diff --git a/package/boot/arm-trusted-firmware-microchipsw/Makefile b/package/boot/arm-trusted-firmware-microchipsw/Makefile index 0095cc1c38..e4ec3851d6 100644 --- a/package/boot/arm-trusted-firmware-microchipsw/Makefile +++ b/package/boot/arm-trusted-firmware-microchipsw/Makefile @@ -62,17 +62,6 @@ define Build/Prepare $(TAR) -C $(PKG_BUILD_DIR) -xf $(DL_DIR)/$(MBEDTLS_SOURCE) endef -# We must not pass OPENSSL_DIR as locally built mbedtls is used -define Build/Compile - +unset CC; \ - $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE=$(TARGET_CROSS) \ - $(if $(DTC),DTC="$(DTC)") \ - PLAT=$(PLAT) \ - BUILD_STRING="OpenWrt $(PKG_VERSION_PREFIX)$(PKG_VERSION)-$(PKG_RELEASE) ($(VARIANT))" \ - $(TFA_MAKE_FLAGS) -endef - TFA_MAKE_FLAGS += \ MBEDTLS_DIR=$(PKG_BUILD_DIR)/$(MBEDTLS_NAME) \ BL33=$(STAGING_DIR_IMAGE)/$(BUILD_VARIANT)-u-boot.bin \ diff --git a/package/boot/arm-trusted-firmware-microchipsw/patches/0002-cert_create-add-LibreSSL-3.9-compatibility.patch b/package/boot/arm-trusted-firmware-microchipsw/patches/0002-cert_create-add-LibreSSL-3.9-compatibility.patch new file mode 100644 index 0000000000..55a053418e --- /dev/null +++ b/package/boot/arm-trusted-firmware-microchipsw/patches/0002-cert_create-add-LibreSSL-3.9-compatibility.patch @@ -0,0 +1,95 @@ +From 40166fd8d88f33c621d3cca0b936f31816f3fe2e Mon Sep 17 00:00:00 2001 +From: Robert Marko +Date: Mon, 12 Jan 2026 14:40:23 +0100 +Subject: [PATCH] cert_create: add LibreSSL 3.9+ compatibility + +LibreSSL 3.9+ has dropped the whole support for X509V3 extensions. + +Generated by Gemini 3 Pro. + +Signed-off-by: Robert Marko +--- + tools/cert_create/src/ext.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +--- a/tools/cert_create/src/ext.c ++++ b/tools/cert_create/src/ext.c +@@ -51,15 +51,18 @@ int ext_init(void) + { + cmd_opt_t cmd_opt; + ext_t *ext; ++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x40200000L + X509V3_EXT_METHOD *m; +- int nid, ret; ++ int ret, nid; ++#endif + unsigned int i; + + extensions = malloc((num_def_extensions * sizeof(def_extensions[0])) + #ifdef PDEF_EXTS + + (num_pdef_extensions * sizeof(pdef_extensions[0])) + #endif +- ); ++ ); ++ + if (extensions == NULL) { + ERROR("%s:%d Failed to allocate memory.\n", __func__, __LINE__); + return 1; +@@ -69,7 +72,7 @@ int ext_init(void) + (num_def_extensions * sizeof(def_extensions[0]))); + #ifdef PDEF_EXTS + memcpy(&extensions[num_def_extensions], &pdef_extensions[0], +- (num_pdef_extensions * sizeof(pdef_extensions[0]))); ++ (num_pdef_extensions * sizeof(pdef_extensions[0]))); + num_extensions = num_def_extensions + num_pdef_extensions; + #else + num_extensions = num_def_extensions; +@@ -86,11 +89,15 @@ int ext_init(void) + cmd_opt.help_msg = ext->help_msg; + cmd_opt_add(&cmd_opt); + } ++ + /* Register the extension OID in OpenSSL */ + if (ext->oid == NULL) { + continue; + } ++ ++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x40200000L + nid = OBJ_create(ext->oid, ext->sn, ext->ln); ++ + if (ext->alias) { + X509V3_EXT_add_alias(nid, ext->alias); + } else { +@@ -117,7 +124,16 @@ int ext_init(void) + return 1; + } + } ++#else ++ /* ++ * LibreSSL 4.2.0+ removed X509V3_EXT_add/alias. ++ * We still register the OID, but ignore the returned NID ++ * as we skip method registration. ++ */ ++ OBJ_create(ext->oid, ext->sn, ext->ln); ++#endif + } ++ + return 0; + } + +@@ -323,12 +339,14 @@ void ext_cleanup(void) + for (i = 0; i < num_extensions; i++) { + if (extensions[i].arg != NULL) { + void *ptr = (void *)extensions[i].arg; +- + extensions[i].arg = NULL; + free(ptr); + } + } + free(extensions); ++ ++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x40200000L + X509V3_EXT_cleanup(); ++#endif + } + diff --git a/package/boot/arm-trusted-firmware-microchipsw/patches/0003-cert_create-pass-pthread-in-LDFLAGS.patch b/package/boot/arm-trusted-firmware-microchipsw/patches/0003-cert_create-pass-pthread-in-LDFLAGS.patch new file mode 100644 index 0000000000..2d8f6ac022 --- /dev/null +++ b/package/boot/arm-trusted-firmware-microchipsw/patches/0003-cert_create-pass-pthread-in-LDFLAGS.patch @@ -0,0 +1,36 @@ +From 11ff8b5e67830d5a09f39e8c1f000b0ddcf8e88f Mon Sep 17 00:00:00 2001 +From: Robert Marko +Date: Mon, 12 Jan 2026 15:16:07 +0100 +Subject: [PATCH] cert_create: pass pthread in LDFLAGS + +OpenWrt-s LibreSSL is linked against pthread, so we have to make sure to +pass -lpthread in LDFLAGS to avoid: +/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-crypto_init.o): in function `OPENSSL_init_crypto': +crypto_init.c:(.text+0x67): undefined reference to `pthread_once' +/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-err.o): in function `ERR_load_ERR_strings': +err.c:(.text+0x812): undefined reference to `pthread_once' +/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-conf_sap.o): in function `OpenSSL_config': +conf_sap.c:(.text+0xc0): undefined reference to `pthread_once' +/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-conf_sap.o): in function `OpenSSL_no_config': +conf_sap.c:(.text+0x107): undefined reference to `pthread_once' +/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-err_all.o): in function `ERR_load_crypto_strings': +err_all.c:(.text+0xa3): undefined reference to `pthread_once' +collect2: error: ld returned 1 exit status +make[4]: *** [Makefile:93: cert_create] Error 1 + +Signed-off-by: Robert Marko +--- + tools/cert_create/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/cert_create/Makefile ++++ b/tools/cert_create/Makefile +@@ -79,7 +79,7 @@ INC_DIR += -I ./include -I ${PLAT_INCLUD + # located under the main project directory (i.e.: ${OPENSSL_DIR}, not + # ${OPENSSL_DIR}/lib/). + LIB_DIR := -L ${OPENSSL_DIR}/lib -L ${OPENSSL_DIR} +-LIB := -lssl -lcrypto ++LIB := -lssl -lcrypto -pthread + + HOSTCC ?= gcc +