[openwrt/openwrt] boot: arm-trusted-firmware-microchipsw: fix compilation against LibreSSL
LEDE Commits
lede-commits at lists.infradead.org
Mon Jan 12 09:01:20 PST 2026
robimarko pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/410277ca12d811daa8040edf75dfd87a2d9dd5f8
commit 410277ca12d811daa8040edf75dfd87a2d9dd5f8
Author: Robert Marko <robert.marko at sartura.hr>
AuthorDate: Mon Jan 12 17:28:06 2026 +0100
boot: arm-trusted-firmware-microchipsw: fix compilation against LibreSSL
LibreSSL 3.9+ has dropped support for X509V3 extension API so cert_create
tool does not compile against it at all.
This was hidden by the fact that it was compiling against OpenSSL on my
host which still has that API, however we do not ship libssl-dev in the
Buildbot containers so compiling against distro OpenSSL is not possible.
So, after a long time trying to find any docs on that API I resorted to
LLM(Gemini 3 Pro) to get it to compile.
Our libcrypto is linked against pthread so we must pass -lpthread as well
for cert_tool.
Fixes: 5205c0c42607 ("microchipsw: lan969x: add Microchip EV23X71A")
Signed-off-by: Robert Marko <robert.marko at sartura.hr>
---
.../boot/arm-trusted-firmware-microchipsw/Makefile | 11 ---
...ert_create-add-LibreSSL-3.9-compatibility.patch | 95 ++++++++++++++++++++++
.../0003-cert_create-pass-pthread-in-LDFLAGS.patch | 36 ++++++++
3 files changed, 131 insertions(+), 11 deletions(-)
diff --git a/package/boot/arm-trusted-firmware-microchipsw/Makefile b/package/boot/arm-trusted-firmware-microchipsw/Makefile
index 0095cc1c38..e4ec3851d6 100644
--- a/package/boot/arm-trusted-firmware-microchipsw/Makefile
+++ b/package/boot/arm-trusted-firmware-microchipsw/Makefile
@@ -62,17 +62,6 @@ define Build/Prepare
$(TAR) -C $(PKG_BUILD_DIR) -xf $(DL_DIR)/$(MBEDTLS_SOURCE)
endef
-# We must not pass OPENSSL_DIR as locally built mbedtls is used
-define Build/Compile
- +unset CC; \
- $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
- CROSS_COMPILE=$(TARGET_CROSS) \
- $(if $(DTC),DTC="$(DTC)") \
- PLAT=$(PLAT) \
- BUILD_STRING="OpenWrt $(PKG_VERSION_PREFIX)$(PKG_VERSION)-$(PKG_RELEASE) ($(VARIANT))" \
- $(TFA_MAKE_FLAGS)
-endef
-
TFA_MAKE_FLAGS += \
MBEDTLS_DIR=$(PKG_BUILD_DIR)/$(MBEDTLS_NAME) \
BL33=$(STAGING_DIR_IMAGE)/$(BUILD_VARIANT)-u-boot.bin \
diff --git a/package/boot/arm-trusted-firmware-microchipsw/patches/0002-cert_create-add-LibreSSL-3.9-compatibility.patch b/package/boot/arm-trusted-firmware-microchipsw/patches/0002-cert_create-add-LibreSSL-3.9-compatibility.patch
new file mode 100644
index 0000000000..55a053418e
--- /dev/null
+++ b/package/boot/arm-trusted-firmware-microchipsw/patches/0002-cert_create-add-LibreSSL-3.9-compatibility.patch
@@ -0,0 +1,95 @@
+From 40166fd8d88f33c621d3cca0b936f31816f3fe2e Mon Sep 17 00:00:00 2001
+From: Robert Marko <robert.marko at sartura.hr>
+Date: Mon, 12 Jan 2026 14:40:23 +0100
+Subject: [PATCH] cert_create: add LibreSSL 3.9+ compatibility
+
+LibreSSL 3.9+ has dropped the whole support for X509V3 extensions.
+
+Generated by Gemini 3 Pro.
+
+Signed-off-by: Robert Marko <robert.marko at sartura.hr>
+---
+ tools/cert_create/src/ext.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+--- a/tools/cert_create/src/ext.c
++++ b/tools/cert_create/src/ext.c
+@@ -51,15 +51,18 @@ int ext_init(void)
+ {
+ cmd_opt_t cmd_opt;
+ ext_t *ext;
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x40200000L
+ X509V3_EXT_METHOD *m;
+- int nid, ret;
++ int ret, nid;
++#endif
+ unsigned int i;
+
+ extensions = malloc((num_def_extensions * sizeof(def_extensions[0]))
+ #ifdef PDEF_EXTS
+ + (num_pdef_extensions * sizeof(pdef_extensions[0]))
+ #endif
+- );
++ );
++
+ if (extensions == NULL) {
+ ERROR("%s:%d Failed to allocate memory.\n", __func__, __LINE__);
+ return 1;
+@@ -69,7 +72,7 @@ int ext_init(void)
+ (num_def_extensions * sizeof(def_extensions[0])));
+ #ifdef PDEF_EXTS
+ memcpy(&extensions[num_def_extensions], &pdef_extensions[0],
+- (num_pdef_extensions * sizeof(pdef_extensions[0])));
++ (num_pdef_extensions * sizeof(pdef_extensions[0])));
+ num_extensions = num_def_extensions + num_pdef_extensions;
+ #else
+ num_extensions = num_def_extensions;
+@@ -86,11 +89,15 @@ int ext_init(void)
+ cmd_opt.help_msg = ext->help_msg;
+ cmd_opt_add(&cmd_opt);
+ }
++
+ /* Register the extension OID in OpenSSL */
+ if (ext->oid == NULL) {
+ continue;
+ }
++
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x40200000L
+ nid = OBJ_create(ext->oid, ext->sn, ext->ln);
++
+ if (ext->alias) {
+ X509V3_EXT_add_alias(nid, ext->alias);
+ } else {
+@@ -117,7 +124,16 @@ int ext_init(void)
+ return 1;
+ }
+ }
++#else
++ /*
++ * LibreSSL 4.2.0+ removed X509V3_EXT_add/alias.
++ * We still register the OID, but ignore the returned NID
++ * as we skip method registration.
++ */
++ OBJ_create(ext->oid, ext->sn, ext->ln);
++#endif
+ }
++
+ return 0;
+ }
+
+@@ -323,12 +339,14 @@ void ext_cleanup(void)
+ for (i = 0; i < num_extensions; i++) {
+ if (extensions[i].arg != NULL) {
+ void *ptr = (void *)extensions[i].arg;
+-
+ extensions[i].arg = NULL;
+ free(ptr);
+ }
+ }
+ free(extensions);
++
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x40200000L
+ X509V3_EXT_cleanup();
++#endif
+ }
+
diff --git a/package/boot/arm-trusted-firmware-microchipsw/patches/0003-cert_create-pass-pthread-in-LDFLAGS.patch b/package/boot/arm-trusted-firmware-microchipsw/patches/0003-cert_create-pass-pthread-in-LDFLAGS.patch
new file mode 100644
index 0000000000..2d8f6ac022
--- /dev/null
+++ b/package/boot/arm-trusted-firmware-microchipsw/patches/0003-cert_create-pass-pthread-in-LDFLAGS.patch
@@ -0,0 +1,36 @@
+From 11ff8b5e67830d5a09f39e8c1f000b0ddcf8e88f Mon Sep 17 00:00:00 2001
+From: Robert Marko <robert.marko at sartura.hr>
+Date: Mon, 12 Jan 2026 15:16:07 +0100
+Subject: [PATCH] cert_create: pass pthread in LDFLAGS
+
+OpenWrt-s LibreSSL is linked against pthread, so we have to make sure to
+pass -lpthread in LDFLAGS to avoid:
+/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-crypto_init.o): in function `OPENSSL_init_crypto':
+crypto_init.c:(.text+0x67): undefined reference to `pthread_once'
+/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-err.o): in function `ERR_load_ERR_strings':
+err.c:(.text+0x812): undefined reference to `pthread_once'
+/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-conf_sap.o): in function `OpenSSL_config':
+conf_sap.c:(.text+0xc0): undefined reference to `pthread_once'
+/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-conf_sap.o): in function `OpenSSL_no_config':
+conf_sap.c:(.text+0x107): undefined reference to `pthread_once'
+/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-err_all.o): in function `ERR_load_crypto_strings':
+err_all.c:(.text+0xa3): undefined reference to `pthread_once'
+collect2: error: ld returned 1 exit status
+make[4]: *** [Makefile:93: cert_create] Error 1
+
+Signed-off-by: Robert Marko <robert.marko at sartura.hr>
+---
+ tools/cert_create/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/cert_create/Makefile
++++ b/tools/cert_create/Makefile
+@@ -79,7 +79,7 @@ INC_DIR += -I ./include -I ${PLAT_INCLUD
+ # located under the main project directory (i.e.: ${OPENSSL_DIR}, not
+ # ${OPENSSL_DIR}/lib/).
+ LIB_DIR := -L ${OPENSSL_DIR}/lib -L ${OPENSSL_DIR}
+-LIB := -lssl -lcrypto
++LIB := -lssl -lcrypto -pthread
+
+ HOSTCC ?= gcc
+
More information about the lede-commits
mailing list