On Thu, Feb 15, 2024 at 09:29:38AM +0100, Ahmad Fatoum wrote: > Hello Sascha, > > On 15.02.24 09:17, Sascha Hauer wrote: > > On Wed, Feb 14, 2024 at 07:09:16PM +0100, Ahmad Fatoum wrote: > >> Could you make the signing inside the barebox build system optional > >> for HAB? Then we could have a prompt symbol that depends on HABv4, e.g. > >> CONFIG_HAB_SIGN_IMAGES or something and disabling that would require > >> external signing like for AHAB. I think this would improve user experience > >> a fair bit, because HAB and AHAB could be handled the same build-system > >> side and it would be easily discoverable in Kconfig that one supports > >> sigining internally and the other doesn't. > > > > Originally it was a design decision to integrate the signing into > > barebox. I wanted to make barebox self contained and not depend on > > external tools to generate images. > > I am not sure though if anyone really builds signed images without > > the help of a build system. So I had the same thought as well if we > > could let the build system do the signing also for HAB. I haven't looked > > into it what it takes to implement that. One point where it gets > > difficult is our special trick to create signed USB images. We handle > > the DCD table in imx-usb-loader to setup DDR and disable DCD in the > > image. To make that work with signed images we sign an image which > > has the DCD table disabled. > > I am not asking that you implement in-barebox signing for AHAB, rather > that you make it optional for existing HAB, so they can be handled the > same if needed. Yes, I understood that. > Now that you just had AHAB in your hands, it should just > be a finger flexing for you, right? ;) Thanks for the flowers ;) Sascha -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
