M gnu/local.mk => gnu/local.mk +0 -1
@@ 2274,7 2274,6 @@ dist_patch_DATA = \
%D%/packages/patches/tuxpaint-stamps-path.patch \
%D%/packages/patches/twinkle-bcg729.patch \
%D%/packages/patches/u-boot-allow-disabling-openssl.patch \
- %D%/packages/patches/u-boot-build-without-libcrypto.patch \
%D%/packages/patches/u-boot-nintendo-nes-serial.patch \
%D%/packages/patches/u-boot-rockchip-inno-usb.patch \
%D%/packages/patches/ucx-tcp-iface-ioctl.patch \
M gnu/packages/bootloaders.scm => gnu/packages/bootloaders.scm +32 -34
@@ 54,6 54,7 @@
#:use-module (gnu packages gcc)
#:use-module (gnu packages gettext)
#:use-module (gnu packages guile)
+ #:use-module (gnu packages efi)
#:use-module (gnu packages linux)
#:use-module (gnu packages llvm)
#:use-module (gnu packages man)
@@ 755,26 756,22 @@ tree binary files. These are board description files used by Linux and BSD.")
;; https://lists.denx.de/pipermail/u-boot/2021-October/462728.html
(search-patch "u-boot-allow-disabling-openssl.patch"))
-(define %u-boot-build-without-libcrypto-patch
- ;; Upstream commit to fix Amlogic builds in u-boot 2024.01.
- (search-patch "u-boot-build-without-libcrypto.patch"))
-
(define u-boot
(package
(name "u-boot")
- (version "2024.01")
+ (version "2024.10")
(source (origin
(patches
(list %u-boot-rockchip-inno-usb-patch
- %u-boot-build-without-libcrypto-patch
%u-boot-allow-disabling-openssl-patch))
- (method url-fetch)
- (uri (string-append
- "https://ftp.denx.de/pub/u-boot/"
- "u-boot-" version ".tar.bz2"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://source.denx.de/u-boot/u-boot.git")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
(sha256
(base32
- "1czmpszalc6b8cj9j7q6cxcy19lnijv3916w3dag6yr3xpqi35mr"))))
+ "0yrhb0izihv47p781dc4cp0znc5g225ayl7anz23c6jdrmfbpz2h"))))
(build-system gnu-build-system)
(native-inputs
(list bison
@@ 873,9 870,11 @@ Info manual.")))
(("\\./tools/patman/patman") (which "true"))
;; FIXME: test fails, needs further investiation
(("run_test \"binman\"") "# run_test \"binman\"")
- ;; FIXME: test_spl fails, needs further investiation
- (("test_ofplatdata or test_handoff or test_spl")
- "test_ofplatdata or test_handoff")
+ ;; FIXME: tests fail without kwbimage, i.e. openssl.
+ (("run_test \"sandbox_noinst\"")
+ "# run_test \"sandbox_noinst\"")
+ (("run_test \"sandbox_vpl\"")
+ "# run_test \"sandbox_vpl\"")
;; FIXME: code coverage not working
(("run_test \"binman code coverage\"")
"# run_test \"binman code coverage\"")
@@ 898,14 897,16 @@ def test_ctrl_c"))
(("CONFIG_FIT_SIGNATURE=y")
"CONFIG_FIT_SIGNATURE=n
CONFIG_UT_LIB_ASN1=n
-CONFIG_TOOLS_LIBCRYPTO=n")
+CONFIG_TOOLS_LIBCRYPTO=n
+CONFIG_TOOLS_KWBIMAGE=n")
;; Catch instances of implied CONFIG_FIG_SIGNATURE
;; with VPL targets
(("CONFIG_SANDBOX_VPL=y")
"CONFIG_SANDBOX_VPL=y
CONFIG_FIT_SIGNATURE=n
CONFIG_VPL_FIT_SIGNATURE=n
-CONFIG_TOOLS_LIBCRYPTO=n")
+CONFIG_TOOLS_LIBCRYPTO=n
+CONFIG_TOOLS_KWBIMAGE=n")
;; This test requires a sound system, which is un-used
;; in u-boot-tools.
(("CONFIG_SOUND=y") "CONFIG_SOUND=n")))
@@ 971,6 972,13 @@ CONFIG_TOOLS_LIBCRYPTO=n")
(add-after 'unpack 'chdir
(lambda _
(chdir "tools/u_boot_pylib")))
+ (add-after 'chdir 'list-package
+ (lambda _
+ (let ((port (open-file "pyproject.toml" "a")))
+ (display "[tool.setuptools.packages.find]\n" port)
+ (display "where = [\"..\"]\n" port)
+ (display "include = [\"u_boot_pylib*\"]" port)
+ (close-port port))))
(replace 'check
(lambda* (#:key tests? #:allow-other-keys)
(when tests?
@@ 1117,7 1125,8 @@ U-Boot must be used."
(lambda _
(substitute* ".config"
(("CONFIG_TOOLS_LIBCRYPTO=.*$")
- "CONFIG_TOOLS_LIBCRYPTO=n"))))
+ "CONFIG_TOOLS_LIBCRYPTO=n
+CONFIG_TOOLS_KWBIMAGE=n"))))
(replace 'install
(lambda _
(let ((libexec (string-append #$output "/libexec"))
@@ 1325,21 1334,10 @@ partition."))
(define-public u-boot-sandbox
(let ((base (make-u-boot-package
"sandbox" #f ;build for the native system
- ;; Disable CONFIG_TOOLS_LIBCRYPTO, CONFIG_FIT_SIGNATURE and
- ;; CONFIG_FIT_CIPHER and their selectors as these features
- ;; require OpenSSL, which is incompatible with the GPLv2-only
- ;; parts of U-boot. The options below replicate the changes
- ;; that disabling the above features in 'make menuconfig' then
- ;; refreshing the defconfig with 'make savedefconfig' would do.
- #:configs (list "# CONFIG_FIT_RSASSA_PSS is not set"
- "# CONFIG_FIT_CIPHER is not set"
- "# CONFIG_LEGACY_IMAGE_FORMAT is not set"
- "# CONFIG_IMAGE_PRE_LOAD is not set"
- "# CONFIG_IMAGE_PRE_LOAD_SIG is not set"
- "# CONFIG_CMD_BOOTM_PRE_LOAD is not set"
- "CONFIG_RSA=y"
- "# CONFIG_EFI_SECURE_BOOT is not set"
- "# CONFIG_TOOLS_LIBCRYPTO is not set")
+ ;; These disabled features require OpenSSL, which is
+ ;; incompatible with the GPLv2-only parts of U-boot.
+ #:configs (map (cut string-append "# CONFIG_" <> " is not set")
+ '("FIT_CIPHER"))
#:append-description
"The sandbox configuration of U-Boot provides a
@command{u-boot} command that runs as a normal user space application. It can
@@ 1359,8 1357,9 @@ Documentation} for more information (for example by running @samp{info
(mkdir (string-append #$output "/bin"))
(symlink (search-input-file outputs "libexec/u-boot")
(string-append #$output "/bin/u-boot"))))))))
+ ;; cert-to-efi-sig-list from efitools creates the EFI capsule ESL.
(inputs (modify-inputs (package-inputs base)
- (append sdl2))))))
+ (append efitools sdl2))))))
(define-public u-boot-sifive-unleashed
(let ((base (make-u-boot-package "sifive_unleashed" "riscv64-linux-gnu")))
@@ 1460,7 1459,6 @@ Documentation} for more information (for example by running @samp{info
"CONFIG_SATA_SIL=y"
"CONFIG_SCSI=y"
"CONFIG_SCSI_AHCI=y"
- "CONFIG_DM_SCSI=y"
;; Disable SPL FIT signatures,
;; due to GPLv2 and Openssl
;; license incompatibilities
D gnu/packages/patches/u-boot-build-without-libcrypto.patch => gnu/packages/patches/u-boot-build-without-libcrypto.patch +0 -123
@@ 1,123 0,0 @@
-From 03e598263e3878b6f5d58f5525577903edadc644 Mon Sep 17 00:00:00 2001
-From: Paul-Erwan Rio <paulerwan.rio@gmail.com>
-Date: Thu, 21 Dec 2023 08:26:11 +0100
-Subject: [PATCH] tools: fix build without LIBCRYPTO support
-
-Commit cb9faa6f98ae ("tools: Use a single target-independent config to
-enable OpenSSL") introduced a target-independent configuration to build
-crypto features in host tools.
-
-But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in
-host tools and SPL") the build without OpenSSL is broken, due to FIT
-signature/encryption features. Add missing conditional compilation
-tokens to fix this.
-
-Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
-Tested-by: Alexander Dahl <ada@thorsis.com>
-Cc: Simon Glass <sjg@chromium.org>
-Reviewed-by: Tom Rini <trini@konsulko.com>
-Reviewed-by: Simon Glass <sjg@chromium.org>
----
- include/image.h | 2 +-
- tools/Kconfig | 1 +
- tools/fit_image.c | 2 +-
- tools/image-host.c | 4 ++++
- tools/mkimage.c | 5 +++--
- 5 files changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/include/image.h b/include/image.h
-index 432ec927b1..21de70f0c9 100644
---- a/include/image.h
-+++ b/include/image.h
-@@ -1465,7 +1465,7 @@ int calculate_hash(const void *data, int data_len, const char *algo,
- * device
- */
- #if defined(USE_HOSTCC)
--# if defined(CONFIG_FIT_SIGNATURE)
-+# if CONFIG_IS_ENABLED(FIT_SIGNATURE)
- # define IMAGE_ENABLE_SIGN 1
- # define FIT_IMAGE_ENABLE_VERIFY 1
- # include <openssl/evp.h>
-diff --git a/tools/Kconfig b/tools/Kconfig
-index f8632cd59d..f01ed783e6 100644
---- a/tools/Kconfig
-+++ b/tools/Kconfig
-@@ -51,6 +51,7 @@ config TOOLS_FIT_RSASSA_PSS
- Support the rsassa-pss signature scheme in the tools builds
-
- config TOOLS_FIT_SIGNATURE
-+ depends on TOOLS_LIBCRYPTO
- def_bool y
- help
- Enable signature verification of FIT uImages in the tools builds
-diff --git a/tools/fit_image.c b/tools/fit_image.c
-index 71e031c855..beef1fa86e 100644
---- a/tools/fit_image.c
-+++ b/tools/fit_image.c
-@@ -61,7 +61,7 @@ static int fit_add_file_data(struct image_tool_params *params, size_t size_inc,
- ret = fit_set_timestamp(ptr, 0, time);
- }
-
-- if (!ret)
-+ if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && !ret)
- ret = fit_pre_load_data(params->keydir, dest_blob, ptr);
-
- if (!ret) {
-diff --git a/tools/image-host.c b/tools/image-host.c
-index ca4950312f..90bc9f905f 100644
---- a/tools/image-host.c
-+++ b/tools/image-host.c
-@@ -14,8 +14,10 @@
- #include <image.h>
- #include <version.h>
-
-+#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
- #include <openssl/pem.h>
- #include <openssl/evp.h>
-+#endif
-
- /**
- * fit_set_hash_value - set hash value in requested has node
-@@ -1131,6 +1133,7 @@ static int fit_config_add_verification_data(const char *keydir,
- return 0;
- }
-
-+#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
- /*
- * 0) open file (open)
- * 1) read certificate (PEM_read_X509)
-@@ -1239,6 +1242,7 @@ int fit_pre_load_data(const char *keydir, void *keydest, void *fit)
- out:
- return ret;
- }
-+#endif
-
- int fit_cipher_data(const char *keydir, void *keydest, void *fit,
- const char *comment, int require_keys,
-diff --git a/tools/mkimage.c b/tools/mkimage.c
-index 6dfe3e1d42..ac62ebbde9 100644
---- a/tools/mkimage.c
-+++ b/tools/mkimage.c
-@@ -115,7 +115,7 @@ static void usage(const char *msg)
- " -B => align size in hex for FIT structure and header\n"
- " -b => append the device tree binary to the FIT\n"
- " -t => update the timestamp in the FIT\n");
--#ifdef CONFIG_FIT_SIGNATURE
-+#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
- fprintf(stderr,
- "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n"
- " -k => set directory containing private keys\n"
-@@ -130,8 +130,9 @@ static void usage(const char *msg)
- " -o => algorithm to use for signing\n");
- #else
- fprintf(stderr,
-- "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
-+ "Signing / verified boot not supported (CONFIG_TOOLS_FIT_SIGNATURE undefined)\n");
- #endif
-+
- fprintf(stderr, " %s -V ==> print version information and exit\n",
- params.cmdname);
- fprintf(stderr, "Use '-T list' to see a list of available image types\n");
---
-2.41.0
-