
Premature, forced OpenSSL 3.0 API upgrade.
Open, Needs Triage, Public

Description

Since the TF-A 2.7 release, the tools' OpenSSL
API version was upgraded to 3.0+.

https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=9bc52d330fccb0e4df22006630350a42457d3306

The git commit states "compatible with openssl 3.0", but in
fact forces the host to upgrade because the new API calls are
obviously not available in older releases.

I think this is way premature, since 1.1.1 is fully
supported at least one more year.
And even then, there is no need to force the API upgrade
since that will be supported for an even longer time.

There are a lot of builds/buildenvs out there that might be interested
in a TF-A update, but rely on openssl 1.1.1-series.

I don't see any real benefits besides some code simplification,
which is nice and all, but excludes a lot of envs.
I can't build this on a plain Ubuntu 20.04 (without extra upgrades).

I don't mind TF-A having OpenSSL 3.0 compatibility,
but I don't think a forced API upgrade this early on is the way to go.

Event Timeline

Hi Mirschkym, just acknowledging your ticket. We are working on a response on how best to address your issue.

Hi Mirschkym,

As a first step, we've improved our documentation [1] in an attempt to make it easier to build TF-A tools in conjunction with a custom version of OpenSSL 3.0.
In parallel, we're exploring ways to provide backwards compatibility for OpenSSL 1.x users and will get back to you on this. In the meantime, you might find this documentation helpful.

[1]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/15750

Thanks,
Manish Badarkhe