| Message ID | 20220127165419.952245-1-ross.burton@arm.com |
|---|---|
| State | New |
| Headers | show |
| Series | [1/3] arm/trusted-firmware-m: set OpenSSL provider path | expand |
On Thu, 27 Jan 2022 16:54:17 +0000, Ross Burton wrote: > imgtool from mcuboot uses python3-cryptography-native, and the latest > python3-cryptography explicitly loads the legacy provider, which is a > separate shared object in OpenSSL 3. The search path for providers is > hard-coded into the library so the wrong path is searched and the module > is not found. > > Set OPENSSL_MODULES so the right path, so that the legacy module is > found. In the future we may be able to be removed this if the explict > use of legacy algorithms is removed > (https://github.com/pyca/cryptography/issues/6809). > > [...] Applied, thanks! [1/3] arm/trusted-firmware-m: set OpenSSL provider path commit: 1ee79374727224129f47c56115b18dea4edbd553 [2/3] Revert "meta-arm-bsp: use old python3-crytography on platforms using TF-M" commit: 778236335a983cd3e8e55857a19b83daf20ef8b7 [3/3] Revert "meta-arm: add old version of python3-cryptography" commit: 8a42328437db26071339162fd3c5b23d104eed60 Best regards,
diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb index 302fd2cd..c0eee5cc 100644 --- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb +++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb @@ -97,6 +97,10 @@ LDFLAGS[unexport] = "1" AS[unexport] = "1" LD[unexport] = "1" +# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the +# right path until this is relocated automatically. +export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" + # TF-M ships patches that it needs applied to mbedcrypto, so apply them # as part of do_patch. apply_local_patches() {
imgtool from mcuboot uses python3-cryptography-native, and the latest python3-cryptography explicitly loads the legacy provider, which is a separate shared object in OpenSSL 3. The search path for providers is hard-coded into the library so the wrong path is searched and the module is not found. Set OPENSSL_MODULES so the right path, so that the legacy module is found. In the future we may be able to be removed this if the explict use of legacy algorithms is removed (https://github.com/pyca/cryptography/issues/6809). This also means we can remove the downgrades of python3-crytography that were being carried in meta-arm. Signed-off-by: Ross Burton <ross.burton@arm.com> --- .../trusted-firmware-m/trusted-firmware-m_1.5.0.bb | 4 ++++ 1 file changed, 4 insertions(+)