Package: arm-trusted-firmware
Followup-For: Bug #1137474
X-Debbugs-Cc: [email protected]
Control: tags -1 patch ftbfs

Dear Maintainer,

The patch fixes the build issue, but it is not a real fix. Provider impl is not a drop-in; I filed a bug for the upstream to fix.

-- System Information:
Debian Release: trixie/sid
  APT prefers noble-updates
  APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 'noble'), (100, 'noble-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.8.0-117-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Description: Disable PKCS#11 key loading with OpenSSL 4.0 OpenSSL 4.0 removes the ENGINE API. The cert_create tool uses ENGINE for PKCS#11 key loading which cannot be replaced with the provider API as a drop-in. Disable PKCS#11 URIs with OpenSSL 4.0 — file-based (PEM) keys still work. This only affects the cert_create build tool, not the firmware itself. Guard ENGINE includes with #ifndef OPENSSL_NO_ENGINE. Forwarded: no Bug: https://github.com/TrustedFirmware-A/trusted-firmware-a/issues/170 Bug-Ubuntu: https://bugs.launchpad.net/bugs/2154828 Bug-Debian: https://bugs.debian.org/1137474 Last-Update: 2026-06-26 Index: arm-trusted-firmware/tools/cert_create/src/key.c =================================================================== --- arm-trusted-firmware.orig/tools/cert_create/src/key.c 2026-06-26 15:54:53.843660315 +0200 +++ arm-trusted-firmware/tools/cert_create/src/key.c 2026-06-26 15:57:05.516161980 +0200 @@ -14,7 +14,9 @@ #define OPENSSL_SUPPRESS_DEPRECATED #include <openssl/conf.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif #include <openssl/evp.h> #include <openssl/pem.h> @@ -210,6 +212,11 @@ static EVP_PKEY *key_load_pkcs11(const char *uri) { +#if OPENSSL_VERSION_MAJOR >= 4 + fprintf(stderr, "PKCS#11 URIs are not supported with OpenSSL 4.0. " + "Use PEM keys instead.\n"); + return NULL; +#else char *key_pass; EVP_PKEY *pkey; ENGINE *e; @@ -240,7 +247,7 @@ err: ENGINE_free(e); return NULL; - +#endif } unsigned int key_load(cert_key_t *key) Index: arm-trusted-firmware/tools/cert_create/src/main.c =================================================================== --- arm-trusted-firmware.orig/tools/cert_create/src/main.c 2026-06-26 15:56:10.119946798 +0200 +++ arm-trusted-firmware/tools/cert_create/src/main.c 2026-06-26 15:58:00.212379663 +0200 
@@ -15,7 +15,9 @@ #include <stdbool.h> #include <openssl/conf.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif #include <openssl/err.h> #include <openssl/pem.h> #include <openssl/sha.h>
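Review bot: In tools/cert_create/src/key.c (hunk @@ -210,6 +212,11 @@), the stub in key_load_pkcs11() is gated on `#if OPENSSL_VERSION_MAJOR >= 4`, while the include of <openssl/engine.h> at the top of the same file is gated on `#ifndef OPENSSL_NO_ENGINE`. The two conditions can disagree: an OpenSSL 3.x configured with no-engine defines OPENSSL_NO_ENGINE, so the header is skipped but the `#else` branch that declares `ENGINE *e` is still compiled and the build fails again. Use one condition for both, for example `#if defined(OPENSSL_NO_ENGINE) || OPENSSL_VERSION_MAJOR >= 4` around the stub, so the header and the code that needs it are always in or out together. The error text also names "OpenSSL 4.0" although the check covers every major version from 4 upward; wording such as "this OpenSSL build has no ENGINE support" would stay accurate.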
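Review bot: In tools/cert_create/src/key.c (hunk @@ -240,7 +247,7 @@), the new `#endif` sits directly before the closing brace of key_load_pkcs11() and closes a conditional opened in the previous hunk, with no comment saying which one. Annotate it, for example `#endif /* OPENSSL_VERSION_MAJOR >= 4 */`, and keep the annotation in step with whatever condition the opening `#if` ends up using. Replacing the blank line rather than adding the `#endif` after it is harmless but makes the hunk noisier than it needs to be.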
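Review bot: In tools/cert_create/src/main.c (hunk @@ -15,7 +15,9 @@), only the `#include <openssl/engine.h>` line is guarded and the patch touches no ENGINE call site in this file. If main.c contains no ENGINE_* calls, the include is unused and is better removed outright than wrapped in `#ifndef OPENSSL_NO_ENGINE`; if it does contain such calls, they need the same guard as the include or the file will not compile once the header is skipped. Please state in the patch description which of the two applies.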

