Hi Boon Khai Ng, Tom,
On 5/29/26 1:23 PM, Boon Khai Ng wrote:
mkeficapsule tool is automatically enabled when EFI_LOADER is selected,
which introduces a host dependency on libgnutls.
This causes build failures in minimal toolchain environments where
gnutls headers are not installed.
Having had a cursory look at tools/mkeficapsule.c, I think it should be
pretty straightforward (famous last words) to remove the dependency on
gnutls. See changes made in 16abff246b40 ("tools: mkeficapsule: add
firmware image signing") (lots of noise in the patch though, I'm
thinking we only need to ifdef the privkey_file && cert_file if block in
create_fwbin() (and the functions called in that block). The only issue
is to decide when to drop this dependency.
We use pkg-config to detect if the lib is available (I'm hoping that's
enough to assume the header will be available too), but if pkg-config
fails then we still default to -lgnutls, see 31a7688cbe0e ("tools:
mkeficapsule: use pkg-config to get -luuid and -lgnutls"). I'm not sure
if/why we need to keep this fallback but otherwise we could do the same
trick as for pk11 support in gnutls here
https://lore.kernel.org/u-boot/[email protected]/
and set a flag to ifdef the appropriate sections in the code.
Stratix10 SoCFPGA platforms do not use UEFI capsule update workflows
and therefore do not require mkeficapsule.
If you say so :)
Reviewed-by: Quentin Schulz <[email protected]>
Cheers,
Quentin
