[PATCH 1/1] boot: don't select non-existent CONFIG_VPL_CRYPTO

[PATCH 1/1] boot: don't select non-existent CONFIG_VPL_CRYPTO

[Heinrich Schuchardt]

Symbol CONFIG_VPL_CRYPTO does not exist.
Don't select it.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
---
 boot/Kconfig | 1 -
 1 file changed, 1 deletion(-)

diff --git a/boot/Kconfig b/boot/Kconfig
index e5db165424a..e9c8734ecb5 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -386,7 +386,6 @@ config VPL_FIT_SIGNATURE
 	default y
 	select FIT_SIGNATURE
 	select VPL_FIT
-	select VPL_CRYPTO
 	select VPL_HASH
 	imply VPL_RSA
 	imply VPL_RSA_VERIFY
-- 
2.51.0

Re: [PATCH 1/1] boot: don't select non-existent CONFIG_VPL_CRYPTO

[Quentin Schulz]

Hi Heinrich,

On 2/25/26 8:37 AM, Heinrich Schuchardt wrote:
> Symbol CONFIG_VPL_CRYPTO does not exist.

Correct but I have a hunch this was based off of SPL_FIT_SIGNATURE which 
does require crypto support, so I'm assuming VPL would too.

But this symbol indeed never existed, and even if it did, it wouldn't 
compile anything else as far as I can tell since drivers/crypto is 
enabled by default in proper and only if CONFIG_SPL_CRYPTO is set for 
SPL, and only SPL (checking for !TPL and !VPL)... so something feels 
unfinished with VPL here to me.

I'm not sure we're improving anything there but I don't think it makes 
things worse, as such

Fixes: 4218456b3fac ("vbe: Add Kconfig options for VPL")

Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>

Thanks!
Quentin

Re: [PATCH 1/1] boot: don't select non-existent CONFIG_VPL_CRYPTO

[Heinrich Schuchardt]

On 2/25/26 09:37, Quentin Schulz wrote:
> Hi Heinrich,
> 
> On 2/25/26 8:37 AM, Heinrich Schuchardt wrote:
>> Symbol CONFIG_VPL_CRYPTO does not exist.
> 
> Correct but I have a hunch this was based off of SPL_FIT_SIGNATURE which 
> does require crypto support, so I'm assuming VPL would too.
> 
> But this symbol indeed never existed, and even if it did, it wouldn't 
> compile anything else as far as I can tell since drivers/crypto is 
> enabled by default in proper and only if CONFIG_SPL_CRYPTO is set for 
> SPL, and only SPL (checking for !TPL and !VPL)... so something feels 
> unfinished with VPL here to me.
> 
> I'm not sure we're improving anything there but I don't think it makes 
> things worse, as such
> 
> Fixes: 4218456b3fac ("vbe: Add Kconfig options for VPL")
> 
> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
> 
> Thanks!
> Quentin

Thank you for reviewing.

There is a symbol CONFIG_VPL_MBEDTLS_LIB_CRYPTO that might be used but 
then VPL_FIT_SIGNATURE support would have to depend on MBEDTLS.

Maybe Simon can inform us what his design intention was. Adding a 
defconfig actually testing VPL_FIT_SIGNATURE would be helpful.

Best regards

Heinrich

Re: [PATCH 1/1] boot: don't select non-existent CONFIG_VPL_CRYPTO

[Heinrich Schuchardt]

On 2/25/26 10:06, Heinrich Schuchardt wrote:
> On 2/25/26 09:37, Quentin Schulz wrote:
>> Hi Heinrich,
>>
>> On 2/25/26 8:37 AM, Heinrich Schuchardt wrote:
>>> Symbol CONFIG_VPL_CRYPTO does not exist.
>>
>> Correct but I have a hunch this was based off of SPL_FIT_SIGNATURE 
>> which does require crypto support, so I'm assuming VPL would too.
>>
>> But this symbol indeed never existed, and even if it did, it wouldn't 
>> compile anything else as far as I can tell since drivers/crypto is 
>> enabled by default in proper and only if CONFIG_SPL_CRYPTO is set for 
>> SPL, and only SPL (checking for !TPL and !VPL)... so something feels 
>> unfinished with VPL here to me.
>>
>> I'm not sure we're improving anything there but I don't think it makes 
>> things worse, as such
>>
>> Fixes: 4218456b3fac ("vbe: Add Kconfig options for VPL")
>>
>> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
>>
>> Thanks!
>> Quentin
> 
> Thank you for reviewing.
> 
> There is a symbol CONFIG_VPL_MBEDTLS_LIB_CRYPTO that might be used but 
> then VPL_FIT_SIGNATURE support would have to depend on MBEDTLS.
> 
> Maybe Simon can inform us what his design intention was. Adding a 
> defconfig actually testing VPL_FIT_SIGNATURE would be helpful.
> 
> Best regards
> 
> Heinrich

There are more non-existent symbols implied by VPL_FIT_SIGNATURE

         imply VPL_RSA
         imply VPL_RSA_VERIFY

@Tom
I wonder why the VPL feature was suggested if it was never tested or 
used. Should we remove all of VPL?

Best regards

Heinrich

Re: [PATCH 1/1] boot: don't select non-existent CONFIG_VPL_CRYPTO

[Quentin Schulz]

Hi Heinrich,

On 2/25/26 1:21 PM, Heinrich Schuchardt wrote:
> On 2/25/26 10:06, Heinrich Schuchardt wrote:
>> On 2/25/26 09:37, Quentin Schulz wrote:
>>> Hi Heinrich,
>>>
>>> On 2/25/26 8:37 AM, Heinrich Schuchardt wrote:
>>>> Symbol CONFIG_VPL_CRYPTO does not exist.
>>>
>>> Correct but I have a hunch this was based off of SPL_FIT_SIGNATURE 
>>> which does require crypto support, so I'm assuming VPL would too.
>>>
>>> But this symbol indeed never existed, and even if it did, it wouldn't 
>>> compile anything else as far as I can tell since drivers/crypto is 
>>> enabled by default in proper and only if CONFIG_SPL_CRYPTO is set for 
>>> SPL, and only SPL (checking for !TPL and !VPL)... so something feels 
>>> unfinished with VPL here to me.
>>>
>>> I'm not sure we're improving anything there but I don't think it 
>>> makes things worse, as such
>>>
>>> Fixes: 4218456b3fac ("vbe: Add Kconfig options for VPL")
>>>
>>> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
>>>
>>> Thanks!
>>> Quentin
>>
>> Thank you for reviewing.
>>
>> There is a symbol CONFIG_VPL_MBEDTLS_LIB_CRYPTO that might be used but 
>> then VPL_FIT_SIGNATURE support would have to depend on MBEDTLS.
>>
>> Maybe Simon can inform us what his design intention was. Adding a 
>> defconfig actually testing VPL_FIT_SIGNATURE would be helpful.
>>
>> Best regards
>>
>> Heinrich
> 
> There are more non-existent symbols implied by VPL_FIT_SIGNATURE
> 
>          imply VPL_RSA
>          imply VPL_RSA_VERIFY
> 
> @Tom
> I wonder why the VPL feature was suggested if it was never tested or 
> used. Should we remove all of VPL?
> 

As far as I remember, VPL was a necessary step to add support for VBE 
(Verified Boot for Embedded) that Simon was working on. I don't think it 
got realized entirely (upstream I mean) which may explain the current 
state of VPL symbols.

Cheers,
Quentin

Re: [PATCH 1/1] boot: don't select non-existent CONFIG_VPL_CRYPTO

[Simon Glass]

Hi Quentin,

On Thu, 26 Feb 2026 at 07:54, Quentin Schulz <quentin.schulz@cherry.de> wrote:
>
> Hi Heinrich,
>
> On 2/25/26 1:21 PM, Heinrich Schuchardt wrote:
> > On 2/25/26 10:06, Heinrich Schuchardt wrote:
> >> On 2/25/26 09:37, Quentin Schulz wrote:
> >>> Hi Heinrich,
> >>>
> >>> On 2/25/26 8:37 AM, Heinrich Schuchardt wrote:
> >>>> Symbol CONFIG_VPL_CRYPTO does not exist.
> >>>
> >>> Correct but I have a hunch this was based off of SPL_FIT_SIGNATURE
> >>> which does require crypto support, so I'm assuming VPL would too.
> >>>
> >>> But this symbol indeed never existed, and even if it did, it wouldn't
> >>> compile anything else as far as I can tell since drivers/crypto is
> >>> enabled by default in proper and only if CONFIG_SPL_CRYPTO is set for
> >>> SPL, and only SPL (checking for !TPL and !VPL)... so something feels
> >>> unfinished with VPL here to me.
> >>>
> >>> I'm not sure we're improving anything there but I don't think it
> >>> makes things worse, as such
> >>>
> >>> Fixes: 4218456b3fac ("vbe: Add Kconfig options for VPL")
> >>>
> >>> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
> >>>
> >>> Thanks!
> >>> Quentin
> >>
> >> Thank you for reviewing.
> >>
> >> There is a symbol CONFIG_VPL_MBEDTLS_LIB_CRYPTO that might be used but
> >> then VPL_FIT_SIGNATURE support would have to depend on MBEDTLS.
> >>
> >> Maybe Simon can inform us what his design intention was. Adding a
> >> defconfig actually testing VPL_FIT_SIGNATURE would be helpful.
> >>
> >> Best regards
> >>
> >> Heinrich
> >
> > There are more non-existent symbols implied by VPL_FIT_SIGNATURE
> >
> >          imply VPL_RSA
> >          imply VPL_RSA_VERIFY
> >
> > @Tom
> > I wonder why the VPL feature was suggested if it was never tested or
> > used. Should we remove all of VPL?
> >
>
> As far as I remember, VPL was a necessary step to add support for VBE
> (Verified Boot for Embedded) that Simon was working on. I don't think it
> got realized entirely (upstream I mean) which may explain the current
> state of VPL symbols.

Heinrich asked me the same thing this morning. From my understanding,
the penultimate series was applied but later reverted. The final
series was never applied. It's in the Concept tree for now and is
running fine on an rk3399 board:

https://concept.u-boot.org/u-boot/u-boot/-/jobs/300379

If there is any interest in getting these two series in I could resend.

Regards,
Simon

Re: [PATCH 1/1] boot: don't select non-existent CONFIG_VPL_CRYPTO

[Tom Rini]

On Wed, 25 Feb 2026 08:37:11 +0100, Heinrich Schuchardt wrote:

> Symbol CONFIG_VPL_CRYPTO does not exist.
> Don't select it.
> 
> 

Applied to u-boot/next, thanks!

[1/1] boot: don't select non-existent CONFIG_VPL_CRYPTO
      commit: ff1b59c9bd49141efd45d50ddba291820a6ae975
-- 
Tom