From: Trevor Woerner <twoerner@gmail.com>
To: Mikko Rapeli <mikko.rapeli@linaro.org>
Cc: raj.khem@gmail.com,
Sathishkumar Duraisamy <sathishkumar.d.cbe@gmail.com>,
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
Date: Wed, 7 May 2025 14:29:24 -0400 [thread overview]
Message-ID: <20250507182924.GA700@localhost> (raw)
In-Reply-To: <aBtspIFmf7KoIZ_7@nuoska>
On Wed 2025-05-07 @ 05:22:28 PM, Mikko Rapeli wrote:
> Hi,
>
> On Wed, May 07, 2025 at 11:22:49AM +0300, Mikko Rapeli via lists.openembedded.org wrote:
> > On Tue, May 06, 2025 at 11:14:02PM -0700, Khem Raj via lists.openembedded.org wrote:
> > > On Tue, May 6, 2025 at 11:04 PM Sathishkumar Duraisamy
> > > <sathishkumar.d.cbe@gmail.com> wrote:
> > > >
> > > > On Wed, May 7, 2025 at 4:29 AM Khem Raj <raj.khem@gmail.com> wrote:
> > > >>
> > > >> On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy
> > > >> <sathishkumar.d.cbe@gmail.com> wrote:
> > > >> >
> > > >> > Hi
> > > >> >
> > > >> > On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
> > > >> >>
> > > >> >> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
> > > >> >> lists.openembedded.org
> > > >> >> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
> > > >> >> >
> > > >> >> > Hi all,
> > > >> >> >
> > > >> >> > I am also facing the same build issue. I tried to understand the issue. From build system for both openssl and systemd, -mbranch-protection=standard enabled. In fact the support this flag added long back, https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 and tpm2 introduces additional dependencies for systemd as in commit https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f.
> > > >> >> >
> > > >> >>
> > > >> >> is this flag passed to linker as well ?
> > > >> >>
> > > >> > Openssl:
> > > >> > =======
> > > >> >
> > > >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
> > > >> >
> > > >> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -pipe -Wl,-z,gcs-compliant=all "
> > > >> >
> > > >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -Wl,-z,relro,-z,now"
> > > >> >
> > > >> > systemd
> > > >> > ======
> > > >> >
> > > >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > > >> >
> > > >> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -pipe --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > > >> >
> > > >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -Wl,-z,relro,-z,now"
> > > >> >
> > > >> >
> > > >>
> > > >> Please try adding -Wl,-z,gcs-compliant=all to systemd LDFLAGS not
> > > >> CFLAGS or to openssl flags.
> > > >
> > > >
> > > > Shortly I will build with LDFLAGS and will post the update here.
> > > >
> > >
> > > also try adding try with -Wl,-z,gcs-report-dynamic=none to LDFLAGS in
> > > systemd and see if that helps
> >
> > This did not seem to work. Unknown linker flag and build failure.
>
> Trevor replied on #yocto irc that this worked so I was wrong. I must have mixed up
> testing "-Wl,-z,gcs-report-dynamic=none" which works and "-Wl,-z,gcs-compliant=all"
> which fails in systemd build with:
>
> | ../git/meson.build:3:0: ERROR: Compiler aarch64-poky-linux-gcc -march=armv8-a+crc -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/recipe-sysroot cannot compile programs.
>
> and
>
> $ grep error: /home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/build/meson-logs/meson-log.txt
> /home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/recipe-sysroot-native/usr/bin/aarch64-poky-linux/../../libexec/aarch64-poky-linux/gcc/aarch64-poky-linux/15.1.0/ld: error: unrecognized value '-z gcs-compliant=all'
>
> So this in meta-security/meta-tpm systemd bbappend works:
>
> LDFLAGS:append:aarch64 = " -Wl,-z,gcs-report-dynamic=none"
>
> I can send this out in v2. No need to patch meson.build then.
I stumbled across this build issue via a completely different route than most
others, it seems, and certainly different than what you have described. I'm
not using meta-security and I'm not using tpm2. Therefore your patch will do
little to solve my build, and others will likely stumble across this issue by
other routes as well.
I'm using systemd's repart mechanism to repartition/resize my disks on boot to
support A/B partitioning using RAUC in meta-rockchip. To support this, I have
enabled systemd's "repart" PACKAGECONFIG, which (apparently) requires
systemd's "openssl" PACKAGECONFIG to be enabled as well. This, in systemd,
appears to be the *root* of the problem. If the user is building for aarch64,
and has enabled systemd's openssl PACKAGECONFIG, then the additional linker
flags are required. This should solve the problem for everyone?
next prev parent reply other threads:[~2025-05-07 18:29 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-05 11:46 systemd build failure with gcc 15 / tpm2 / aarch64: gcs required Max Krummenacher
2025-05-05 12:33 ` [OE-core] " Vyacheslav Yurkov
2025-05-05 12:56 ` Max Krummenacher
2025-05-05 14:45 ` Khem Raj
2025-05-05 19:09 ` [OE-core] " Randy MacLeod
2025-05-06 11:38 ` Sathishkumar D
2025-05-06 12:24 ` [OE-core] " Mikko Rapeli
2025-05-06 13:13 ` Khem Raj
2025-05-06 13:28 ` Sathishkumar Duraisamy
2025-05-06 13:32 ` Khem Raj
2025-05-06 13:45 ` Mikko Rapeli
2025-05-06 14:21 ` Max Krummenacher
2025-05-06 22:59 ` Khem Raj
2025-05-07 6:04 ` Sathishkumar Duraisamy
2025-05-07 6:14 ` Khem Raj
2025-05-07 8:22 ` Mikko Rapeli
[not found] ` <183D310FC8853D5E.1749@lists.openembedded.org>
2025-05-07 8:31 ` Mikko Rapeli
2025-05-07 8:55 ` Sathishkumar Duraisamy
2025-05-07 14:22 ` Mikko Rapeli
2025-05-07 14:35 ` Khem Raj
2025-05-07 16:05 ` Sathishkumar Duraisamy
2025-05-07 18:29 ` Trevor Woerner [this message]
2025-05-07 18:33 ` Ross Burton
2025-05-07 18:38 ` Khem Raj
2025-05-07 19:04 ` Trevor Woerner
2025-05-07 19:10 ` Trevor Woerner
2025-05-07 19:51 ` Khem Raj
2025-05-08 6:22 ` Mikko Rapeli
2025-05-08 7:00 ` Khem Raj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250507182924.GA700@localhost \
--to=twoerner@gmail.com \
--cc=mikko.rapeli@linaro.org \
--cc=openembedded-core@lists.openembedded.org \
--cc=raj.khem@gmail.com \
--cc=sathishkumar.d.cbe@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox