOOT_TOOLS_LICENSE_FILES := \
file://Licenses/gpl-2.0.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
- file://include/u-boot/zlib.h;startline=15;endline=43;md5=7c27ae0384929249664da410d539a1dc
+ file://include/u-boot/zlib.h;startline=15;endline=42;md5=0ce30a522a630f7e637ea6d74422b320
# ----------------------------------------------------------------------------
# Prepare
diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh
index 4b99e6fbf..ad9e5bdd3 100644
--- a/scripts/lib/ptxd_make_fit_image.sh
+++ b/scripts/lib/ptxd_make_fit_image.sh
@@ -126,13 +126,6 @@ ptxd_make_image_fit() {
if [ -n "${image_sign_role}" ]; then
pkcs11_uri=$(cs_get_uri "${image_sign_role}")
-
- #
- # It would have been too simple for mkimage to just take a
- # PKCS#11 URI. We must drop the "pkcs11:" prefix which U-Boot
- # then adds again.
- #
- pkcs11_uri=$(echo "${pkcs11_uri}" | sed "s/pkcs11://")
sign_args=( -k "${pkcs11_uri}" )
fi
--
2.39.5
next prev parent reply other threads:[~2025-05-13 14:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-13 14:06 [ptxdist] [PATCH v1 0/2] u-boot: Add verified boot support Alexander Dahl via ptxdist
2025-05-13 14:06 ` Alexander Dahl via ptxdist [this message]
2025-05-13 14:06 ` [ptxdist] [PATCH v1 2/2] u-boot: Add option to load signed kernel FIT images Alexander Dahl via ptxdist
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250513140641.4075870-2-ada@thorsis.com \
--to=ptxdist@pengutronix.de \
--cc=ada@thorsis.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox