new file mode 100644
@@ -0,0 +1,33 @@
+From 178e089683bf42097ac6d27522820d07483bc6bd Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 23 Apr 2026 08:54:02 +0200
+Subject: [PATCH] c_build_helper: Split cc command line
+
+Optionally the CC/HOSTCC environment variable can hold the command to
+invoke the C compiler, however this command can also contain extra
+arguments, not only the binary name. In this particular case Python
+was treating the whole value as a single binary name, and was trying
+to execute as such (e.g. "cc -arg1 -arg2" instead of "cc" and the arguments
+separately), which results in failure.
+
+Split the compiler command into its components to invoke it correctly.
+
+Upstream-Status: Submitted [https://github.com/Mbed-TLS/mbedtls-framework/pull/301]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ scripts/mbedtls_framework/c_build_helper.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mbedtls_framework/c_build_helper.py b/scripts/mbedtls_framework/c_build_helper.py
+index 59bb326e2..85dbb628f 100644
+--- a/tf-psa-crypto/framework/scripts/mbedtls_framework/c_build_helper.py
++++ b/tf-psa-crypto/framework/scripts/mbedtls_framework/c_build_helper.py
+@@ -98,7 +98,7 @@ def compile_c_file(c_filename, exe_filename, include_dirs):
+ cc = os.getenv('HOSTCC', None)
+ if cc is None:
+ cc = os.getenv('CC', 'cc')
+- cmd = [cc]
++ cmd = cc.split()
+
+ proc = subprocess.Popen(cmd,
+ stdout=subprocess.DEVNULL,
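Review bot: `cc.split()` splits on whitespace only, so a CC/HOSTCC value carrying a quoted argument (for example a sysroot or include path containing a space) still ends up as the wrong argv entries. `cmd = shlex.split(cc)` follows shell quoting rules and keeps such arguments intact; it needs `import shlex` among the file's imports, which are not visible in this hunk. An empty or whitespace-only value also produces an empty list, which Popen rejects with an error that does not mention the variable, so a short check that `cmd` is non-empty with a message naming CC/HOSTCC would help. compile_c_file starts before and continues past the hunk.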
new file mode 100644
@@ -0,0 +1,29 @@
+From 46f0ea3eb35e8d0d33e88298a9e7c3dbdd49ec17 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 23 Apr 2026 09:14:40 +0200
+Subject: [PATCH] use qemuwrapper to run cross-compiled binary
+
+The build process executes a compiled binary to get some details,
+however this results in a failure in case of cross-compiling.
+
+Run it with qemuwrapper, that is created in the recipe.
+
+Upstream-Status: Inappropriate [cross-compile specific]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ scripts/mbedtls_framework/c_build_helper.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mbedtls_framework/c_build_helper.py b/scripts/mbedtls_framework/c_build_helper.py
+index 59bb326e2..5c4c211ee 100644
+--- a/tf-psa-crypto/framework/scripts/mbedtls_framework/c_build_helper.py
++++ b/tf-psa-crypto/framework/scripts/mbedtls_framework/c_build_helper.py
+@@ -169,7 +169,7 @@ def get_c_expression_values(
+ .format(caller, c_name))
+ else:
+ os.remove(c_name)
+- output = subprocess.check_output([exe_name])
++ output = subprocess.check_output(['../../../qemuwrapper', exe_name])
+ return output.decode('ascii').strip().split('\n')
+ finally:
+ remove_file_if_exists(exe_name)
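Review bot: `'../../../qemuwrapper'` in the new `check_output` call is resolved against whatever the working directory is when get_c_expression_values runs, so the build depends on the directory depth between the script's cwd and the place the recipe writes the wrapper. If that layout changes, the call either fails or runs a different file of the same name three levels up. Handing the absolute path over from the recipe is sturdier, for instance exporting it in the recipe and reading it here with `wrapper = os.environ['QEMU_WRAPPER']` (variable name constructed for illustration), then `subprocess.check_output([wrapper, exe_name])`. A one-line comment saying that the wrapper is generated by the recipe's `do_configure:prepend` would also help the next reader. The function starts and ends outside the hunk.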
new file mode 100644
@@ -0,0 +1,88 @@
+SUMMARY = "Lightweight crypto and SSL/TLS library"
+DESCRIPTION = "mbedtls is a lean open source crypto library \
+for providing SSL and TLS support in your programs. It offers \
+an intuitive API and documented header files, so you can actually \
+understand what the code does. It features: \
+ \
+ - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4, \
+ Camellia and XTEA \
+ - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5 \
+ - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG \
+ - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \
+ ECDSA and ECDH \
+ - SSL v3 and TLS 1.0, 1.1 and 1.2 \
+ - Abstraction layers for ciphers, hashes, public key operations, \
+ platform abstraction and threading \
+"
+
+HOMEPAGE = "https://www.trustedfirmware.org/projects/mbed-tls/"
+BUGTRACKER = "https://github.com/Mbed-TLS/mbedtls/issues"
+
+LICENSE = "Apache-2.0 | GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
+
+SECTION = "libs"
+
+SRC_URI = "gitsm://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=mbedtls-4.1;tag=v${PV} \
+ file://run-ptest \
+ file://0001-c_build_helper-Split-cc-command-line.patch \
+ "
+
+SRC_URI:append:class-target = " file://0001-use-qemuwrapper-to-run-cross-compiled-binary.patch"
+
+SRCREV = "0fe989b6b514192783c469039edd325fd0989806"
+
+DEPENDS += "python3-jinja2-native python3-jsonschema-native qemu-native"
+
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
+
+inherit cmake ptest python3native qemu
+
+PACKAGECONFIG ??= "shared-libs programs ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
+PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF"
+PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF"
+PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF"
+PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF"
+
+PROVIDES += "polarssl"
+RPROVIDES:${PN} = "polarssl"
+
+PACKAGES =+ "${PN}-programs"
+FILES:${PN}-programs = "${bindir}/"
+
+BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT = "mbed_tls"
+
+do_configure:prepend() {
+ # during building tf-psa-crypto/framework/scripts/mbedtls_framework/c_build_helper.py
+ # runs some of the cross-compiled binaries.
+
+ qemu_binary="${@qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'), [d.expand('${STAGING_DIR_HOST}${libdir}'),d.expand('${STAGING_LIBDIR}')])}"
+ cat > ${WORKDIR}/qemuwrapper << EOF
+#!/bin/sh
+$qemu_binary "\$@"
+EOF
+
+ chmod +x ${WORKDIR}/qemuwrapper
+}
+
+# Strip host paths from autogenerated test files
+do_compile:append() {
+ sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :
+ sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || :
+}
+
+# Export source files/headers needed by Arm Trusted Firmware
+sysroot_stage_all:append() {
+ sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
+ sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
+}
+
+do_install_ptest () {
+ install -d ${D}${PTEST_PATH}/tests
+ install -d ${D}${PTEST_PATH}/framework
+ cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/
+ find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete
+ cp -fR ${S}/framework/data_files ${D}${PTEST_PATH}/framework/
+}
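Review bot: The DESCRIPTION at the top of the recipe is carried over from the older recipe and advertises algorithms and protocol versions that this release line does not ship. Blowfish, ARC4, XTEA, SSL v3 and TLS 1.0/1.1 were already removed in Mbed TLS 3.0, and as far as I know DES/Triple-DES went away with 4.0. Anyone assessing the package from its metadata would conclude that legacy ciphers and protocols are available. I would trim the symmetric list to the algorithms still present and change the protocol line to `- TLS 1.2 and 1.3 \`, after checking both against the 4.1 changelog linked in the commit message.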
This is the current LTS version for mbedtls, add it next to the existing recipe for v3.6. This new version will be supported longer than v3.6, but there are some incompatibilities between the two (see migration guide[1] and changelog[2]). This recipe is based on the v3.6 recipe. psa PACKAGECONFIG was dropped, as it is now the regular behavior, without an option to turn it off. update-alternatives class is also removed - it was required due to a sample program called "hello", which has been removed from this release. Added two small patches: - one to handle the CC env var correctly from Python. This is submitted for upstream. - one to use qemu to run cross-compiled binaries instead of running them as they are. This is not upstreamed, as it is OE specific. Ptests passed successfully: root@qemux86-64:~# ptest-runner START: ptest-runner 2026-04-23T07:29 BEGIN: /usr/lib/mbedtls/ptest PASS: test_suite_config.mbedtls_boolean PASS: test_suite_config.tls_combinations PASS: test_suite_constant_time_hmac PASS: test_suite_debug PASS: test_suite_error PASS: test_suite_mps PASS: test_suite_net PASS: test_suite_pkcs7 PASS: test_suite_ssl PASS: test_suite_ssl.records PASS: test_suite_ssl.tls-defrag PASS: test_suite_ssl_decrypt.misc PASS: test_suite_test_helpers PASS: test_suite_timing PASS: test_suite_version PASS: test_suite_x509_oid PASS: test_suite_x509parse PASS: test_suite_x509write DURATION: 7 END: /usr/lib/mbedtls/ptest 2026-04-23T07:29 STOP: ptest-runner TOTAL: 1 FAIL: 0 [1]: https://github.com/Mbed-TLS/mbedtls/blob/development/docs/4.0-migration-guide.md [2]: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-4.1.0 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- v2: Inherit python3native, because some native python modules need to be used. When using the system python, PYTHONPATH gets mixed with build host and sysroot modules, which is incorrect. 
When using python3native class, the module search path is confined to the sysroot, so it can be better controlled. Also, add python3-jsonschema-native as a build dependency (in v1 the recipe took this dependency from my build host) ...c_build_helper-Split-cc-command-line.patch | 33 +++++++ ...wrapper-to-run-cross-compiled-binary.patch | 29 ++++++ .../mbedtls/mbedtls_4.1.0.bb | 88 +++++++++++++++++++ 3 files changed, 150 insertions(+) create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-c_build_helper-Split-cc-command-line.patch create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-use-qemuwrapper-to-run-cross-compiled-binary.patch create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_4.1.0.bb