Re: [Buildroot] [PATCH v2] package/uboot-tools: Bump to version 2025.10

From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Fiona Klute <fiona.klute@gmx.de>
Cc: Kory Maincent <kory.maincent@bootlin.com>,
	buildroot@buildroot.org, Julien Olivain <ju.o@free.fr>
Subject: Re: [Buildroot] [PATCH v2] package/uboot-tools: Bump to version 2025.10
Date: Mon, 3 Nov 2025 23:53:56 +0100	[thread overview]
Message-ID: <20251103235356.0b00bb4b@windsurf> (raw)
In-Reply-To: <03c04d13-43b7-45da-a5c5-e8754f861e30@gmx.de>

Hello,

On Mon, 3 Nov 2025 23:46:36 +0100
Fiona Klute <fiona.klute@gmx.de> wrote:

> You might rightly ask why I'm using both, but a) some examples in the 
> U-Boot documentation do [2], and b) that's how I noticed the issue in 
> the previous patch, so I kept it to notice similar issues. Point is, 
> some people might want to use other hash algorithms.
> 
> Enabling CONFIG_TOOLS_CRC32 in autoconf.h the same way as 
> CONFIG_TOOLS_SHA256 works, but U-Boot supports a few more hash 
> algorithms that some people might want to use. Unless I missed 
> something, the full list should be:
> 
> CONFIG_TOOLS_CRC16
> CONFIG_TOOLS_CRC32
> CONFIG_TOOLS_MD5
> CONFIG_TOOLS_SHA1
> CONFIG_TOOLS_SHA256
> CONFIG_TOOLS_SHA384
> CONFIG_TOOLS_SHA512
> 
> Question is: What's the best way to fix this?

If it's host-uboot-tools, just enabling support for everything.

> I can send a simple patch that adds all the (currently available) hash 
> algorithms to autoconf.h. But that feels kind of messy, plus there's the 
> question what else may be broken (just unnoticed so far).
> 
> I see in the commit log that many years ago uboot-tools used KConfig and 
> that was then ripped out in 2015 due to licensing concerns I don't quite 
> understand (commit daf2c705a7252b662afe0100bfe1a3ebf75c1c2f, the 
> licensing concern is stated without explanation in 
> package/uboot-tools/0002-tools-only-in-no-dot-config-targets.patch). 

The licensing concern *may* be out of date.

For some background, read
https://en.wikipedia.org/wiki/OpenSSL#Licensing. Basically, the OpenSSL
1.x license is incompatible with the GPL license, so you can't link
GPLv2 code (U-Boot code) with OpenSSL 1.x. However, the license of
OpenSSL was changed, and as of OpenSSL 3.x, it's released under Apache
2.0, which is compatible with the GPL. Since we're now using OpenSSL
3.x in Buildroot, I believe this licensing concern is moot.

> Interestingly the commit message for 
> 2ebf652589491ac2f8f3825afa5f75156c88b0a0 (2022) states it'd be better to 
> switch (back) to KConfig. Unless someone can explain the license 
> concern, I'm inclined to agree (but also with the statement it'd be a 
> major change).
> 
> We could also add settings in Buildroot config, but that seems like it'd 
> combine the worst of the other two options.

To me it doesn't make sense to add an option for each and every hash.
What should be made optional is the OpenSSL dependency. So for me it's
OK to have uboot-tools built by default without FIT signature support
(doesn't require OpenSSL), and an option to enable FIT signature
support (which needs OpenSSL, and that should enable every possible
hash supported by U-Boot).

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot