Page MenuHomePhabricator

Premature, forced OpenSSL 3.0 API upgrade.
Open, Needs TriagePublic


Since the TF-A 2.7 release, the tools OpenSSL
API version were upgraded to 3.0+.

The git commit states "compatible with openssl 3.0", but in
fact forces host to upgrade because the new API calls are
obviously not not available in older releases.

I think this is way premature, since 1.1.1 is fully
supported atleast one more year.
And even then, there is no need to force the API upgrade
since that will be supported for an even longer time.

There are a lot of builds/buildenvs out there that might be interested
in a TF-A update, but rely on openssl 1.1.1-series.

I don't see any real benefits beside some code simplification,
which is nice and all, but excludes a lot of envs.
I can't build this on a plain Ubuntu 20.04 (without extra upgrades).

I don't mind TF-A having OpenSSL 3.0 compatibility,
but I don't think a forced API upgrade this early on is the way to go.

Event Timeline

Hi Mirschkym, just acknowledging your ticket. We are working on a response on how best to address your issue.

HI Mirschkym,

As a first step, we've improved our documentation [1] in an attempt to make it easier to build TF-A tools in conjunction with a custom version of OpenSSL 3.0.
In parallel, we're exploring ways to provide backwards compatible for OpenSSL 1.x users and will get back to you on this. In the meantime, you might find this documentation helpful.


Manish Badarkhe


it seems there are two existing workarounds related to OpenSSL3 available in different downstream projects.

Trusted Services made a change to add OpenSSL3 build support to the TF-A build system. (See [1].) This is to solve the "missing component" issue in any build environment where OpenSSL3 is not available. (We use an Ubuntu 18.04 based container for our builds.) Notes:

  • This approach adds a special new kind of TPIP to TF-A projects to maintain.
  • This approach is mixing the responsibilities of TF-A project any anyone owning the environment where TF-A is built.

ST is using this patch to solve their OpenSSL3 related problem [2]. (The information comes from @Yann-lms). This change is eliminating some default assumptions the TF-A build system makes about the location of OpenSSL, and as such it is not looking at the backward compatibility issue. Still when a change is made to solve the backwards compatibility in this area alignment might be needed.