Re: [Buildroot] [PATCH] boot/arm-trusted-firmware: add patch to fix fiptool link

From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: "Vincent Stehlé" <vincent.stehle@arm.com>
Cc: Sergey Matyukevich <geomatsi@gmail.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] boot/arm-trusted-firmware: add patch to fix fiptool link
Date: Thu, 20 Jul 2023 23:28:27 +0200	[thread overview]
Message-ID: <20230720232827.09c3094d@windsurf> (raw)
In-Reply-To: <20230719125309.723762-1-vincent.stehle@arm.com>

Hello Vincent,

On Wed, 19 Jul 2023 14:53:09 +0200
Vincent Stehlé <vincent.stehle@arm.com> wrote:

> When building a fip firmware (BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y), the
> TF-A build recipe starts by building the host program fiptool with the
> proper build environment variables. Then the main TF-A target firmware
> build step takes place, with the expectation that the fiptool program will
> be used under the hood if necessary.
> 
> In TF-A, the build recipe for the host program fiptool has subtly changed
> after v2.7, in commit cf2dd17ddda2 ("refactor(security): add OpenSSL 1.x
> compatibility"). This change has the effect to force re-linking fiptool
> each time.
> 
> If we try to build with Buildroot a fip firmware with a TF-A version after
> v2.7 comprising the aforementioned change, the fiptool program is forcibly
> re-linked during the main firmware build step. This happens without the
> proper build environment variables and consequently, if openssl is not
> installed on the host, the libcrypto shared library will not be found by
> the linker and the link will fail with the following error:
> 
>   /usr/bin/ld: cannot find -lcrypto: No such file or directory
> 
> A patch has been integrated into TF-A to avoid re-linking fiptool when not
> necessary, which should solve the problem starting with version v2.10. Add
> that patch in Buildroot for versions v2.8 and v2.9, to repair the build in
> the cases described above.
> 
> Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
> Cc: Dick Olsson <hi@senzilla.io>
> Cc: Sergey Matyukevich <geomatsi@gmail.com>
> ---
> 
> 
> Hi,
> 
> This can be tested with e.g. tests.boot.test_edk2 in an environment with no
> openssl (libcrypto) installed.

Indeed, which means this commit can have:

Fixes:

  https://gitlab.com/buildroot.org/buildroot/-/jobs/4664845767

As usual, one concern is that your commit is fixing the issue for
people using v2.8 and v2.9 precisely, but anyone using a custom version
based on 2.8 or 2.9 will not benefit from this fix.

One option would be to pass the relevant environment variables also at
build time, so that when fiptool is relinked, it gets relinked
correctly. But it's quite annoying to keep this pretty much forever in
Buildroot. So perhaps your solution with a patch is the most
reasonable, and people affected by the issue will find the patch in
Buildroot and use it for their custom version as well.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot