[Buildroot] [PATCH] boot/arm-trusted-firmware: add patch to fix fiptool link

Thomas Petazzoni thomas.petazzoni at bootlin.com
Thu Jul 20 21:28:27 UTC 2023


Hello Vincent,

On Wed, 19 Jul 2023 14:53:09 +0200
Vincent Stehlé <vincent.stehle at arm.com> wrote:

> When building a fip firmware (BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y), the
> TF-A build recipe starts by building the host program fiptool with the
> proper build environment variables. Then the main TF-A target firmware
> build step takes place, with the expectation that the fiptool program will
> be used under the hood if necessary.
> 
> In TF-A, the build recipe for the host program fiptool has subtly changed
> after v2.7, in commit cf2dd17ddda2 ("refactor(security): add OpenSSL 1.x
> compatibility"). This change has the effect of forcing re-linking of fiptool
> each time.
> 
> If we try to build with Buildroot a fip firmware with a TF-A version after
> v2.7 comprising the aforementioned change, the fiptool program is forcibly
> re-linked during the main firmware build step. This happens without the
> proper build environment variables and consequently, if openssl is not
> installed on the host, the libcrypto shared library will not be found by
> the linker and the link will fail with the following error:
> 
>   /usr/bin/ld: cannot find -lcrypto: No such file or directory
> 
> A patch has been integrated into TF-A to avoid re-linking fiptool when not
> necessary, which should solve the problem starting with version v2.10. Add
> that patch in Buildroot for versions v2.8 and v2.9, to repair the build in
> the cases described above.
> 
> Signed-off-by: Vincent Stehlé <vincent.stehle at arm.com>
> Cc: Dick Olsson <hi at senzilla.io>
> Cc: Sergey Matyukevich <geomatsi at gmail.com>
> ---
> 
> 
> Hi,
> 
> This can be tested with e.g. tests.boot.test_edk2 in an environment with no
> openssl (libcrypto) installed.

Indeed, which means this commit can have:

Fixes:

  https://gitlab.com/buildroot.org/buildroot/-/jobs/4664845767

As usual, one concern is that your commit is fixing the issue for
people using v2.8 and v2.9 precisely, but anyone using a custom version
based on 2.8 or 2.9 will not benefit from this fix.

One option would be to pass the relevant environment variables also at
build time, so that when fiptool is relinked, it gets relinked
correctly. But it's quite annoying to keep this pretty much forever in
Buildroot. So perhaps your solution with a patch is the most
reasonable, and people affected by the issue will find the patch in
Buildroot and use it for their custom version as well.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com


