
@wearyzen
Contributor

@wearyzen wearyzen commented Apr 10, 2025

Update Mbed TLS to 3.6.3 as it has CVE fixes.
Fixes #88435.
Related to #87637.

Update Mbed TLS to 3.6.3 as it has CVE fixes.

Signed-off-by: Sudan Landge <[email protected]>
@wearyzen wearyzen requested a review from tomi-font April 10, 2025 13:51
@zephyrbot

zephyrbot commented Apr 10, 2025

The following west manifest projects have been modified in this Pull Request:

| Name | Old Revision | New Revision | Diff |
| --- | --- | --- | --- |
| mbedtls | zephyrproject-rtos/mbedtls@a78176c | zephyrproject-rtos/mbedtls@5f88993 (zephyr) | zephyrproject-rtos/[email protected] |
| tf-m-tests | zephyrproject-rtos/tf-m-tests@502ea90 | zephyrproject-rtos/tf-m-tests@c712761 (main) | zephyrproject-rtos/[email protected] |
| trusted-firmware-m | zephyrproject-rtos/trusted-firmware-m@8134106 | zephyrproject-rtos/trusted-firmware-m@e2288c1 (main) | zephyrproject-rtos/[email protected] |

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@wearyzen wearyzen changed the title from "modules: mbedtls: update to 3.6.3" to "(backport 87637 to 4.0) modules: mbedtls: update to 3.6.3" Apr 11, 2025
@dkalowsk dkalowsk added this to the v4.0.1 milestone Apr 12, 2025
@dkalowsk
Contributor

dkalowsk commented Apr 12, 2025

Nothing against the PR, seems like a good addition. Can you or @ceolin (or really someone from the security team) make sure the release notes are updated with the CVE mitigation notes?

[EDIT: forgot to tag @wearyzen to ensure visibility]

Contributor

@tomi-font tomi-font left a comment

needs changes in TF-M as well to work properly

@ceolin
Member

ceolin commented Apr 14, 2025

@dkalowsk that is indeed a good thing to do. @wearyzen thanks for doing it. Are you willing to look at the TF-M changes as well?

@tomi-font
Contributor

I think that for 4.0 and 4.1 you can try to just point to my TF-M 2.1.2 update as it also makes sense to take it in, more than just the commits needed to work with Mbed TLS 3.6.3 (and the main branch in the TF-M fork should be compatible): zephyrproject-rtos/trusted-firmware-m#130

@dkalowsk
Contributor

@mmahadevan108 once this PR (and its dependencies) is merged, we should release 4.0.1. Any objections?

@wearyzen
Contributor Author

@kartben could you please help with ci failures? I retried the job multiple times but not sure if this is just a github ci hiccup or if something else needs to be done to fix this.

@tomi-font
Contributor

> @kartben could you please help with ci failures? I retried the job multiple times but not sure if this is just a github ci hiccup or if something else needs to be done to fix this.

Something similar to #87977 is needed for 4.0. cc @nashif

Contributor

@tomi-font tomi-font left a comment

same comments as on #88433 (review)

@wearyzen wearyzen force-pushed the backport-88229-to-4.0 branch from 8a4d9c5 to 31cf831 Compare April 22, 2025 12:40
@wearyzen wearyzen changed the title from "(backport 87637 to 4.0) modules: mbedtls: update to 3.6.3" to "(backport 87637/88593 to 4.0) modules: mbedtls: update to 3.6.3 and tf-m to 2.1.2" Apr 22, 2025
@wearyzen wearyzen requested a review from tomi-font April 22, 2025 12:51
tomi-font previously approved these changes Apr 22, 2025
Update TF-M to 2.1.2 from version 2.1.1.
This is required to use MbedTLS 3.6.3.

Signed-off-by: Sudan Landge <[email protected]>
@wearyzen
Contributor Author

@dkalowsk, @ceolin, I have updated the PR to include TF-M changes as well. Could you please have a look and help with the approval/merge if it looks good?

@wearyzen
Contributor Author

@fabiobaltieri, @kartben, could you please help with this PR as well? This is the same as #88433 but for 4.0.

@fabiobaltieri fabiobaltieri reopened this May 9, 2025
@zephyrbot zephyrbot added the "Release Notes" (To be mentioned in the release notes) label May 9, 2025
@zephyrbot zephyrbot requested a review from kartben May 9, 2025 10:22
@sonarqubecloud

sonarqubecloud bot commented May 9, 2025

@dkalowsk dkalowsk merged commit 0a8f9bb into zephyrproject-rtos:v4.0-branch May 9, 2025
52 of 55 checks passed