From 995e5496771b7de51f4bff5f2a811b35b1c43dc8 Mon Sep 17 00:00:00 2001 From: Scott Fleener Date: Tue, 5 Aug 2025 11:06:05 -0400 Subject: [PATCH 1/6] chore(tls): Switch to aws-lc-rs by default This changes the default crypto backend from ring to aws-lc-rs. Eventually we can remove ring entirely from the dependency tree, but for now this simply changes the default. Signed-off-by: Scott Fleener --- linkerd/meshtls/rustls/Cargo.toml | 2 +- linkerd/proxy/transport/Cargo.toml | 2 +- linkerd2-proxy/Cargo.toml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/linkerd/meshtls/rustls/Cargo.toml b/linkerd/meshtls/rustls/Cargo.toml index 213afacb7a..f5b34dddc2 100644 --- a/linkerd/meshtls/rustls/Cargo.toml +++ b/linkerd/meshtls/rustls/Cargo.toml @@ -7,7 +7,7 @@ edition = "2018" publish = { workspace = true } [features] -default = ["ring"] +default = ["aws-lc"] ring = ["tokio-rustls/ring", "rustls-webpki/ring"] aws-lc = ["tokio-rustls/aws-lc-rs", "rustls-webpki/aws-lc-rs"] aws-lc-fips = ["aws-lc", "tokio-rustls/fips"] diff --git a/linkerd/proxy/transport/Cargo.toml b/linkerd/proxy/transport/Cargo.toml index d6f6b004ef..e95966b269 100644 --- a/linkerd/proxy/transport/Cargo.toml +++ b/linkerd/proxy/transport/Cargo.toml @@ -14,7 +14,7 @@ futures = { version = "0.3", default-features = false } linkerd-error = { path = "../../error" } linkerd-io = { path = "../../io" } linkerd-stack = { path = "../../stack" } -socket2 = "0.5" +socket2 = { version = "0.5", features = ["all"] } thiserror = "2" tokio = { version = "1", features = ["macros", "net"] } tokio-stream = { version = "0.1", features = ["net"] } diff --git a/linkerd2-proxy/Cargo.toml b/linkerd2-proxy/Cargo.toml index 544147ab7f..429a494309 100644 --- a/linkerd2-proxy/Cargo.toml +++ b/linkerd2-proxy/Cargo.toml 
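Review bot: With `default = ["aws-lc"]` the `ring` feature is still defined next to it, and Cargo features are additive, so a crate that enables `ring` without `default-features = false` now compiles both crypto backends into the TLS stack. The hunk does not show how the crate chooses a provider when both are on, so the expectation should be stated where the default is set, for example `# Enable exactly one of ring / aws-lc; selecting ring requires default-features = false`. The same applies to `default = ["meshtls-rustls-aws-lc"]` in linkerd2-proxy/Cargo.toml later in this patch. If the crate does not already have one, a build-time check that rejects both features together would make the provider used for mesh TLS unambiguous.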
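Review bot: The `socket2 = { version = "0.5", features = ["all"] }` change is not explained by the commit message, which only covers the crypto backend. Presumably `all` used to be switched on through feature unification by a dependency that the backend change dropped, but that is an inference from this hunk alone. A one-line comment above the entry naming which socket2 API needs `all` would keep the feature from being removed as unused later.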
@@ -8,7 +8,7 @@ publish = { workspace = true } description = "The main proxy executable" [features] -default = ["meshtls-rustls-ring"] +default = ["meshtls-rustls-aws-lc"] meshtls-boring = ["linkerd-meshtls/boring"] meshtls-boring-fips = ["linkerd-meshtls/boring-fips"] meshtls-rustls-aws-lc = ["linkerd-meshtls/rustls-aws-lc"] From eb5d8a2fb2ab610db137863bc441b8d595777703 Mon Sep 17 00:00:00 2001 From: Scott Fleener Date: Fri, 1 Aug 2025 15:02:52 -0400 Subject: [PATCH 2/6] fix(ci): Add cross-compilation toolchain for arm64 This adds the cross compilation toolchain and required environment variables to the release workflows and local Dockerfile. These will end up in the dev image, but for now we can specify them manually. Signed-off-by: Scott Fleener --- .github/workflows/release.yml | 11 +++++++++++ Dockerfile | 8 +++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 49c0613188..f4b9780215 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -145,11 +145,22 @@ jobs: env: LINKERD2_PROXY_VENDOR: ${{ github.repository_owner }} LINKERD2_PROXY_VERSION: ${{ needs.meta.outputs.version }} + # TODO: add to dev image + AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu: "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld" + AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl: "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld" steps: # TODO: add to dev image - name: Install MiniGW if: matrix.os == 'windows' run: apt-get update && apt-get install mingw-w64 -y + # TODO: add to dev image + - name: Install cross compilation toolchain + if: matrix.arch == 'arm64' + run: apt-get update && apt-get install --no-install-recommends -y \ + g++-aarch64-linux-gnu \ + gcc-aarch64-linux-gnu \ + binutils-aarch64-linux-gnu \ + libc6-dev-arm64-cross - name: Configure git run: git config --global --add safe.directory "$PWD" # actions/runner#2033 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 
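Review bot: The `run:` value of the new "Install cross compilation toolchain" step appears to be a plain YAML scalar continued with trailing `\`, and YAML folds those line breaks into spaces while keeping the backslashes. The shell would then see `-y \ g++-aarch64-linux-gnu \ gcc-aarch64-linux-gnu ...`, where each `\ ` is an escaped space, so the package names likely reach apt-get with a leading space. A block scalar, `run: |` with the command on the lines below it, or the whole command on one line, gives the intended continuation. The step keeps the same shape in PATCH 4/6, where only `binutils-aarch64-linux-gnu` remains. Since this job builds release artifacts, confirm on a run of the arm64 matrix entry that the linker package is actually installed.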
diff --git a/Dockerfile b/Dockerfile index fb9b8a9a55..916fa80f10 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,11 +14,16 @@ FROM $LINKERD2_IMAGE as linkerd2 FROM --platform=$BUILDPLATFORM $RUST_IMAGE as fetch ARG PROXY_FEATURES="" +ARG TARGETARCH="amd64" RUN apt-get update && \ apt-get install -y time && \ if [[ "$PROXY_FEATURES" =~ .*meshtls-boring.* ]] ; then \ apt-get install -y golang ; \ fi && \ + case "$TARGETARCH" in \ + amd64) true ;; \ + arm64) apt-get install --no-install-recommends -y libc6-dev-arm64-cross gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu ;; \ + esac && \ rm -rf /var/lib/apt/lists/* ENV CARGO_NET_RETRY=10 @@ -33,7 +38,8 @@ RUN --mount=type=cache,id=cargo,target=/usr/local/cargo/registry \ FROM fetch as build ENV CARGO_INCREMENTAL=0 ENV RUSTFLAGS="-D warnings -A deprecated --cfg tokio_unstable" -ARG TARGETARCH="amd64" +ENV AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu="-fuse-ld=/usr/aarch64-linux-gnu/bin/ld" +ENV AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl="-fuse-ld=/usr/aarch64-linux-gnu/bin/ld" ARG PROFILE="release" ARG LINKERD2_PROXY_VERSION="" ARG LINKERD2_PROXY_VENDOR="" From d2d3e4fadfbf72abf79917cba838bcce6f33d41d Mon Sep 17 00:00:00 2001 From: Scott Fleener Date: Tue, 5 Aug 2025 10:23:58 -0400 Subject: [PATCH 3/6] lint: Include specific dev release in TODO comments Signed-off-by: Scott Fleener --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f4b9780215..58280fbbce 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
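Review bot: The new `case "$TARGETARCH"` in the fetch stage has no `*)` arm, so any value other than `amd64` or `arm64` falls through silently and the stage completes without installing a cross toolchain; a mismatch would only show up later, at link time. Adding `*) echo "unsupported TARGETARCH: $TARGETARCH" >&2; exit 1 ;; \` before `esac` stops the build at the point where the assumption breaks. The same `case` is carried into PATCH 5/6 with a shorter package list. The stage continues outside this hunk.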
@@ -145,7 +145,7 @@ jobs: env: LINKERD2_PROXY_VENDOR: ${{ github.repository_owner }} LINKERD2_PROXY_VERSION: ${{ needs.meta.outputs.version }} - # TODO: add to dev image + # TODO: these variables will be included in dev v48 AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu: "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld" AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl: "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld" steps: @@ -153,7 +153,7 @@ jobs: - name: Install MiniGW if: matrix.os == 'windows' run: apt-get update && apt-get install mingw-w64 -y - # TODO: add to dev image + # TODO: these packages will be included in dev v48 - name: Install cross compilation toolchain if: matrix.arch == 'arm64' run: apt-get update && apt-get install --no-install-recommends -y \ From f21cbe60533c3a449f712f42d43bf0264a9113d9 Mon Sep 17 00:00:00 2001 From: Scott Fleener Date: Tue, 5 Aug 2025 11:12:45 -0400 Subject: [PATCH 4/6] fix(ci): Move cross compile env vars to justfile Signed-off-by: Scott Fleener --- .github/workflows/release.yml | 8 +------- justfile | 4 ++++ 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 58280fbbce..fa566959db 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -145,9 +145,6 @@ jobs: env: LINKERD2_PROXY_VENDOR: ${{ github.repository_owner }} LINKERD2_PROXY_VERSION: ${{ needs.meta.outputs.version }} - # TODO: these variables will be included in dev v48 - AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu: "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld" - AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl: "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld" steps: # TODO: add to dev image - name: Install MiniGW 
@@ -157,10 +154,7 @@ jobs: - name: Install cross compilation toolchain if: matrix.arch == 'arm64' run: apt-get update && apt-get install --no-install-recommends -y \ - g++-aarch64-linux-gnu \ - gcc-aarch64-linux-gnu \ - binutils-aarch64-linux-gnu \ - libc6-dev-arm64-cross + binutils-aarch64-linux-gnu - name: Configure git run: git config --global --add safe.directory "$PWD" # actions/runner#2033 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 diff --git a/justfile b/justfile index 1781b24438..24015333ec 100644 --- a/justfile +++ b/justfile @@ -18,6 +18,10 @@ features := "" export LINKERD2_PROXY_VERSION := env_var_or_default("LINKERD2_PROXY_VERSION", "0.0.0-dev" + `git rev-parse --short HEAD`) export LINKERD2_PROXY_VENDOR := env_var_or_default("LINKERD2_PROXY_VENDOR", `whoami` + "@" + `hostname`) +# TODO: these variables will be included in dev v48 +export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu := env_var_or_default("AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu", "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld") +export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl := env_var_or_default("AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl", "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld") + # The version name to use for packages. package_version := "v" + LINKERD2_PROXY_VERSION From 6b60574ec7fe00ed51fcc3945791bc78362e5c88 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Tue, 5 Aug 2025 13:14:24 -0700 Subject: [PATCH 5/6] chore(dockerfile): minimal apt-get install --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 916fa80f10..8949fd7905 100644 --- a/Dockerfile +++ b/Dockerfile 
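Review bot: The comment above the two new `export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_*` lines in the justfile says when they go away but not what they do. The default hard-codes `/usr/aarch64-linux-gnu/bin/ld`, which presumably is the path installed by `binutils-aarch64-linux-gnu`, and `env_var_or_default` lets any value already in the environment replace it without a trace in the build output. Because these flags select the linker for the C parts of release builds, I would extend the comment to something like `# Cross linker for aws-lc-sys on aarch64 (from binutils-aarch64-linux-gnu); an inherited environment value takes precedence`. These variables are exported for every recipe and host, so it also helps to note that they only take effect for the aarch64 targets named in the variable.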
@@ -22,7 +22,7 @@ RUN apt-get update && \ fi && \ case "$TARGETARCH" in \ amd64) true ;; \ - arm64) apt-get install --no-install-recommends -y libc6-dev-arm64-cross gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu ;; \ + arm64) apt-get install --no-install-recommends -y binutils-aarch64-linux-gnu ;; \ esac && \ rm -rf /var/lib/apt/lists/* From 49f235c0746ee438e667a648427c8bb6b7be2c10 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Tue, 5 Aug 2025 13:14:40 -0700 Subject: [PATCH 6/6] chore(dockerfile): remove redundant CFLAGS --- Dockerfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8949fd7905..cfc246a619 100644 --- a/Dockerfile +++ b/Dockerfile @@ -38,8 +38,6 @@ RUN --mount=type=cache,id=cargo,target=/usr/local/cargo/registry \ FROM fetch as build ENV CARGO_INCREMENTAL=0 ENV RUSTFLAGS="-D warnings -A deprecated --cfg tokio_unstable" -ENV AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu="-fuse-ld=/usr/aarch64-linux-gnu/bin/ld" -ENV AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl="-fuse-ld=/usr/aarch64-linux-gnu/bin/ld" ARG PROFILE="release" ARG LINKERD2_PROXY_VERSION="" ARG LINKERD2_PROXY_VENDOR=""