Hi,

 

As you may know, the build system was changed, and the tip of master depends on Openssl3. This version is quite new and is not available in many old (or not so old) but still supported operating systems. (Ubuntu 18.04 is an example.)

 

I made a quick and dirty fix to allow building Opessl3 right from TF-A if the source is pre-fetched. You can find this change here: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/16800 For our downstream project this is a perfect solution as the same component introducing the new dependency carries the solution. Thus, my build environment is not becoming TF-A version specific.

From TF-A point of view the situation is not so simple. The above patch extends TF-A with "build environment provisioning" responsibility. Before this patch TF-A assumed, all "common" dependencies are available in the build environment, and this patch changes that. Yes, some strongly TF-A specific components were owned and built by TF-A, but openssl is different.

 

Thus, my modification is a “game changer” in some ways. A few things to consider:

• Openssl becomes a special kind of TPIP which the project will need to manage (e.g. look for security risks, version updates, compatibility to different OSs and OS versions, etc...).
• This is a system wide component. There is a risk of breaking something the build uses. Hidden things like a python module depending on openssl and now picking up an incompatible version.
• This change might be considered as layer bleeding since it “melds” responsibilities of the TF-A project and the “owner of the build environment”. IMHO this might be a significant difference from supply-chain security perspectives.

 

There are alternatives which might be considered better:

• making the build system and host side tooling (e.g. cert_tool) backwards compatible with openssl2
• hosting pre-built static binaries somewhere, which would simplify build environment updates

As I mentioned above, this is a "good enough" fix for my use-case, but not sure if this is the right approach from TF-A perspectives.

 

I am happy to tidy up this patch and push it trough the review, but the efforts needed to implement “other options” are beyond my capacity.

I am looking for feedback both from TF-A maintainers and from “build environment owners”. Thanks!

 

/George

 

Ps.: Apologies for not doing “my homework”. I know there is a ticket somewhere in Phabricator and I did not invest the needed time to find it.