Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH] boot/arm-trusted-firmware: fix the RPATH of fiptool
@ 2023-12-06 16:44 Louis Chauvet via buildroot
  2023-12-06 17:05 ` Baruch Siach via buildroot
  2023-12-24 15:22 ` Köry Maincent via buildroot
  0 siblings, 2 replies; 5+ messages in thread
From: Louis Chauvet via buildroot @ 2023-12-06 16:44 UTC (permalink / raw)
  To: buildroot; +Cc: kory.maincent, Louis Chauvet, thomas.petazzoni, geomatsi

The arm-trusted-firmware package builds a host tool called "fiptool",
which is used during the build process of arm-trusted-firmware
itself. This tool links against the OpenSSL host library, and
therefore needs to be built with the correct RPATH pointing to
$HOST_DIR/lib.

This is why commit a957d9a90ade4194dffe3eb2fc0136bc5d077c28
("boot/arm-trusted-firmware: build fiptool separately with dependency
on host-openssl") added the ARM_TRUSTED_FIRMWARE_BUILD_FIPTOOL
variable, which builds the fiptool tool first, with the right
variables set, before invoking the full build of TF-A. This ensured
that fiptool was built with the correct RPATH.

However, more recent versions of TF-A have modified their Makefile
machinery, and fiptool is being rebuilt even if it was built
before. Unfortunately, this rebuild is no longer done with the right
flags, so we end up with a fiptool binary that no longer has the right
RPATH, and fiptool fails to find the OpenSSL libraries from
$HOST_DIR/lib.

In order to fix this, we take a different approach: we do not build
fiptool separately first, but we inject the necessary flags through
the HOSTCC variable. Indeed, there's no HOST_LDFLAGS or HOST_LDLIBS
variable or similar that would allow us to pass the -Wl,-rpath flag
that is needed. Shoe-horning this flag into HOSTCC gets the job done,
and actually simplifies our arm-trusted-firmware.mk.

Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com>
Co-authored-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 .../arm-trusted-firmware/arm-trusted-firmware.mk | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index 049beed36a91..bed873a1821c 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -63,7 +63,8 @@ ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
 	BUILD_STRING=$(ARM_TRUSTED_FIRMWARE_VERSION) \
 	$(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES)) \
 	PLAT=$(ARM_TRUSTED_FIRMWARE_PLATFORM) \
-	TARGET_BOARD=$(ARM_TRUSTED_FIRMWARE_TARGET_BOARD)
+	TARGET_BOARD=$(ARM_TRUSTED_FIRMWARE_TARGET_BOARD) \
+	HOSTCC="$(HOSTCC) $(HOST_LDFLAGS)"
 
 ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP),y)
 ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
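Review bot: the added HOSTCC="$(HOSTCC) $(HOST_LDFLAGS)" line carries only linker flags, while the sub-make removed later in this patch also passed CPPFLAGS="$(HOST_CPPFLAGS)", so the host compile of fiptool loses the include path to the host-openssl headers. Consider HOSTCC="$(HOSTCC) $(HOST_CPPFLAGS) $(HOST_LDFLAGS)" and mention it in the commit log. This assignment also sits outside the ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP),y) block, so it changes the host compiler command for configurations that never build fiptool; if that is intended, say so.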
@@ -147,18 +148,6 @@ ARM_TRUSTED_FIRMWARE_MAKE_TARGETS = all
 ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP),y)
 ARM_TRUSTED_FIRMWARE_MAKE_TARGETS += fip
 ARM_TRUSTED_FIRMWARE_DEPENDENCIES += host-openssl
-# fiptool only exists in newer (>= 1.3) versions of ATF, so we build
-# it conditionally. We need to explicitly build it as it requires
-# OpenSSL, and therefore needs to be passed proper variables to find
-# the host OpenSSL.
-define ARM_TRUSTED_FIRMWARE_BUILD_FIPTOOL
-	if test -d $(@D)/tools/fiptool; then \
-		$(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D)/tools/fiptool \
-			$(ARM_TRUSTED_FIRMWARE_MAKE_OPTS) \
-			CPPFLAGS="$(HOST_CPPFLAGS)" \
-			LDLIBS="$(HOST_LDFLAGS) -lcrypto" ; \
-	fi
-endef
 endif
 
 ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_RCW),y)
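Review bot: with the comment and the "test -d $(@D)/tools/fiptool" guard removed, the ARM_TRUSTED_FIRMWARE_DEPENDENCIES += host-openssl line is left with no explanation of how fiptool is pointed at the host OpenSSL. A one-line comment here referring to the HOSTCC setting in ARM_TRUSTED_FIRMWARE_MAKE_OPTS would keep that link visible. The commit log should also state that the removed define supplied -lcrypto through LDLIBS, which the replacement no longer passes, so the link now depends on the TF-A Makefile adding it.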
@@ -206,7 +195,6 @@ define ARM_TRUSTED_FIRMWARE_BUILD_CMDS
 	$(if $(ARM_TRUSTED_FIRMWARE_CUSTOM_DTS_PATH),
 		cp -f $(ARM_TRUSTED_FIRMWARE_CUSTOM_DTS_PATH) $(@D)/fdts/
 	)
-	$(ARM_TRUSTED_FIRMWARE_BUILD_FIPTOOL)
 	$(ARM_TRUSTED_FIRMWARE_MAKE_ENV) $(MAKE) -C $(@D) \
 		$(ARM_TRUSTED_FIRMWARE_MAKE_OPTS) \
 		$(ARM_TRUSTED_FIRMWARE_MAKE_TARGETS)
-- 
2.41.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
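
A check for the failure the commit message describes, as an added example that is not part of the patch or of Buildroot: it reads `readelf -d` output and reports whether a binary that needs libcrypto lists the expected host library directory in its RPATH/RUNPATH. The function names, the two sample dynamic sections and the path /br/output/host/lib are constructed for illustration.

```shell
#!/bin/sh
# Constructed `readelf -d` excerpts (not taken from a real build).
SAMPLE_GOOD=' 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/local/lib:/br/output/host/lib]'
SAMPLE_BAD=' 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Print every DT_RPATH/DT_RUNPATH directory found in readelf -d text on
# stdin, one directory per line (entries are colon-separated in the ELF).
dyn_search_dirs() {
    sed -nE 's/.*\((RPATH|RUNPATH)\).*\[(.*)\]$/\2/p' | tr ':' '\n'
}

# Print every DT_NEEDED library name found in readelf -d text on stdin.
dyn_needed() {
    sed -nE 's/.*\(NEEDED\).*\[(.*)\]$/\1/p'
}

# audit_dynamic TEXT HOST_LIB_DIR
# Prints "no-libcrypto" if the binary does not link libcrypto at all,
# "ok" if HOST_LIB_DIR is one of its search directories (exact match),
# "missing-rpath" otherwise. Only "missing-rpath" returns non-zero.
audit_dynamic() {
    if ! printf '%s\n' "$1" | dyn_needed | grep -q '^libcrypto\.so'; then
        echo "no-libcrypto"
        return 0
    fi
    if printf '%s\n' "$1" | dyn_search_dirs | grep -Fxq -- "$2"; then
        echo "ok"
        return 0
    fi
    echo "missing-rpath"
    return 1
}

# audit_binary PATH HOST_LIB_DIR: the same check on a file on disk.
# Requires readelf (binutils) on the build host.
audit_binary() {
    audit_dynamic "$(readelf -d "$1")" "$2"
}
```

On a build host, `audit_binary` would be pointed at the built fiptool and at $HOST_DIR/lib; a "missing-rpath" result means the loader will fall back to the system search path for libcrypto.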


* Re: [Buildroot] [PATCH] boot/arm-trusted-firmware: fix the RPATH of fiptool
  2023-12-06 16:44 [Buildroot] [PATCH] boot/arm-trusted-firmware: fix the RPATH of fiptool Louis Chauvet via buildroot
@ 2023-12-06 17:05 ` Baruch Siach via buildroot
  2023-12-07 16:39   ` Louis Chauvet via buildroot
  2023-12-24 15:22 ` Köry Maincent via buildroot
  1 sibling, 1 reply; 5+ messages in thread
From: Baruch Siach via buildroot @ 2023-12-06 17:05 UTC (permalink / raw)
  To: Louis Chauvet; +Cc: kory.maincent, geomatsi, thomas.petazzoni, buildroot

Hi Louis,

On Wed, Dec 06 2023, Louis Chauvet via buildroot wrote:
> The arm-trusted-firmware package builds a host tool called "fiptool",
> which is used during the build process of arm-trusted-firmware
> itself. This tool links against the OpenSSL host library, and
> therefore needs to be built with the correct RPATH pointing to
> $HOST_DIR/lib.
>
> This is why commit a957d9a90ade4194dffe3eb2fc0136bc5d077c28
> ("boot/arm-trusted-firmware: build fiptool separately with dependency
> on host-openssl") added the ARM_TRUSTED_FIRMWARE_BUILD_FIPTOOL
> variable, which builds the fiptool tool first, with the right
> variables set, before invoking the full build of TF-A. This ensured
> that fiptool was built with the correct RPATH.
>
> However, more recent versions of TF-A have modified their Makefile
> machinery, and fiptool is being rebuilt even if it was built
> before. Unfortunately, this rebuild is no longer done with the right
> flags, so we end up with a fiptool binary that no longer has the right
> RPATH, and fiptool fails to find the OpenSSL libraries from
> $HOST_DIR/lib.
>
> In order to fix this, we take a different approach: we do not build
> fiptool separately first, but we inject the necessary flags through
> the HOSTCC variable. Indeed, there's no HOST_LDFLAGS or HOST_LDLIBS
> variable or similar that would allow us to pass the -Wl,-rpath flag
> that is needed. Shoe-horning this flag into HOSTCC gets the job done,
> and actually simplifies our arm-trusted-firmware.mk.

The code this patch removes tries to keep compatibility with TF-A
versions earlier than 1.3. This patch relies on HOSTCC that was only
introduced in TF-A version 1.4 with upstream commit 72610c4102990
("build: Introduce HOSTCC flag"). I guess losing compatibility with
older TF-A is fine, since all Buildroot in-tree configs appear to use
newer versions. But I think this should at least be mentioned in the
commit log.

baruch

>
> Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com>
> Co-authored-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  .../arm-trusted-firmware/arm-trusted-firmware.mk | 16 ++--------------
>  1 file changed, 2 insertions(+), 14 deletions(-)
>
> diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> index 049beed36a91..bed873a1821c 100644
> --- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> +++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> @@ -63,7 +63,8 @@ ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
>  	BUILD_STRING=$(ARM_TRUSTED_FIRMWARE_VERSION) \
>  	$(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES)) \
>  	PLAT=$(ARM_TRUSTED_FIRMWARE_PLATFORM) \
> -	TARGET_BOARD=$(ARM_TRUSTED_FIRMWARE_TARGET_BOARD)
> +	TARGET_BOARD=$(ARM_TRUSTED_FIRMWARE_TARGET_BOARD) \
> +	HOSTCC="$(HOSTCC) $(HOST_LDFLAGS)"
>  
>  ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP),y)
>  ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
> @@ -147,18 +148,6 @@ ARM_TRUSTED_FIRMWARE_MAKE_TARGETS = all
>  ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP),y)
>  ARM_TRUSTED_FIRMWARE_MAKE_TARGETS += fip
>  ARM_TRUSTED_FIRMWARE_DEPENDENCIES += host-openssl
> -# fiptool only exists in newer (>= 1.3) versions of ATF, so we build
> -# it conditionally. We need to explicitly build it as it requires
> -# OpenSSL, and therefore needs to be passed proper variables to find
> -# the host OpenSSL.
> -define ARM_TRUSTED_FIRMWARE_BUILD_FIPTOOL
> -	if test -d $(@D)/tools/fiptool; then \
> -		$(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D)/tools/fiptool \
> -			$(ARM_TRUSTED_FIRMWARE_MAKE_OPTS) \
> -			CPPFLAGS="$(HOST_CPPFLAGS)" \
> -			LDLIBS="$(HOST_LDFLAGS) -lcrypto" ; \
> -	fi
> -endef
>  endif
>  
>  ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_RCW),y)
> @@ -206,7 +195,6 @@ define ARM_TRUSTED_FIRMWARE_BUILD_CMDS
>  	$(if $(ARM_TRUSTED_FIRMWARE_CUSTOM_DTS_PATH),
>  		cp -f $(ARM_TRUSTED_FIRMWARE_CUSTOM_DTS_PATH) $(@D)/fdts/
>  	)
> -	$(ARM_TRUSTED_FIRMWARE_BUILD_FIPTOOL)
>  	$(ARM_TRUSTED_FIRMWARE_MAKE_ENV) $(MAKE) -C $(@D) \
>  		$(ARM_TRUSTED_FIRMWARE_MAKE_OPTS) \
>  		$(ARM_TRUSTED_FIRMWARE_MAKE_TARGETS)


-- 
                                                     ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

* Re: [Buildroot] [PATCH] boot/arm-trusted-firmware: fix the RPATH of fiptool
  2023-12-06 17:05 ` Baruch Siach via buildroot
@ 2023-12-07 16:39   ` Louis Chauvet via buildroot
  2023-12-07 17:05     ` Baruch Siach via buildroot
  0 siblings, 1 reply; 5+ messages in thread
From: Louis Chauvet via buildroot @ 2023-12-07 16:39 UTC (permalink / raw)
  To: Baruch Siach; +Cc: kory.maincent, thomas.petazzoni, geomatsi, buildroot

Hi Baruch,

On 06/12/23 - 19:05, Baruch Siach via buildroot wrote:
> Hi Louis,
> 
> On Wed, Dec 06 2023, Louis Chauvet via buildroot wrote:
> > The arm-trusted-firmware package builds a host tool called "fiptool",
> > which is used during the build process of arm-trusted-firmware
> > itself. This tool links against the OpenSSL host library, and
> > therefore needs to be built with the correct RPATH pointing to
> > $HOST_DIR/lib.
> >
> > This is why commit a957d9a90ade4194dffe3eb2fc0136bc5d077c28
> > ("boot/arm-trusted-firmware: build fiptool separately with dependency
> > on host-openssl") added the ARM_TRUSTED_FIRMWARE_BUILD_FIPTOOL
> > variable, which builds the fiptool tool first, with the right
> > variables set, before invoking the full build of TF-A. This ensured
> > that fiptool was built with the correct RPATH.
> >
> > However, more recent versions of TF-A have modified their Makefile
> > machinery, and fiptool is being rebuilt even if it was built
> > before. Unfortunately, this rebuild is no longer done with the right
> > flags, so we end up with a fiptool binary that no longer has the right
> > RPATH, and fiptool fails to find the OpenSSL libraries from
> > $HOST_DIR/lib.
> >
> > In order to fix this, we take a different approach: we do not build
> > fiptool separately first, but we inject the necessary flags through
> > the HOSTCC variable. Indeed, there's no HOST_LDFLAGS or HOST_LDLIBS
> > variable or similar that would allow us to pass the -Wl,-rpath flag
> > that is needed. Shoe-horning this flag into HOSTCC gets the job done,
> > and actually simplifies our arm-trusted-firmware.mk.
> 
> The code this patch removes tries to keep compatibility with TF-A
> versions earlier than 1.3. This patch relies on HOSTCC that was only
> introduced in TF-A version 1.4 with upstream commit 72610c4102990
> ("build: Introduce HOSTCC flag"). I guess losing compatibility with
> older TF-A is fine, since all Buildroot in-tree configs appear to use
> newer versions. But I think this should at least be mentioned in the
> commit log.
> 

Thanks for your feedback. Do you think this is sufficient?

This patch breaks compatibility with versions prior to 1.4 (upstream
commit 72610c4102990 ("build: Introduce HOSTCC flag")). v1.4 is very old
(July 2017), not used anymore in-tree and probably not used anymore
outside the tree.

-- 
Louis Chauvet, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* Re: [Buildroot] [PATCH] boot/arm-trusted-firmware: fix the RPATH of fiptool
  2023-12-07 16:39   ` Louis Chauvet via buildroot
@ 2023-12-07 17:05     ` Baruch Siach via buildroot
  0 siblings, 0 replies; 5+ messages in thread
From: Baruch Siach via buildroot @ 2023-12-07 17:05 UTC (permalink / raw)
  To: Louis Chauvet; +Cc: kory.maincent, thomas.petazzoni, geomatsi, buildroot

Hi Louis,

On Thu, Dec 07 2023, Louis Chauvet wrote:
> On 06/12/23 - 19:05, Baruch Siach via buildroot wrote:
>> On Wed, Dec 06 2023, Louis Chauvet via buildroot wrote:
>> > The arm-trusted-firmware package builds a host tool called "fiptool",
>> > which is used during the build process of arm-trusted-firmware
>> > itself. This tool links against the OpenSSL host library, and
>> > therefore needs to be built with the correct RPATH pointing to
>> > $HOST_DIR/lib.
>> >
>> > This is why commit a957d9a90ade4194dffe3eb2fc0136bc5d077c28
>> > ("boot/arm-trusted-firmware: build fiptool separately with dependency
>> > on host-openssl") added the ARM_TRUSTED_FIRMWARE_BUILD_FIPTOOL
>> > variable, which builds the fiptool tool first, with the right
>> > variables set, before invoking the full build of TF-A. This ensured
>> > that fiptool was built with the correct RPATH.
>> >
>> > However, more recent versions of TF-A have modified their Makefile
>> > machinery, and fiptool is being rebuilt even if it was built
>> > before. Unfortunately, this rebuild is no longer done with the right
>> > flags, so we end up with a fiptool binary that no longer has the right
>> > RPATH, and fiptool fails to find the OpenSSL libraries from
>> > $HOST_DIR/lib.
>> >
>> > In order to fix this, we take a different approach: we do not build
>> > fiptool separately first, but we inject the necessary flags through
>> > the HOSTCC variable. Indeed, there's no HOST_LDFLAGS or HOST_LDLIBS
>> > variable or similar that would allow us to pass the -Wl,-rpath flag
>> > that is needed. Shoe-horning this flag into HOSTCC gets the job done,
>> > and actually simplifies our arm-trusted-firmware.mk.
>> 
>> The code this patch removes tries to keep compatibility with TF-A
>> versions earlier than 1.3. This patch relies on HOSTCC that was only
>> introduced in TF-A version 1.4 with upstream commit 72610c4102990
>> ("build: Introduce HOSTCC flag"). I guess losing compatibility with
>> older TF-A is fine, since all Buildroot in-tree configs appear to use
>> newer versions. But I think this should at least be mentioned in the
>> commit log.
>
> Thanks for your feedback. Do you think this is sufficient?
>
> This patch breaks compatibility with versions prior to 1.4 (upstream
> commit 72610c4102990 ("build: Introduce HOSTCC flag")). v1.4 is very old
> (July 2017), not used anymore in-tree and probably not used anymore
> outside the tree.

Looks good to me.

baruch

-- 
                                                     ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

* Re: [Buildroot] [PATCH] boot/arm-trusted-firmware: fix the RPATH of fiptool
  2023-12-06 16:44 [Buildroot] [PATCH] boot/arm-trusted-firmware: fix the RPATH of fiptool Louis Chauvet via buildroot
  2023-12-06 17:05 ` Baruch Siach via buildroot
@ 2023-12-24 15:22 ` Köry Maincent via buildroot
  1 sibling, 0 replies; 5+ messages in thread
From: Köry Maincent via buildroot @ 2023-12-24 15:22 UTC (permalink / raw)
  To: Louis Chauvet; +Cc: thomas.petazzoni, geomatsi, buildroot

Hello Louis,

On Wed,  6 Dec 2023 17:44:37 +0100
Louis Chauvet <louis.chauvet@bootlin.com> wrote:

> The arm-trusted-firmware package builds a host tool called "fiptool",
> which is used during the build process of arm-trusted-firmware
> itself. This tool links against the OpenSSL host library, and
> therefore needs to be built with the correct RPATH pointing to
> $HOST_DIR/lib.
> 
> This is why commit a957d9a90ade4194dffe3eb2fc0136bc5d077c28
> ("boot/arm-trusted-firmware: build fiptool separately with dependency
> on host-openssl") added the ARM_TRUSTED_FIRMWARE_BUILD_FIPTOOL
> variable, which builds the fiptool tool first, with the right
> variables set, before invoking the full build of TF-A. This ensured
> that fiptool was built with the correct RPATH.
> 
> However, more recent versions of TF-A have modified their Makefile
> machinery, and fiptool is being rebuilt even if it was built
> before. Unfortunately, this rebuild is no longer done with the right
> flags, so we end up with a fiptool binary that no longer has the right
> RPATH, and fiptool fails to find the OpenSSL libraries from
> $HOST_DIR/lib.
> 
> In order to fix this, we take a different approach: we do not build
> fiptool separately first, but we inject the necessary flags through
> the HOSTCC variable. Indeed, there's no HOST_LDFLAGS or HOST_LDLIBS
> variable or similar that would allow us to pass the -Wl,-rpath flag
> that is needed. Shoe-horning this flag into HOSTCC gets the job done,
> and actually simplifies our arm-trusted-firmware.mk.
> 
> Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com>
> Co-authored-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  .../arm-trusted-firmware/arm-trusted-firmware.mk | 16 ++--------------
>  1 file changed, 2 insertions(+), 14 deletions(-)

Your patch breaks the build of fiptool.
It can't find the host-openssl headers anymore.
In file included from fiptool.h:16,
                 from fiptool.c:19:
fiptool_platform.h:19:11: fatal error: openssl/sha.h: No such file or directory
   19 | # include <openssl/sha.h>

Tested with the mainline octavo_osd32mp1_red_defconfig and
solidrun_macchiatobin_defconfig on an Ubuntu 20.04. I suppose other configs with
FIP enabled will have the same error.

Weird that you didn't see the issue as you specially tackled the openssl
dependencies.

Regards,
-- 
Köry Maincent, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com