[Buildroot] [PATCH 1/1] package/libnss fix buildtype

[Buildroot] [PATCH 1/1] package/libnss fix buildtype

[Ayrton Leyssens]

By default, libnss is built as debug.
We need to add BUILD_OPT=1 to the LIBNSS_BUILD_VARS
https://firefox-source-docs.mozilla.org/security/nss/build.html

Signed-off-by: Ayrton Leyssens<aleyssens@idtech.be>
---
 package/libnss/libnss.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/libnss/libnss.mk b/package/libnss/libnss.mk
index 541edf185f..8c99e55a13 100644
--- a/package/libnss/libnss.mk
+++ b/package/libnss/libnss.mk
@@ -47,6 +47,7 @@ LIBNSS_PRE_CONFIGURE_HOOKS += LIBNSS_DROP_GC_SECTIONS
 endif
 
 LIBNSS_BUILD_VARS = \
+	BUILD_OPT=1 \
 	MOZILLA_CLIENT=1 \
 	NSPR_INCLUDE_DIR=$(STAGING_DIR)/usr/include/nspr \
 	NSPR_LIB_DIR=$(STAGING_DIR)/usr/lib \
@@ -128,6 +129,7 @@ define LIBNSS_INSTALL_TARGET_CMDS
 endef
 
 HOST_LIBNSS_BUILD_VARS = \
+	BUILD_OPT=1 \
 	MOZILLA_CLIENT=1 \
 	NSPR_INCLUDE_DIR=$(HOST_DIR)/include/nspr \
 	NSPR_LIB_DIR=$(HOST_DIR)/lib \
-- 
2.43.0

Ayrton Leyssens
Embedded Software Engineer


_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/libnss fix buildtype

[Thomas Petazzoni via buildroot]

Hello Ayrton,

Thanks for your patch!

On Tue, 22 Apr 2025 14:01:24 +0000
Ayrton Leyssens <aleyssens@idtech.be> wrote:

>  LIBNSS_BUILD_VARS = \
> +	BUILD_OPT=1 \

Could you clarify what this does exactly? Indeed, Buildroot already
passes its own optimization flags in CFLAGS, based on the
BR2_OPTIMIZE_* settings, and we clearly don't want libnss to override
that.

Without your patch, when I look at the libnss build, I see:

/home/thomas/projets/buildroot/output/host/bin/arm-linux-gcc -o Linux2.6_arm_arm-linux-gcc.br_real_glibc_PTH_DBG.OBJ/tstclnt -g -g -fPIC   -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -O2 -g0 -D_FORTIFY_SOURCE=1 -Wall -Wshadow -DNSS_NO_GCC48 -DXP_UNIX -DXP_UNIX -DDLL_PREFIX=\"lib\" -DDLL_SUFFIX=\"so\" -DDEBUG -UNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DDEBUG -UNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_DISABLE_AVX2 -DNSS_DISABLE_SSE3 -DNSS_NO_INIT_SUPPORT -DNSS_DISABLE_ARM32_NEON -DNSS_DISABLE_ALTIVEC -DNSS_DISABLE_CRYPTO_VSX -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/home/thomas/projets/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/include/nspr -I/home/thomas/projets/buildroot/output/build/libnss-3.110/dist/include -
 I../../../dist/public/nss -I../../../dist/private/nss -I../../../dist/public/seccmd -I../../../dist/public/dbm  Linux2.6_arm_arm-linux-gcc.br_real_glibc_PTH_DBG.OBJ/tstclnt.o  -z noexecstack  -z noexecstack  -z noexecstack  -z noexecstack  -z noexecstack  -z noexecstack  -z noexecstack  -z noexecstack /home/thomas/projets/buildroot/output/build/libnss-3.110/dist/lib/libsectool.a  -L/home/thomas/projets/buildroot/output/build/libnss-3.110/dist/lib -L/home/thomas/projets/buildroot/output/build/libnss-3.110/dist/lib -lnssutil3 -L/home/thomas/projets/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib -lplc4 -lplds4 -lnspr4  -lssl3 -lsmime3 -lnss3 -lpthread  -ldl -lc -lz

So -O2 is present (from Buildroot), and the -g0 (from Buildroot, by
default) disables the production of debugging symbols which are
apparently enabled earlier by default by libnss (using -g).

So from my perspective, there is nothing to fix, and things are working
as intended. Could you clarify what optimization you are missing, and
how/where you spotted the issue?

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/libnss fix buildtype

[Ayrton Leyssens]

Hi Thomas

The issue presented when we were debugging Certmonger (which I still have to send in correctful).
Same Cermonger version as a Yocto based reference build.
So, we looked at the dependencies.
When checking versions with 'strings libnss.a | grep -i version' we saw version = 3.108 (debug) (while the reference has not).
Going through the docs of LibNSS, I noticed that the make target of LibNSS is not using the default passed make arguments (like -O2).
When passed no additional arguments as defined (https://firefox-source-docs.mozilla.org/security/nss/build.html ), it is all 0 by default.
So goes for the BUILD_OPT:
0: Build a debug (non-optimized) version of NSS. This is the default.
1: Build an optimized (non-debug) version of NSS.

-O2 disables the production of debug symbols, but the BUILD_OPT var has implications on the source itself.
When in the so called 'debug' build, LibNSS discards all variables / sets them to NULL if not all arguments are passed to some functions.


Ayrton Leyssens
Embedded Software Engineer



Rue Saucin 62, 5032 Isnes, Belgium
Phone: +32 81 55 46 10

Discover how we Open Doors to Solutions
www.idtech.be

> -----Original Message-----
> From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> Sent: Wednesday, April 23, 2025 11:48 PM
> To: Ayrton Leyssens <aleyssens@idtech.be>
> Cc: buildroot@buildroot.org; Gilles Fouarge <gfouarge@idtech.be>
> Subject: Re: [Buildroot] [PATCH 1/1] package/libnss fix buildtype
> 
> Hello Ayrton,
> 
> Thanks for your patch!
> 
> On Tue, 22 Apr 2025 14:01:24 +0000
> Ayrton Leyssens <aleyssens@idtech.be> wrote:
> 
> >  LIBNSS_BUILD_VARS = \
> > +	BUILD_OPT=1 \
> 
> Could you clarify what this does exactly? Indeed, Buildroot already passes its
> own optimization flags in CFLAGS, based on the
> BR2_OPTIMIZE_* settings, and we clearly don't want libnss to override that.
> 
> Without your patch, when I look at the libnss build, I see:
> 
> /home/thomas/projets/buildroot/output/host/bin/arm-linux-gcc -o
> Linux2.6_arm_arm-linux-gcc.br_real_glibc_PTH_DBG.OBJ/tstclnt -g -g -fPIC   -
> pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -
> D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -
> O2 -g0 -D_FORTIFY_SOURCE=1 -Wall -Wshadow -DNSS_NO_GCC48 -
> DXP_UNIX -DXP_UNIX -DDLL_PREFIX=\"lib\" -DDLL_SUFFIX=\"so\" -DDEBUG -
> UNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -
> DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DDEBUG -UNDEBUG -
> D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -
> DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_DISABLE_AVX2 -
> DNSS_DISABLE_SSE3 -DNSS_NO_INIT_SUPPORT -
> DNSS_DISABLE_ARM32_NEON -DNSS_DISABLE_ALTIVEC -
> DNSS_DISABLE_CRYPTO_VSX -DUSE_UTIL_DIRECTLY -
> DNO_NSPR_10_SUPPORT -
> DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -
> I/home/thomas/projets/buildroot/output/host/arm-buildroot-linux-
> gnueabihf/sysroot/usr/include/nspr -
> I/home/thomas/projets/buildroot/output/build/libnss-3.110/dist/include -
>  I../../../dist/public/nss -I../../../dist/private/nss -I../../../dist/public/seccmd -
> I../../../dist/public/dbm  Linux2.6_arm_arm-linux-
> gcc.br_real_glibc_PTH_DBG.OBJ/tstclnt.o  -z noexecstack  -z noexecstack  -z
> noexecstack  -z noexecstack  -z noexecstack  -z noexecstack  -z noexecstack  -z
> noexecstack /home/thomas/projets/buildroot/output/build/libnss-
> 3.110/dist/lib/libsectool.a  -
> L/home/thomas/projets/buildroot/output/build/libnss-3.110/dist/lib -
> L/home/thomas/projets/buildroot/output/build/libnss-3.110/dist/lib -
> lnssutil3 -L/home/thomas/projets/buildroot/output/host/arm-buildroot-
> linux-gnueabihf/sysroot/usr/lib -lplc4 -lplds4 -lnspr4  -lssl3 -lsmime3 -lnss3 -
> lpthread  -ldl -lc -lz
> 
> So -O2 is present (from Buildroot), and the -g0 (from Buildroot, by
> default) disables the production of debugging symbols which are apparently
> enabled earlier by default by libnss (using -g).
> 
> So from my perspective, there is nothing to fix, and things are working as
> intended. Could you clarify what optimization you are missing, and
> how/where you spotted the issue?
> 
> Best regards,
> 
> Thomas
> --
> Thomas Petazzoni, co-owner and CEO, Bootlin Embedded Linux and Kernel
> engineering and training https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/libnss fix buildtype

[Thomas Petazzoni via buildroot]

Hello Ayrton,

Thanks for the feedback. More questions/comments below.

On Thu, 24 Apr 2025 06:11:27 +0000
Ayrton Leyssens <aleyssens@idtech.be> wrote:

> The issue presented when we were debugging Certmonger (which I still have to send in correctful).
> Same Cermonger version as a Yocto based reference build.
> So, we looked at the dependencies.
> When checking versions with 'strings libnss.a | grep -i version' we saw version = 3.108 (debug) (while the reference has not).
> Going through the docs of LibNSS, I noticed that the make target of LibNSS is not using the default passed make arguments (like -O2).

Reading the code of nss, I see:

ifdef BUILD_OPT
ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
	OPTIMIZER = -Os
else
	OPTIMIZER = -O2
endif

So when BUILD_OPT is 0, no flag is added. And as reported in my
previous e-mail, Buildroot passed CFLAGS -O2 and -g0 are taken into
account.

> When passed no additional arguments as defined (https://firefox-source-docs.mozilla.org/security/nss/build.html ), it is all 0 by default.
> So goes for the BUILD_OPT:
> 0: Build a debug (non-optimized) version of NSS. This is the default.
> 1: Build an optimized (non-debug) version of NSS.
> 
> -O2 disables the production of debug symbols, but the BUILD_OPT var has implications on the source itself.

No -O2 does not disable the production of debug symbols. The -g0 does it.

Could you clarify which implications BUILD_OPT has on the source files?
I went through the nss code base, grepped for BUILD_OPT everywhere, and
couldn't spot how this was having an impact on the source code.

> When in the so called 'debug' build, LibNSS discards all variables / sets them to NULL if not all arguments are passed to some functions.

Could you provide some pointers to the actual code? Also I guess you
meant these are discarded in the optimized build, not the debug build,
right?

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot