On 2023-07-15, Maxim Cournoyer wrote:
> Vagrant Cascadian <vagrant@debian.org> writes:
>> On 2023-07-14, Maxim Cournoyer wrote:
>>> vagrant@debian.org writes:
>>>> @@ -1230,7 +1257,8 @@ (define-public u-boot-rockpro64-rk3399
>>>>                                                 "CONFIG_SATA_SIL=y"
>>>>                                                 "CONFIG_SCSI=y"
>>>>                                                 "CONFIG_SCSI_AHCI=y"
>>>> -                                               "CONFIG_DM_SCSI=y"))))
>>>> +                                               "CONFIG_DM_SCSI=y"
>>>> +                                               "# CONFIG_SPL_FIT_SIGNATURE is not set"))))
>>>>      (package
>>>>        (inherit base)
>>>>        (arguments
>>>> @@ -1240,6 +1268,13 @@ (define-public u-boot-rockpro64-rk3399
>>>>                (add-after 'unpack 'set-environment
>>>>                  (lambda* (#:key inputs #:allow-other-keys)
>>>>                    (setenv "BL31" (search-input-file inputs "/bl31.elf"))))
>>>> +              ;; Disable SPL FIT signatures, due to GPLv2 and Openssl license
>>>> +              ;; incompatibilities
>>>> +              (add-after 'unpack 'disable-spl-fit-signature
>>>> +                (lambda _
>>>> +                  (substitute* "configs/rockpro64-rk3399_defconfig"
>>>> +                    (("CONFIG_SPL_FIT_SIGNATURE=y")
>>>> +                     "# CONFIG_SPL_FIT_SIGNATURE is not set"))))
>>>
>>> Are you sure this really disables SPL_FIT_SIGNATURE?  The #:configs
>>> arguments goes through 'verify-config', which ensures an unset value
>>> doesn't get pulled as a dependency of other options, if I recall
>>> correctly.
>>
>> Without this, it spits out a nasty error, I think because
>> CONFIG_SPL_FIT_SIGNATURE is effectively defined multiple times
>> (e.g. "=y" in the defconfig, and "# ... is not set" in the additional
>> guix options?) and maybe verify-config fails in that situation?  Sorry I
>> don't have the error handy, but it was easy enough to trigger by
>> dropping the 'disable-spl-fit-signature phase.
>
> Hm.  In my experience this means some other option is pulling in (by
> means of kconfig dependency resolution) the CONFIG_SPL_FIT_SIGNATURE
> option and would need to also be disabled.  When faced with this problem
> I usually end up navigating the 'make menuconfig' kconfig interface and
> inspecting dependencies for the option at hand.

Only modifying the config in 'disable-spl-fit-signature works alone, if
I recall correctly, but I left in the the stuff with verify-config to
have an extra safety check. Without adding openssl to one of the inputs,
the build should fail regardless, so maybe only including the
'disable-spl-fit-signature is sufficient.


live well,
  vagrant