* systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
@ 2025-05-05 11:46 Max Krummenacher
2025-05-05 12:33 ` [OE-core] " Vyacheslav Yurkov
2025-05-05 14:45 ` Khem Raj
0 siblings, 2 replies; 29+ messages in thread
From: Max Krummenacher @ 2025-05-05 11:46 UTC (permalink / raw)
To: openembedded-core; +Cc: Khem Raj, Max Krummenacher
Hello
I'm seeing a strange warning resulting in a failed build when building
systemd with tpm2 in DISTRO_FEATURES.
GCS seems to be a new feature supported with GCC 15 and friends
targeting the AARCH64 architecture. Whatever it does ;-).
Ways to reproduce:
Add the needed layers for tpm2, add tpm2 to distro features and build
systemd.
E.g.
bblayers.conf additions:
${TOPDIR}/../meta-security/meta-tpm \
${TOPDIR}/../meta-openembedded/meta-oe \
${TOPDIR}/../meta-openembedded/meta-python \
local.conf additions:
DISTRO_FEATURES:append = " tpm2"
INIT_MANAGER = "systemd"
MACHINE=qemuarm64 bitbake systemd
Results in:
| FAILED: src/shared/libsystemd-shared-257.so
| aarch64-poky-linux-gcc -mcpu=cortex-a57+crc -mbranch-protection=standard -fstack-protector-strong
-O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=...systemd/257.5/recipe-sysroot
-o src/shared/libsystemd-shared-257.so -Wl,--as-needed -Wl,--no-undefined -shared -fPIC
-Wl,-soname,libsystemd-shared-257.so -Wl,--whole-archive -Wl,--start-group src/shared/libsystemd-shared-257.a
src/basic/libbasic.a src/libsystemd/libsystemd_static.a -Wl,--no-whole-archive -fstack-protector
-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=...systemd/257.5/git=/usr/src/debug/systemd/257.5
-ffile-prefix-map...systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=...systemd/257.5/recipe-sysroot=
-ffile-prefix-map=...systemd/257.5/recipe-sysroot-native= -Wl,-z,relro,-z,now -shared
-Wl,--version-script=...systemd/257.5/git/src/shared/libshared.sym -pthread ...systemd/257.5/recipe-sysroot/usr/lib/libacl.so
...systemd/257.5/recipe-sysroot/usr/lib/libblkid.so ...systemd/257.5/recipe-sysroot/usr/lib/libcap.so
...systemd/257.5/recipe-sysroot/usr/lib/libcrypt.so -ldl ...systemd/257.5/recipe-sysroot/usr/lib/libmount.so
...systemd/257.5/recipe-sysroot/usr/lib/libssl.so ...systemd/257.5/recipe-sysroot/usr/lib/libcrypto.so -lrt
...systemd/257.5/recipe-sysroot/usr/lib/libseccomp.so -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common
-Wl,--gc-sections -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections -lm
-Wl,--end-group -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections
-Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections
| ...systemd/257.5/recipe-sysroot/usr/lib/libcrypto.so: warning: GCS is required by -z gcs,
but this shared library lacks the necessary property note. The dynamic loader might not enable GCS
or refuse to load the program unless all the shared library dependencies have the GCS marking.
| collect2: error: ld returned 1 exit status
I already found that adding to the systemd recipe
'CFLAGS:append = " -Wl,-z,gcs-report-dynamic=none"'
prevents the build error. However I'm not sure if that would be a good
way forward and if there are other recipes / configurations which would
result in similar build errors.
Any comments? Thanks.
Regards
Max
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-05 11:46 systemd build failure with gcc 15 / tpm2 / aarch64: gcs required Max Krummenacher
@ 2025-05-05 12:33 ` Vyacheslav Yurkov
2025-05-05 12:56 ` Max Krummenacher
2025-05-05 14:45 ` Khem Raj
1 sibling, 1 reply; 29+ messages in thread
From: Vyacheslav Yurkov @ 2025-05-05 12:33 UTC (permalink / raw)
To: max.oss.09; +Cc: openembedded-core, Khem Raj, Max Krummenacher
[-- Attachment #1: Type: text/plain, Size: 3809 bytes --]
Did you ask this in the systemd issue tracker as well?
Slava
On Mon, May 5, 2025, 13:46 Max Krummenacher via lists.openembedded.org
<max.oss.09=gmail.com@lists.openembedded.org> wrote:
> Hello
>
> I'm seeing a strange warning resulting in a failed build when building
> systemd with tpm2 in DISTRO_FEATURES.
>
> GCS seems to be a new feature supported with GCC 15 and friends
> targeting the AARCH64 architecture. Whatever it does ;-).
>
> Ways to reproduce:
>
> Add the needed layers for tpm2, add tpm2 to distro features and build
> systemd.
> E.g.
> bblayers.conf additions:
>
> ${TOPDIR}/../meta-security/meta-tpm \
> ${TOPDIR}/../meta-openembedded/meta-oe \
> ${TOPDIR}/../meta-openembedded/meta-python \
>
> local.conf additions:
>
> DISTRO_FEATURES:append = " tpm2"
> INIT_MANAGER = "systemd"
>
> MACHINE=qemuarm64 bitbake systemd
>
> Results in:
>
> | FAILED: src/shared/libsystemd-shared-257.so
> | aarch64-poky-linux-gcc -mcpu=cortex-a57+crc -mbranch-protection=standard
> -fstack-protector-strong
> -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
> -Werror=format-security --sysroot=...systemd/257.5/recipe-sysroot
> -o src/shared/libsystemd-shared-257.so -Wl,--as-needed
> -Wl,--no-undefined -shared -fPIC
> -Wl,-soname,libsystemd-shared-257.so -Wl,--whole-archive
> -Wl,--start-group src/shared/libsystemd-shared-257.a
> src/basic/libbasic.a src/libsystemd/libsystemd_static.a
> -Wl,--no-whole-archive -fstack-protector
> -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> -ffile-prefix-map=...systemd/257.5/git=/usr/src/debug/systemd/257.5
> -ffile-prefix-map...systemd/257.5/build=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=...systemd/257.5/recipe-sysroot=
> -ffile-prefix-map=...systemd/257.5/recipe-sysroot-native=
> -Wl,-z,relro,-z,now -shared
> -Wl,--version-script=...systemd/257.5/git/src/shared/libshared.sym
> -pthread ...systemd/257.5/recipe-sysroot/usr/lib/libacl.so
> ...systemd/257.5/recipe-sysroot/usr/lib/libblkid.so
> ...systemd/257.5/recipe-sysroot/usr/lib/libcap.so
> ...systemd/257.5/recipe-sysroot/usr/lib/libcrypt.so -ldl
> ...systemd/257.5/recipe-sysroot/usr/lib/libmount.so
> ...systemd/257.5/recipe-sysroot/usr/lib/libssl.so
> ...systemd/257.5/recipe-sysroot/usr/lib/libcrypto.so -lrt
> ...systemd/257.5/recipe-sysroot/usr/lib/libseccomp.so
> -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common
> -Wl,--gc-sections -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro
> -Wl,--warn-common -Wl,--gc-sections -lm
> -Wl,--end-group -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro
> -Wl,--warn-common -Wl,--gc-sections
> -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common
> -Wl,--gc-sections
> | ...systemd/257.5/recipe-sysroot/usr/lib/libcrypto.so: warning: GCS is
> required by -z gcs,
> but this shared library lacks the necessary property note. The dynamic
> loader might not enable GCS
> or refuse to load the program unless all the shared library dependencies
> have the GCS marking.
> | collect2: error: ld returned 1 exit status
>
>
> I already found that adding to the systemd recipe
>
> 'CFLAGS:append = " -Wl,-z,gcs-report-dynamic=none"'
>
> prevents the build error. However I'm not sure if that would be a good
> way forward and if there are other recipes / configurations which would
> result in similar build errors.
>
> Any comments? Thanks.
>
> Regards
> Max
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#216006):
> https://lists.openembedded.org/g/openembedded-core/message/216006
> Mute This Topic: https://lists.openembedded.org/mt/112627480/4455192
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> uvv.mail@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
[-- Attachment #2: Type: text/html, Size: 5009 bytes --]
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-05 12:33 ` [OE-core] " Vyacheslav Yurkov
@ 2025-05-05 12:56 ` Max Krummenacher
0 siblings, 0 replies; 29+ messages in thread
From: Max Krummenacher @ 2025-05-05 12:56 UTC (permalink / raw)
To: Vyacheslav Yurkov; +Cc: openembedded-core, Khem Raj, Max Krummenacher
On Mon, May 05, 2025 at 02:33:22PM +0200, Vyacheslav Yurkov wrote:
> Did you ask this in the systemd issue tracker as well?
No, I didn't. I hoped to get some insight from OE first.
To me it looks more like an issue with the way the toolchain or
systemd or openssl gets configured rather than with the upstream
systemd codebase. I might be wrong though.
Regards
Max
>
> Slava
>
> On Mon, May 5, 2025, 13:46 Max Krummenacher via lists.openembedded.org
> <max.oss.09=gmail.com@lists.openembedded.org> wrote:
>
> > Hello
> >
> > I'm seeing a strange warning resulting in a failed build when building
> > systemd with tpm2 in DISTRO_FEATURES.
> >
> > GCS seems to be a new feature supported with GCC 15 and friends
> > targeting the AARCH64 architecture. Whatever it does ;-).
> >
> > Ways to reproduce:
> >
> > Add the needed layers for tpm2, add tpm2 to distro features and build
> > systemd.
> > E.g.
> > bblayers.conf additions:
> >
> > ${TOPDIR}/../meta-security/meta-tpm \
> > ${TOPDIR}/../meta-openembedded/meta-oe \
> > ${TOPDIR}/../meta-openembedded/meta-python \
> >
> > local.conf additions:
> >
> > DISTRO_FEATURES:append = " tpm2"
> > INIT_MANAGER = "systemd"
> >
> > MACHINE=qemuarm64 bitbake systemd
> >
> > Results in:
> >
> > | FAILED: src/shared/libsystemd-shared-257.so
> > | aarch64-poky-linux-gcc -mcpu=cortex-a57+crc -mbranch-protection=standard
> > -fstack-protector-strong
> > -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
> > -Werror=format-security --sysroot=...systemd/257.5/recipe-sysroot
> > -o src/shared/libsystemd-shared-257.so -Wl,--as-needed
> > -Wl,--no-undefined -shared -fPIC
> > -Wl,-soname,libsystemd-shared-257.so -Wl,--whole-archive
> > -Wl,--start-group src/shared/libsystemd-shared-257.a
> > src/basic/libbasic.a src/libsystemd/libsystemd_static.a
> > -Wl,--no-whole-archive -fstack-protector
> > -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> > -ffile-prefix-map=...systemd/257.5/git=/usr/src/debug/systemd/257.5
> > -ffile-prefix-map...systemd/257.5/build=/usr/src/debug/systemd/257.5
> > -ffile-prefix-map=...systemd/257.5/recipe-sysroot=
> > -ffile-prefix-map=...systemd/257.5/recipe-sysroot-native=
> > -Wl,-z,relro,-z,now -shared
> > -Wl,--version-script=...systemd/257.5/git/src/shared/libshared.sym
> > -pthread ...systemd/257.5/recipe-sysroot/usr/lib/libacl.so
> > ...systemd/257.5/recipe-sysroot/usr/lib/libblkid.so
> > ...systemd/257.5/recipe-sysroot/usr/lib/libcap.so
> > ...systemd/257.5/recipe-sysroot/usr/lib/libcrypt.so -ldl
> > ...systemd/257.5/recipe-sysroot/usr/lib/libmount.so
> > ...systemd/257.5/recipe-sysroot/usr/lib/libssl.so
> > ...systemd/257.5/recipe-sysroot/usr/lib/libcrypto.so -lrt
> > ...systemd/257.5/recipe-sysroot/usr/lib/libseccomp.so
> > -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common
> > -Wl,--gc-sections -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro
> > -Wl,--warn-common -Wl,--gc-sections -lm
> > -Wl,--end-group -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro
> > -Wl,--warn-common -Wl,--gc-sections
> > -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common
> > -Wl,--gc-sections
> > | ...systemd/257.5/recipe-sysroot/usr/lib/libcrypto.so: warning: GCS is
> > required by -z gcs,
> > but this shared library lacks the necessary property note. The dynamic
> > loader might not enable GCS
> > or refuse to load the program unless all the shared library dependencies
> > have the GCS marking.
> > | collect2: error: ld returned 1 exit status
> >
> >
> > I already found that adding to the systemd recipe
> >
> > 'CFLAGS:append = " -Wl,-z,gcs-report-dynamic=none"'
> >
> > prevents the build error. However I'm not sure if that would be a good
> > way forward and if there are other recipes / configurations which would
> > result in similar build errors.
> >
> > Any comments? Thanks.
> >
> > Regards
> > Max
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#216006):
> > https://lists.openembedded.org/g/openembedded-core/message/216006
> > Mute This Topic: https://lists.openembedded.org/mt/112627480/4455192
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> > uvv.mail@gmail.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
> >
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-05 11:46 systemd build failure with gcc 15 / tpm2 / aarch64: gcs required Max Krummenacher
2025-05-05 12:33 ` [OE-core] " Vyacheslav Yurkov
@ 2025-05-05 14:45 ` Khem Raj
2025-05-05 19:09 ` [OE-core] " Randy MacLeod
1 sibling, 1 reply; 29+ messages in thread
From: Khem Raj @ 2025-05-05 14:45 UTC (permalink / raw)
To: Max Krummenacher, openembedded-core; +Cc: Max Krummenacher
On 5/5/25 4:46 AM, Max Krummenacher wrote:
> Hello
>
> I'm seeing a strange warning resulting in a failed build when building
> systemd with tpm2 in DISTRO_FEATURES.
>
> GCS seems to be a new feature supported with GCC 15 and friends
> targeting the AARCH64 architecture. Whatever it does ;-).
>
> Ways to reproduce:
>
> Add the needed layers for tpm2, add tpm2 to distro features and build
> systemd.
> E.g.
> bblayers.conf additions:
>
> ${TOPDIR}/../meta-security/meta-tpm \
> ${TOPDIR}/../meta-openembedded/meta-oe \
> ${TOPDIR}/../meta-openembedded/meta-python \
>
> local.conf additions:
>
> DISTRO_FEATURES:append = " tpm2"
> INIT_MANAGER = "systemd"
>
> MACHINE=qemuarm64 bitbake systemd
>
> Results in:
>
> | FAILED: src/shared/libsystemd-shared-257.so
> | aarch64-poky-linux-gcc -mcpu=cortex-a57+crc -mbranch-protection=standard -fstack-protector-strong
> -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=...systemd/257.5/recipe-sysroot
> -o src/shared/libsystemd-shared-257.so -Wl,--as-needed -Wl,--no-undefined -shared -fPIC
> -Wl,-soname,libsystemd-shared-257.so -Wl,--whole-archive -Wl,--start-group src/shared/libsystemd-shared-257.a
> src/basic/libbasic.a src/libsystemd/libsystemd_static.a -Wl,--no-whole-archive -fstack-protector
> -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=...systemd/257.5/git=/usr/src/debug/systemd/257.5
> -ffile-prefix-map...systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=...systemd/257.5/recipe-sysroot=
> -ffile-prefix-map=...systemd/257.5/recipe-sysroot-native= -Wl,-z,relro,-z,now -shared
> -Wl,--version-script=...systemd/257.5/git/src/shared/libshared.sym -pthread ...systemd/257.5/recipe-sysroot/usr/lib/libacl.so
> ...systemd/257.5/recipe-sysroot/usr/lib/libblkid.so ...systemd/257.5/recipe-sysroot/usr/lib/libcap.so
> ...systemd/257.5/recipe-sysroot/usr/lib/libcrypt.so -ldl ...systemd/257.5/recipe-sysroot/usr/lib/libmount.so
> ...systemd/257.5/recipe-sysroot/usr/lib/libssl.so ...systemd/257.5/recipe-sysroot/usr/lib/libcrypto.so -lrt
> ...systemd/257.5/recipe-sysroot/usr/lib/libseccomp.so -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common
> -Wl,--gc-sections -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections -lm
> -Wl,--end-group -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections
> -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections
> | ...systemd/257.5/recipe-sysroot/usr/lib/libcrypto.so: warning: GCS is required by -z gcs,
> but this shared library lacks the necessary property note. The dynamic loader might not enable GCS
> or refuse to load the program unless all the shared library dependencies have the GCS marking.
> | collect2: error: ld returned 1 exit status
>
>
This error means that systems is being not only compiled but also linked
with -mbranch-protection=standard, however libcrypto.so which it is
linking to is not linked with -mbranch-protection=standard. One reason
could be that openssl linking process does not respect the
-mbranch-protection=standard flag or omits it somehow. Look into build
logs of openssl and see how libcrypto.so is being linked and maybe if we can
pass the -mbranch-protection=standard to linker ( if gcc driver is used
for linking ) or -Wl,-z,gcs to linker cmdline could fix the problem
second option might be to relax GCS Compliance Checking in systemd build
by using -Wl,-z,gcs-compliant=all in linker flags
> I already found that adding to the systemd recipe
>
> 'CFLAGS:append = " -Wl,-z,gcs-report-dynamic=none"'
>
> prevents the build error. However I'm not sure if that would be a good
> way forward and if there are other recipes / configurations which would
> result in similar build errors.
>
> Any comments? Thanks.
>
> Regards
> Max
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-05 14:45 ` Khem Raj
@ 2025-05-05 19:09 ` Randy MacLeod
2025-05-06 11:38 ` Sathishkumar D
0 siblings, 1 reply; 29+ messages in thread
From: Randy MacLeod @ 2025-05-05 19:09 UTC (permalink / raw)
To: raj.khem, Max Krummenacher, openembedded-core; +Cc: Max Krummenacher
[-- Attachment #1: Type: text/plain, Size: 1593 bytes --]
On 2025-05-05 10:45 a.m., Khem Raj via lists.openembedded.org wrote:
>
>
> On 5/5/25 4:46 AM, Max Krummenacher wrote:
>> Hello
>>
>> I'm seeing a strange warning resulting in a failed build when building
>> systemd with tpm2 in DISTRO_FEATURES.
>>
>> GCS seems to be a new feature supported with GCC 15 and friends
>> targeting the AARCH64 architecture. Whatever it does ;-).
I was wondering what GCS was as well so for those interested:
https://www.phoronix.com/news/GCC-15-Arm-GCS-Code-Generation
Arm introduced Guarded Control Stack with their 2022 CPU extensions and
is a means of helping mitigate against some return object programming
(ROP) attacks.
As explained in the Arm documentation
<https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/arm-a-profile-architecture-2022>:
"A GCS is a protected region of virtual address space allocated by
software.
When the processor executes a Branch with Link instruction, such as BL,
the return address is pushed onto the GCS as well as being written
into the Link Register (LR).
On a procedure return, the latest stored return address is popped
from the GCS.
The processor either compares the popped value with the LR, or uses
the popped value
directly...To prevent accidental or malicious changes to the GCS, a
new Stage 1 permission is introduced.
This permission allows reads by software, but restricts writes to
either GCSPUSH instructions or as a side-effect of executing a BL."
More info on the Phoronix page and links therein.
../Randy
[-- Attachment #2: Type: text/html, Size: 2477 bytes --]
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-05 19:09 ` [OE-core] " Randy MacLeod
@ 2025-05-06 11:38 ` Sathishkumar D
2025-05-06 12:24 ` [OE-core] " Mikko Rapeli
2025-05-06 13:13 ` Khem Raj
0 siblings, 2 replies; 29+ messages in thread
From: Sathishkumar D @ 2025-05-06 11:38 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 731 bytes --]
Hi all,
I am also facing the same build issue. I tried to understand the issue. From build system for both openssl and systemd, -mbranch-protection=standard enabled. In fact the support this flag added long back, https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 ( https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 ) and tpm2 introduces additional dependencies for systemd as in commit https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f.
So something issue with gcc-15? or what makes openssl to loose gcs?
Regards,
Sathishkumar D
[-- Attachment #2: Type: text/html, Size: 1207 bytes --]
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-06 11:38 ` Sathishkumar D
@ 2025-05-06 12:24 ` Mikko Rapeli
2025-05-06 13:13 ` Khem Raj
1 sibling, 0 replies; 29+ messages in thread
From: Mikko Rapeli @ 2025-05-06 12:24 UTC (permalink / raw)
To: sathishkumar.d.cbe; +Cc: openembedded-core
Hi,
On Tue, May 06, 2025 at 04:38:37AM -0700, Sathishkumar D via lists.openembedded.org wrote:
> Hi all,
>
> I am also facing the same build issue. I tried to understand the issue. From build system for both openssl and systemd, -mbranch-protection=standard enabled. In fact the support this flag added long back, https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 ( https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 ) and tpm2 introduces additional dependencies for systemd as in commit https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f.
>
> So something issue with gcc-15? or what makes openssl to loose gcs?
If you do not use TPM features in systemd to e.g. mount or create encrypted
file systems, then you can remove the PACKAGECONFIG
entries "cryptsetup cryptsetup-plugins efi openssl repart"
from systemd as a workaround.
Cheers,
-Mikko
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-06 11:38 ` Sathishkumar D
2025-05-06 12:24 ` [OE-core] " Mikko Rapeli
@ 2025-05-06 13:13 ` Khem Raj
2025-05-06 13:28 ` Sathishkumar Duraisamy
1 sibling, 1 reply; 29+ messages in thread
From: Khem Raj @ 2025-05-06 13:13 UTC (permalink / raw)
To: sathishkumar.d.cbe; +Cc: openembedded-core
On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
lists.openembedded.org
<sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
>
> Hi all,
>
> I am also facing the same build issue. I tried to understand the issue. From build system for both openssl and systemd, -mbranch-protection=standard enabled. In fact the support this flag added long back, https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 and tpm2 introduces additional dependencies for systemd as in commit https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f.
>
is this flag passed to linker as well ?
> So something issue with gcc-15? or what makes openssl to loose gcs?
>
> Regards,
> Sathishkumar D
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#216040): https://lists.openembedded.org/g/openembedded-core/message/216040
> Mute This Topic: https://lists.openembedded.org/mt/112627480/1997914
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-06 13:13 ` Khem Raj
@ 2025-05-06 13:28 ` Sathishkumar Duraisamy
2025-05-06 13:32 ` Khem Raj
2025-05-06 22:59 ` Khem Raj
0 siblings, 2 replies; 29+ messages in thread
From: Sathishkumar Duraisamy @ 2025-05-06 13:28 UTC (permalink / raw)
To: Khem Raj; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 4655 bytes --]
Hi
On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
> lists.openembedded.org
> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
> >
> > Hi all,
> >
> > I am also facing the same build issue. I tried to understand the issue.
> From build system for both openssl and systemd,
> -mbranch-protection=standard enabled. In fact the support this flag added
> long back,
> https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579
> and tpm2 introduces additional dependencies for systemd as in commit
> https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f
> .
> >
>
> is this flag passed to linker as well ?
>
> Openssl:
=======
export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
-mbranch-protection=standard -fstack-protector-strong -O2
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
--sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
export CFLAGS=" -O2 -g
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
-pipe -Wl,-z,gcs-compliant=all "
export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
-Wl,-z,relro,-z,now"
systemd
======
export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
-mbranch-protection=standard -fstack-protector-strong -O2
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
--sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
export CFLAGS=" -O2 -g
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
-pipe
--sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
-ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
-Wl,-z,relro,-z,now"
> > So something issue with gcc-15? or what makes openssl to loose gcs?
> >
> > Regards,
> > Sathishkumar D
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#216040):
> https://lists.openembedded.org/g/openembedded-core/message/216040
> > Mute This Topic: https://lists.openembedded.org/mt/112627480/1997914
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> raj.khem@gmail.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
[-- Attachment #2: Type: text/html, Size: 6402 bytes --]
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-06 13:28 ` Sathishkumar Duraisamy
@ 2025-05-06 13:32 ` Khem Raj
2025-05-06 13:45 ` Mikko Rapeli
2025-05-06 22:59 ` Khem Raj
1 sibling, 1 reply; 29+ messages in thread
From: Khem Raj @ 2025-05-06 13:32 UTC (permalink / raw)
To: Sathishkumar Duraisamy; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 4957 bytes --]
On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy <
sathishkumar.d.cbe@gmail.com> wrote:
> Hi
>
> On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
>
>> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
>> lists.openembedded.org
>> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
>> >
>> > Hi all,
>> >
>> > I am also facing the same build issue. I tried to understand the issue.
>> From build system for both openssl and systemd,
>> -mbranch-protection=standard enabled. In fact the support this flag added
>> long back,
>> https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579
>> and tpm2 introduces additional dependencies for systemd as in commit
>> https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f
>> .
>> >
>>
>> is this flag passed to linker as well ?
>>
>> Openssl:
> =======
>
> export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
> -mbranch-protection=standard -fstack-protector-strong -O2
> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
>
> export CFLAGS=" -O2 -g
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
> -pipe -Wl,-z,gcs-compliant=all "
>
> export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
> -Wl,-z,relro,-z,now"
>
> systemd
> ======
>
> export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
> -mbranch-protection=standard -fstack-protector-strong -O2
> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
>
> export CFLAGS=" -O2 -g
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
> -pipe
> --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
>
> export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
> -Wl,-z,relro,-z,now"
>
Please post exact linker command line to build libcrypto.so as well
>
>
>
>> > So something issue with gcc-15? or what makes openssl to loose gcs?
>> >
>> > Regards,
>> > Sathishkumar D
>> >
>> >
>> > -=-=-=-=-=-=-=-=-=-=-=-
>> > Links: You receive all messages sent to this group.
>> > View/Reply Online (#216040):
>> https://lists.openembedded.org/g/openembedded-core/message/216040
>> > Mute This Topic: https://lists.openembedded.org/mt/112627480/1997914
>> > Group Owner: openembedded-core+owner@lists.openembedded.org
>> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
>> raj.khem@gmail.com]
>> > -=-=-=-=-=-=-=-=-=-=-=-
>> >
>>
>
[-- Attachment #2: Type: text/html, Size: 7162 bytes --]
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-06 13:32 ` Khem Raj
@ 2025-05-06 13:45 ` Mikko Rapeli
2025-05-06 14:21 ` Max Krummenacher
0 siblings, 1 reply; 29+ messages in thread
From: Mikko Rapeli @ 2025-05-06 13:45 UTC (permalink / raw)
To: raj.khem; +Cc: Sathishkumar Duraisamy, openembedded-core
Hi,
On Tue, May 06, 2025 at 06:32:02AM -0700, Khem Raj via lists.openembedded.org wrote:
> On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy <
> sathishkumar.d.cbe@gmail.com> wrote:
>
> > Hi
> >
> > On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
> >
> >> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
> >> lists.openembedded.org
> >> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
> >> >
> >> > Hi all,
> >> >
> >> > I am also facing the same build issue. I tried to understand the issue.
> >> From build system for both openssl and systemd,
> >> -mbranch-protection=standard enabled. In fact the support this flag added
> >> long back,
> >> https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579
> >> and tpm2 introduces additional dependencies for systemd as in commit
> >> https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f
> >> .
> >> >
> >>
> >> is this flag passed to linker as well ?
> >>
> >> Openssl:
> > =======
> >
> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
> > -mbranch-protection=standard -fstack-protector-strong -O2
> > -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> > --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
> >
> > export CFLAGS=" -O2 -g
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
> > -pipe -Wl,-z,gcs-compliant=all "
> >
> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
> > -Wl,-z,relro,-z,now"
> >
> > systemd
> > ======
> >
> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
> > -mbranch-protection=standard -fstack-protector-strong -O2
> > -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> > --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> >
> > export CFLAGS=" -O2 -g
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
> > -pipe
> > --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> >
> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
> > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
> > -Wl,-z,relro,-z,now"
> >
>
> Please post exact linker command line to build libcrypto.so as well
FWIW, this reproduces on genericarm64 machine, poky-altcfg distro, tpm2 added to
MACHINE_FEATURES and meta-security/meta-tpm layer added to build. It is triggered by
"openssl" in systemd PACKAGECONFIG.
Cheers,
-Mikko
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-06 13:45 ` Mikko Rapeli
@ 2025-05-06 14:21 ` Max Krummenacher
0 siblings, 0 replies; 29+ messages in thread
From: Max Krummenacher @ 2025-05-06 14:21 UTC (permalink / raw)
To: Mikko Rapeli; +Cc: raj.khem, Sathishkumar Duraisamy, openembedded-core
On Tue, May 06, 2025 at 04:45:46PM +0300, Mikko Rapeli wrote:
> Hi,
>
> On Tue, May 06, 2025 at 06:32:02AM -0700, Khem Raj via lists.openembedded.org wrote:
> > On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy <
> > sathishkumar.d.cbe@gmail.com> wrote:
> >
> > > Hi
> > >
> > > On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
> > >
> > >> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
> > >> lists.openembedded.org
> > >> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
> > >> >
> > >> > Hi all,
> > >> >
> > >> > I am also facing the same build issue. I tried to understand the issue.
> > >> From build system for both openssl and systemd,
> > >> -mbranch-protection=standard enabled. In fact the support this flag added
> > >> long back,
> > >> https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579
> > >> and tpm2 introduces additional dependencies for systemd as in commit
> > >> https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f
> > >> .
> > >> >
> > >>
> > >> is this flag passed to linker as well ?
> > >>
> > >> Openssl:
> > > =======
> > >
> > > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
> > > -mbranch-protection=standard -fstack-protector-strong -O2
> > > -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> > > --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
> > >
> > > export CFLAGS=" -O2 -g
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
> > > -pipe -Wl,-z,gcs-compliant=all "
> > >
> > > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
> > > -Wl,-z,relro,-z,now"
> > >
> > > systemd
> > > ======
> > >
> > > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
> > > -mbranch-protection=standard -fstack-protector-strong -O2
> > > -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> > > --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > >
> > > export CFLAGS=" -O2 -g
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
> > > -pipe
> > > --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > >
> > > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
> > > -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
> > > -Wl,-z,relro,-z,now"
> > >
> >
> > Please post exact linker command line to build libcrypto.so as well
I checked all the object files (*.o) built.
About 40 have the GCS flag not set. All of which are produced from assembler
sources using 'gcc' as the 'as' frontend with all the same flags as used for
C source files. Changing marm from 'cortex-a57+crc' to 'cortex-a57+crc+gcs'
doesn't change that.
Configuring openssl with no-arm no longer uses the optimized assembler code
and thus the resulting .so is marked with the GCS feature.
I sent a patch to the ML.
https://lore.kernel.org/all/20250506141013.2600055-1-max.oss.09@gmail.com/
Thanks Khem for the valuable feedback.
Regards
Max
>
> FWIW, this reproduces on genericarm64 machine, poky-altcfg distro, tpm2 added to
> MACHINE_FEATURES and meta-security/meta-tpm layer added to build. It is triggered by
> "openssl" in systemd PACKAGECONFIG.
>
> Cheers,
>
> -Mikko
>
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-06 13:28 ` Sathishkumar Duraisamy
2025-05-06 13:32 ` Khem Raj
@ 2025-05-06 22:59 ` Khem Raj
2025-05-07 6:04 ` Sathishkumar Duraisamy
1 sibling, 1 reply; 29+ messages in thread
From: Khem Raj @ 2025-05-06 22:59 UTC (permalink / raw)
To: Sathishkumar Duraisamy; +Cc: openembedded-core
On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy
<sathishkumar.d.cbe@gmail.com> wrote:
>
> Hi
>
> On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
>>
>> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
>> lists.openembedded.org
>> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
>> >
>> > Hi all,
>> >
>> > I am also facing the same build issue. I tried to understand the issue. From build system for both openssl and systemd, -mbranch-protection=standard enabled. In fact the support this flag added long back, https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 and tpm2 introduces additional dependencies for systemd as in commit https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f.
>> >
>>
>> is this flag passed to linker as well ?
>>
> Openssl:
> =======
>
> export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
>
> export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -pipe -Wl,-z,gcs-compliant=all "
>
> export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -Wl,-z,relro,-z,now"
>
> systemd
> ======
>
> export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
>
> export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -pipe --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
>
> export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -Wl,-z,relro,-z,now"
>
>
Please try adding -Wl,-z,gcs-compliant=all to systemd LDFLAGS not
CFLAGS or to openssl flags.
>
>>
>> > So something issue with gcc-15? or what makes openssl to loose gcs?
>> >
>> > Regards,
>> > Sathishkumar D
>> >
>> >
>> > -=-=-=-=-=-=-=-=-=-=-=-
>> > Links: You receive all messages sent to this group.
>> > View/Reply Online (#216040): https://lists.openembedded.org/g/openembedded-core/message/216040
>> > Mute This Topic: https://lists.openembedded.org/mt/112627480/1997914
>> > Group Owner: openembedded-core+owner@lists.openembedded.org
>> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com]
>> > -=-=-=-=-=-=-=-=-=-=-=-
>> >
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-06 22:59 ` Khem Raj
@ 2025-05-07 6:04 ` Sathishkumar Duraisamy
2025-05-07 6:14 ` Khem Raj
0 siblings, 1 reply; 29+ messages in thread
From: Sathishkumar Duraisamy @ 2025-05-07 6:04 UTC (permalink / raw)
To: Khem Raj; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 5397 bytes --]
On Wed, May 7, 2025 at 4:29 AM Khem Raj <raj.khem@gmail.com> wrote:
> On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy
> <sathishkumar.d.cbe@gmail.com> wrote:
> >
> > Hi
> >
> > On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
> >>
> >> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
> >> lists.openembedded.org
> >> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
> >> >
> >> > Hi all,
> >> >
> >> > I am also facing the same build issue. I tried to understand the
> issue. From build system for both openssl and systemd,
> -mbranch-protection=standard enabled. In fact the support this flag added
> long back,
> https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579
> and tpm2 introduces additional dependencies for systemd as in commit
> https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f
> .
> >> >
> >>
> >> is this flag passed to linker as well ?
> >>
> > Openssl:
> > =======
> >
> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
> -mbranch-protection=standard -fstack-protector-strong -O2
> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
> >
> > export CFLAGS=" -O2 -g
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
> -pipe -Wl,-z,gcs-compliant=all "
> >
> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
> -Wl,-z,relro,-z,now"
> >
> > systemd
> > ======
> >
> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
> -mbranch-protection=standard -fstack-protector-strong -O2
> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> >
> > export CFLAGS=" -O2 -g
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
> -pipe
> --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> >
> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
> -Wl,-z,relro,-z,now"
> >
> >
>
> Please try adding -Wl,-z,gcs-compliant=all to systemd LDFLAGS not
> CFLAGS or to openssl flags.
Shortly I will build with LDFLAGS and will post the update here.
Yesterday, I added ' EXTRA_OECONF:append:aarch64 = " no-asm" ' as
recommended by Max to the openssl bbappend file. And I see I am able to
build systemd. I will re-build with LDFLAGS.
>
>
> >>
> >> > So something issue with gcc-15? or what makes openssl to loose gcs?
> >> >
> >> > Regards,
> >> > Sathishkumar D
> >> >
> >> >
> >> > -=-=-=-=-=-=-=-=-=-=-=-
> >> > Links: You receive all messages sent to this group.
> >> > View/Reply Online (#216040):
> https://lists.openembedded.org/g/openembedded-core/message/216040
> >> > Mute This Topic: https://lists.openembedded.org/mt/112627480/1997914
> >> > Group Owner: openembedded-core+owner@lists.openembedded.org
> >> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
> [raj.khem@gmail.com]
> >> > -=-=-=-=-=-=-=-=-=-=-=-
> >> >
>
[-- Attachment #2: Type: text/html, Size: 7514 bytes --]
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 6:04 ` Sathishkumar Duraisamy
@ 2025-05-07 6:14 ` Khem Raj
2025-05-07 8:22 ` Mikko Rapeli
[not found] ` <183D310FC8853D5E.1749@lists.openembedded.org>
0 siblings, 2 replies; 29+ messages in thread
From: Khem Raj @ 2025-05-07 6:14 UTC (permalink / raw)
To: Sathishkumar Duraisamy; +Cc: openembedded-core
On Tue, May 6, 2025 at 11:04 PM Sathishkumar Duraisamy
<sathishkumar.d.cbe@gmail.com> wrote:
>
> On Wed, May 7, 2025 at 4:29 AM Khem Raj <raj.khem@gmail.com> wrote:
>>
>> On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy
>> <sathishkumar.d.cbe@gmail.com> wrote:
>> >
>> > Hi
>> >
>> > On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
>> >>
>> >> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
>> >> lists.openembedded.org
>> >> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
>> >> >
>> >> > Hi all,
>> >> >
>> >> > I am also facing the same build issue. I tried to understand the issue. From build system for both openssl and systemd, -mbranch-protection=standard enabled. In fact the support this flag added long back, https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 and tpm2 introduces additional dependencies for systemd as in commit https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f.
>> >> >
>> >>
>> >> is this flag passed to linker as well ?
>> >>
>> > Openssl:
>> > =======
>> >
>> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
>> >
>> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -pipe -Wl,-z,gcs-compliant=all "
>> >
>> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -Wl,-z,relro,-z,now"
>> >
>> > systemd
>> > ======
>> >
>> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
>> >
>> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -pipe --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
>> >
>> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -Wl,-z,relro,-z,now"
>> >
>> >
>>
>> Please try adding -Wl,-z,gcs-compliant=all to systemd LDFLAGS not
>> CFLAGS or to openssl flags.
>
>
> Shortly I will build with LDFLAGS and will post the update here.
>
also try adding try with -Wl,-z,gcs-report-dynamic=none to LDFLAGS in
systemd and see if that helps
> Yesterday, I added ' EXTRA_OECONF:append:aarch64 = " no-asm" ' as recommended by Max to the openssl bbappend file. And I see I am able to build systemd. I will re-build with LDFLAGS.
>
>
>>
>>
>> >
>> >>
>> >> > So something issue with gcc-15? or what makes openssl to loose gcs?
>> >> >
>> >> > Regards,
>> >> > Sathishkumar D
>> >> >
>> >> >
>> >> > -=-=-=-=-=-=-=-=-=-=-=-
>> >> > Links: You receive all messages sent to this group.
>> >> > View/Reply Online (#216040): https://lists.openembedded.org/g/openembedded-core/message/216040
>> >> > Mute This Topic: https://lists.openembedded.org/mt/112627480/1997914
>> >> > Group Owner: openembedded-core+owner@lists.openembedded.org
>> >> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com]
>> >> > -=-=-=-=-=-=-=-=-=-=-=-
>> >> >
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 6:14 ` Khem Raj
@ 2025-05-07 8:22 ` Mikko Rapeli
[not found] ` <183D310FC8853D5E.1749@lists.openembedded.org>
1 sibling, 0 replies; 29+ messages in thread
From: Mikko Rapeli @ 2025-05-07 8:22 UTC (permalink / raw)
To: raj.khem; +Cc: Sathishkumar Duraisamy, openembedded-core
Hi,
On Tue, May 06, 2025 at 11:14:02PM -0700, Khem Raj via lists.openembedded.org wrote:
> On Tue, May 6, 2025 at 11:04 PM Sathishkumar Duraisamy
> <sathishkumar.d.cbe@gmail.com> wrote:
> >
> > On Wed, May 7, 2025 at 4:29 AM Khem Raj <raj.khem@gmail.com> wrote:
> >>
> >> On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy
> >> <sathishkumar.d.cbe@gmail.com> wrote:
> >> >
> >> > Hi
> >> >
> >> > On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
> >> >>
> >> >> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
> >> >> lists.openembedded.org
> >> >> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
> >> >> >
> >> >> > Hi all,
> >> >> >
> >> >> > I am also facing the same build issue. I tried to understand the issue. From build system for both openssl and systemd, -mbranch-protection=standard enabled. In fact the support this flag added long back, https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 and tpm2 introduces additional dependencies for systemd as in commit https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f.
> >> >> >
> >> >>
> >> >> is this flag passed to linker as well ?
> >> >>
> >> > Openssl:
> >> > =======
> >> >
> >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
> >> >
> >> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -pipe -Wl,-z,gcs-compliant=all "
> >> >
> >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -Wl,-z,relro,-z,now"
> >> >
> >> > systemd
> >> > ======
> >> >
> >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> >> >
> >> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -pipe --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> >> >
> >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -Wl,-z,relro,-z,now"
> >> >
> >> >
> >>
> >> Please try adding -Wl,-z,gcs-compliant=all to systemd LDFLAGS not
> >> CFLAGS or to openssl flags.
> >
> >
> > Shortly I will build with LDFLAGS and will post the update here.
> >
>
> also try adding try with -Wl,-z,gcs-report-dynamic=none to LDFLAGS in
> systemd and see if that helps
This did not seem to work. Unknown linker flag and build failure.
I think disabling linker warnings as errors in systemd is the way out for now.
Cheers,
-Mikko
^ permalink raw reply [flat|nested] 29+ messages in thread[parent not found: <183D310FC8853D5E.1749@lists.openembedded.org>]
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
[not found] ` <183D310FC8853D5E.1749@lists.openembedded.org>
@ 2025-05-07 8:31 ` Mikko Rapeli
2025-05-07 8:55 ` Sathishkumar Duraisamy
2025-05-07 14:22 ` Mikko Rapeli
1 sibling, 1 reply; 29+ messages in thread
From: Mikko Rapeli @ 2025-05-07 8:31 UTC (permalink / raw)
To: raj.khem, Sathishkumar Duraisamy, openembedded-core
Hi,
On Wed, May 07, 2025 at 11:22:49AM +0300, Mikko Rapeli via lists.openembedded.org wrote:
> I think disabling linker warnings as errors in systemd is the way out for now.
Sent out https://lists.yoctoproject.org/g/yocto-patches/message/1524
which disables systemd linker warnings as errors and fixes this for me.
Cheers,
-Mikko
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 8:31 ` Mikko Rapeli
@ 2025-05-07 8:55 ` Sathishkumar Duraisamy
0 siblings, 0 replies; 29+ messages in thread
From: Sathishkumar Duraisamy @ 2025-05-07 8:55 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 657 bytes --]
Hi,
On Wed, May 7, 2025 at 2:01 PM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
> Hi,
>
> On Wed, May 07, 2025 at 11:22:49AM +0300, Mikko Rapeli via
> lists.openembedded.org wrote:
> > I think disabling linker warnings as errors in systemd is the way out
> for now.
>
> Sent out https://lists.yoctoproject.org/g/yocto-patches/message/1524
> which disables systemd linker warnings as errors and fixes this for me.
>
> Super. That is great.
I have triggered a clean build, my laptop is a little-bit old, the build is
still on-going. I will add this patch in my local layer.
> Cheers,
>
> -Mikko
>
Regards,
Sathishkumar D
[-- Attachment #2: Type: text/html, Size: 1393 bytes --]
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
[not found] ` <183D310FC8853D5E.1749@lists.openembedded.org>
2025-05-07 8:31 ` Mikko Rapeli
@ 2025-05-07 14:22 ` Mikko Rapeli
2025-05-07 14:35 ` Khem Raj
2025-05-07 18:29 ` Trevor Woerner
1 sibling, 2 replies; 29+ messages in thread
From: Mikko Rapeli @ 2025-05-07 14:22 UTC (permalink / raw)
To: raj.khem, Trevor Woerner, Sathishkumar Duraisamy,
openembedded-core
Hi,
On Wed, May 07, 2025 at 11:22:49AM +0300, Mikko Rapeli via lists.openembedded.org wrote:
> On Tue, May 06, 2025 at 11:14:02PM -0700, Khem Raj via lists.openembedded.org wrote:
> > On Tue, May 6, 2025 at 11:04 PM Sathishkumar Duraisamy
> > <sathishkumar.d.cbe@gmail.com> wrote:
> > >
> > > On Wed, May 7, 2025 at 4:29 AM Khem Raj <raj.khem@gmail.com> wrote:
> > >>
> > >> On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy
> > >> <sathishkumar.d.cbe@gmail.com> wrote:
> > >> >
> > >> > Hi
> > >> >
> > >> > On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
> > >> >>
> > >> >> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
> > >> >> lists.openembedded.org
> > >> >> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
> > >> >> >
> > >> >> > Hi all,
> > >> >> >
> > >> >> > I am also facing the same build issue. I tried to understand the issue. From build system for both openssl and systemd, -mbranch-protection=standard enabled. In fact the support this flag added long back, https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 and tpm2 introduces additional dependencies for systemd as in commit https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f.
> > >> >> >
> > >> >>
> > >> >> is this flag passed to linker as well ?
> > >> >>
> > >> > Openssl:
> > >> > =======
> > >> >
> > >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
> > >> >
> > >> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -pipe -Wl,-z,gcs-compliant=all "
> > >> >
> > >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -Wl,-z,relro,-z,now"
> > >> >
> > >> > systemd
> > >> > ======
> > >> >
> > >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > >> >
> > >> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -pipe --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > >> >
> > >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -Wl,-z,relro,-z,now"
> > >> >
> > >> >
> > >>
> > >> Please try adding -Wl,-z,gcs-compliant=all to systemd LDFLAGS not
> > >> CFLAGS or to openssl flags.
> > >
> > >
> > > Shortly I will build with LDFLAGS and will post the update here.
> > >
> >
> > also try adding try with -Wl,-z,gcs-report-dynamic=none to LDFLAGS in
> > systemd and see if that helps
>
> This did not seem to work. Unknown linker flag and build failure.
Trevor replied on #yocto irc that this worked so I was wrong. I must have mixed up
testing "-Wl,-z,gcs-report-dynamic=none" which works and "-Wl,-z,gcs-compliant=all"
which fails in systemd build with:
| ../git/meson.build:3:0: ERROR: Compiler aarch64-poky-linux-gcc -march=armv8-a+crc -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/recipe-sysroot cannot compile programs.
and
$ grep error: /home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/build/meson-logs/meson-log.txt
/home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/recipe-sysroot-native/usr/bin/aarch64-poky-linux/../../libexec/aarch64-poky-linux/gcc/aarch64-poky-linux/15.1.0/ld: error: unrecognized value '-z gcs-compliant=all'
So this in meta-security/meta-tpm systemd bbappend works:
LDFLAGS:append:aarch64 = " -Wl,-z,gcs-report-dynamic=none"
I can send this out in v2. No need to patch meson.build then.
Cheers,
-Mikko
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 14:22 ` Mikko Rapeli
@ 2025-05-07 14:35 ` Khem Raj
2025-05-07 16:05 ` Sathishkumar Duraisamy
2025-05-07 18:29 ` Trevor Woerner
1 sibling, 1 reply; 29+ messages in thread
From: Khem Raj @ 2025-05-07 14:35 UTC (permalink / raw)
To: Mikko Rapeli; +Cc: Trevor Woerner, Sathishkumar Duraisamy, openembedded-core
On Wed, May 7, 2025 at 7:22 AM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
>
> Hi,
>
> On Wed, May 07, 2025 at 11:22:49AM +0300, Mikko Rapeli via lists.openembedded.org wrote:
> > On Tue, May 06, 2025 at 11:14:02PM -0700, Khem Raj via lists.openembedded.org wrote:
> > > On Tue, May 6, 2025 at 11:04 PM Sathishkumar Duraisamy
> > > <sathishkumar.d.cbe@gmail.com> wrote:
> > > >
> > > > On Wed, May 7, 2025 at 4:29 AM Khem Raj <raj.khem@gmail.com> wrote:
> > > >>
> > > >> On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy
> > > >> <sathishkumar.d.cbe@gmail.com> wrote:
> > > >> >
> > > >> > Hi
> > > >> >
> > > >> > On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
> > > >> >>
> > > >> >> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
> > > >> >> lists.openembedded.org
> > > >> >> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
> > > >> >> >
> > > >> >> > Hi all,
> > > >> >> >
> > > >> >> > I am also facing the same build issue. I tried to understand the issue. From build system for both openssl and systemd, -mbranch-protection=standard enabled. In fact the support this flag added long back, https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 and tpm2 introduces additional dependencies for systemd as in commit https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f.
> > > >> >> >
> > > >> >>
> > > >> >> is this flag passed to linker as well ?
> > > >> >>
> > > >> > Openssl:
> > > >> > =======
> > > >> >
> > > >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
> > > >> >
> > > >> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -pipe -Wl,-z,gcs-compliant=all "
> > > >> >
> > > >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -Wl,-z,relro,-z,now"
> > > >> >
> > > >> > systemd
> > > >> > ======
> > > >> >
> > > >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > > >> >
> > > >> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -pipe --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > > >> >
> > > >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -Wl,-z,relro,-z,now"
> > > >> >
> > > >> >
> > > >>
> > > >> Please try adding -Wl,-z,gcs-compliant=all to systemd LDFLAGS not
> > > >> CFLAGS or to openssl flags.
> > > >
> > > >
> > > > Shortly I will build with LDFLAGS and will post the update here.
> > > >
> > >
> > > also try adding try with -Wl,-z,gcs-report-dynamic=none to LDFLAGS in
> > > systemd and see if that helps
> >
> > This did not seem to work. Unknown linker flag and build failure.
>
> Trevor replied on #yocto irc that this worked so I was wrong. I must have mixed up
> testing "-Wl,-z,gcs-report-dynamic=none" which works and "-Wl,-z,gcs-compliant=all"
> which fails in systemd build with:
>
> | ../git/meson.build:3:0: ERROR: Compiler aarch64-poky-linux-gcc -march=armv8-a+crc -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/recipe-sysroot cannot compile programs.
>
> and
>
> $ grep error: /home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/build/meson-logs/meson-log.txt
> /home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/recipe-sysroot-native/usr/bin/aarch64-poky-linux/../../libexec/aarch64-poky-linux/gcc/aarch64-poky-linux/15.1.0/ld: error: unrecognized value '-z gcs-compliant=all'
>
> So this in meta-security/meta-tpm systemd bbappend works:
>
> LDFLAGS:append:aarch64 = " -Wl,-z,gcs-report-dynamic=none"
>
> I can send this out in v2. No need to patch meson.build then.
Exactly, please send v2
>
> Cheers,
>
> -Mikko
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 14:35 ` Khem Raj
@ 2025-05-07 16:05 ` Sathishkumar Duraisamy
0 siblings, 0 replies; 29+ messages in thread
From: Sathishkumar Duraisamy @ 2025-05-07 16:05 UTC (permalink / raw)
To: Khem Raj; +Cc: Mikko Rapeli, Trevor Woerner, openembedded-core
[-- Attachment #1: Type: text/plain, Size: 7038 bytes --]
On Wed, May 7, 2025 at 8:06 PM Khem Raj <raj.khem@gmail.com> wrote:
> On Wed, May 7, 2025 at 7:22 AM Mikko Rapeli <mikko.rapeli@linaro.org>
> wrote:
> >
> > Hi,
> >
> > On Wed, May 07, 2025 at 11:22:49AM +0300, Mikko Rapeli via
> lists.openembedded.org wrote:
> > > On Tue, May 06, 2025 at 11:14:02PM -0700, Khem Raj via
> lists.openembedded.org wrote:
> > > > On Tue, May 6, 2025 at 11:04 PM Sathishkumar Duraisamy
> > > > <sathishkumar.d.cbe@gmail.com> wrote:
> > > > >
> > > > > On Wed, May 7, 2025 at 4:29 AM Khem Raj <raj.khem@gmail.com>
> wrote:
> > > > >>
> > > > >> On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy
> > > > >> <sathishkumar.d.cbe@gmail.com> wrote:
> > > > >> >
> > > > >> > Hi
> > > > >> >
> > > > >> > On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com>
> wrote:
> > > > >> >>
> > > > >> >> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
> > > > >> >> lists.openembedded.org
> > > > >> >> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
> > > > >> >> >
> > > > >> >> > Hi all,
> > > > >> >> >
> > > > >> >> > I am also facing the same build issue. I tried to understand
> the issue. From build system for both openssl and systemd,
> -mbranch-protection=standard enabled. In fact the support this flag added
> long back,
> https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579
> and tpm2 introduces additional dependencies for systemd as in commit
> https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f
> .
> > > > >> >> >
> > > > >> >>
> > > > >> >> is this flag passed to linker as well ?
> > > > >> >>
> > > > >> > Openssl:
> > > > >> > =======
> > > > >> >
> > > > >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
> -mbranch-protection=standard -fstack-protector-strong -O2
> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
> > > > >> >
> > > > >> > export CFLAGS=" -O2 -g
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
> -pipe -Wl,-z,gcs-compliant=all "
> > > > >> >
> > > > >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native=
> -Wl,-z,relro,-z,now"
> > > > >> >
> > > > >> > systemd
> > > > >> > ======
> > > > >> >
> > > > >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto
> -mbranch-protection=standard -fstack-protector-strong -O2
> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > > > >> >
> > > > >> > export CFLAGS=" -O2 -g
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
> -pipe
> --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > > > >> >
> > > > >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot=
> -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native=
> -Wl,-z,relro,-z,now"
> > > > >> >
> > > > >> >
> > > > >>
> > > > >> Please try adding -Wl,-z,gcs-compliant=all to systemd LDFLAGS not
> > > > >> CFLAGS or to openssl flags.
> > > > >
> > > > >
> > > > > Shortly I will build with LDFLAGS and will post the update here.
> > > > >
> > > >
> > > > also try adding try with -Wl,-z,gcs-report-dynamic=none to LDFLAGS in
> > > > systemd and see if that helps
> > >
> > > This did not seem to work. Unknown linker flag and build failure.
> >
> > Trevor replied on #yocto irc that this worked so I was wrong. I must
> have mixed up
> > testing "-Wl,-z,gcs-report-dynamic=none" which works and
> "-Wl,-z,gcs-compliant=all"
> > which fails in systemd build with:
> >
> > | ../git/meson.build:3:0: ERROR: Compiler aarch64-poky-linux-gcc
> -march=armv8-a+crc -mbranch-protection=standard -fstack-protector-strong
> -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> --sysroot=/home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/recipe-sysroot
> cannot compile programs.
> >
> > and
> >
> > $ grep error:
> /home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/build/meson-logs/meson-log.txt
> >
> /home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/recipe-sysroot-native/usr/bin/aarch64-poky-linux/../../libexec/aarch64-poky-linux/gcc/aarch64-poky-linux/15.1.0/ld:
> error: unrecognized value '-z gcs-compliant=all'
> >
> > So this in meta-security/meta-tpm systemd bbappend works:
> >
> > LDFLAGS:append:aarch64 = " -Wl,-z,gcs-report-dynamic=none"
> >
>
Build is successful with this change.
> > I can send this out in v2. No need to patch meson.build then.
>
> Exactly, please send v2
>
> >
> > Cheers,
> >
> > -Mikko
>
[-- Attachment #2: Type: text/html, Size: 9642 bytes --]
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 14:22 ` Mikko Rapeli
2025-05-07 14:35 ` Khem Raj
@ 2025-05-07 18:29 ` Trevor Woerner
2025-05-07 18:33 ` Ross Burton
1 sibling, 1 reply; 29+ messages in thread
From: Trevor Woerner @ 2025-05-07 18:29 UTC (permalink / raw)
To: Mikko Rapeli; +Cc: raj.khem, Sathishkumar Duraisamy, openembedded-core
On Wed 2025-05-07 @ 05:22:28 PM, Mikko Rapeli wrote:
> Hi,
>
> On Wed, May 07, 2025 at 11:22:49AM +0300, Mikko Rapeli via lists.openembedded.org wrote:
> > On Tue, May 06, 2025 at 11:14:02PM -0700, Khem Raj via lists.openembedded.org wrote:
> > > On Tue, May 6, 2025 at 11:04 PM Sathishkumar Duraisamy
> > > <sathishkumar.d.cbe@gmail.com> wrote:
> > > >
> > > > On Wed, May 7, 2025 at 4:29 AM Khem Raj <raj.khem@gmail.com> wrote:
> > > >>
> > > >> On Tue, May 6, 2025 at 6:28 AM Sathishkumar Duraisamy
> > > >> <sathishkumar.d.cbe@gmail.com> wrote:
> > > >> >
> > > >> > Hi
> > > >> >
> > > >> > On Tue, May 6, 2025 at 6:43 PM Khem Raj <raj.khem@gmail.com> wrote:
> > > >> >>
> > > >> >> On Tue, May 6, 2025 at 4:38 AM Sathishkumar D via
> > > >> >> lists.openembedded.org
> > > >> >> <sathishkumar.d.cbe=gmail.com@lists.openembedded.org> wrote:
> > > >> >> >
> > > >> >> > Hi all,
> > > >> >> >
> > > >> >> > I am also facing the same build issue. I tried to understand the issue. From build system for both openssl and systemd, -mbranch-protection=standard enabled. In fact the support this flag added long back, https://github.com/openembedded/openembedded-core/commit/8905639d1cdc5ce809cc5ecd9672f5e86bf8a579 and tpm2 introduces additional dependencies for systemd as in commit https://git.yoctoproject.org/meta-security/commit/meta-tpm/recipes-core/systemd/systemd_%25.bbappend?id=6eb3098e57881895e62fc811f714c2aa4ecfcf8f.
> > > >> >> >
> > > >> >>
> > > >> >> is this flag passed to linker as well ?
> > > >> >>
> > > >> > Openssl:
> > > >> > =======
> > > >> >
> > > >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot"
> > > >> >
> > > >> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -pipe -Wl,-z,gcs-compliant=all "
> > > >> >
> > > >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/openssl-3.5.0=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/build=/usr/src/debug/openssl/3.5.0 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/openssl/3.5.0/recipe-sysroot-native= -Wl,-z,relro,-z,now"
> > > >> >
> > > >> > systemd
> > > >> > ======
> > > >> >
> > > >> > export CC="aarch64-tdx-linux-gcc -march=armv8-a+crypto -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > > >> >
> > > >> > export CFLAGS=" -O2 -g -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -pipe --sysroot=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot"
> > > >> >
> > > >> > export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/git=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/build=/usr/src/debug/systemd/257.5 -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot= -ffile-prefix-map=/home/sathishkumar/yoctospace/verdin-next/build/tmp/work/armv8a-tdx-linux/systemd/257.5/recipe-sysroot-native= -Wl,-z,relro,-z,now"
> > > >> >
> > > >> >
> > > >>
> > > >> Please try adding -Wl,-z,gcs-compliant=all to systemd LDFLAGS not
> > > >> CFLAGS or to openssl flags.
> > > >
> > > >
> > > > Shortly I will build with LDFLAGS and will post the update here.
> > > >
> > >
> > > also try adding try with -Wl,-z,gcs-report-dynamic=none to LDFLAGS in
> > > systemd and see if that helps
> >
> > This did not seem to work. Unknown linker flag and build failure.
>
> Trevor replied on #yocto irc that this worked so I was wrong. I must have mixed up
> testing "-Wl,-z,gcs-report-dynamic=none" which works and "-Wl,-z,gcs-compliant=all"
> which fails in systemd build with:
>
> | ../git/meson.build:3:0: ERROR: Compiler aarch64-poky-linux-gcc -march=armv8-a+crc -mbranch-protection=standard -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/recipe-sysroot cannot compile programs.
>
> and
>
> $ grep error: /home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/build/meson-logs/meson-log.txt
> /home/builder/src/base/repo/build/tmp_genericarm64/work/armv8a-poky-linux/systemd/257.5/recipe-sysroot-native/usr/bin/aarch64-poky-linux/../../libexec/aarch64-poky-linux/gcc/aarch64-poky-linux/15.1.0/ld: error: unrecognized value '-z gcs-compliant=all'
>
> So this in meta-security/meta-tpm systemd bbappend works:
>
> LDFLAGS:append:aarch64 = " -Wl,-z,gcs-report-dynamic=none"
>
> I can send this out in v2. No need to patch meson.build then.
I stumbled across this build issue via a completely different route than most
others, it seems, and certainly different than what you have described. I'm
not using meta-security and I'm not using tpm2. Therefore your patch will do
little to solve my build, and others will likely stumble across this issue by
other routes as well.
I'm using systemd's repart mechanism to repartition/resize my disks on boot to
support A/B partitioning using RAUC in meta-rockchip. To support this, I have
enabled systemd's "repart" PACKAGECONFIG, which (apparently) requires
systemd's "openssl" PACKAGECONFIG to be enabled as well. This, in systemd,
appears to be the *root* of the problem. If the user is building for aarch64,
and has enabled systemd's openssl PACKAGECONFIG, then the additional linker
flags are required. This should solve the problem for everyone?
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 18:29 ` Trevor Woerner
@ 2025-05-07 18:33 ` Ross Burton
2025-05-07 18:38 ` Khem Raj
0 siblings, 1 reply; 29+ messages in thread
From: Ross Burton @ 2025-05-07 18:33 UTC (permalink / raw)
To: twoerner@gmail.com
Cc: Mikko Rapeli, raj.khem@gmail.com, Sathishkumar Duraisamy,
openembedded-core@lists.openembedded.org
On 7 May 2025, at 19:29, Trevor Woerner via lists.openembedded.org <twoerner=gmail.com@lists.openembedded.org> wrote:
>
> I stumbled across this build issue via a completely different route than most
> others, it seems, and certainly different than what you have described. I'm
> not using meta-security and I'm not using tpm2. Therefore your patch will do
> little to solve my build, and others will likely stumble across this issue by
> other routes as well.
For what it’s worth, we’re seeing this without meta-security too. This needs to be worked around in core (personally, I’d remove —fatal-warnings from systemd until openssl includes the GCS hints).
Ross
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 18:33 ` Ross Burton
@ 2025-05-07 18:38 ` Khem Raj
2025-05-07 19:04 ` Trevor Woerner
0 siblings, 1 reply; 29+ messages in thread
From: Khem Raj @ 2025-05-07 18:38 UTC (permalink / raw)
To: Ross Burton
Cc: twoerner@gmail.com, Mikko Rapeli, Sathishkumar Duraisamy,
openembedded-core@lists.openembedded.org
On Wed, May 7, 2025 at 11:34 AM Ross Burton <Ross.Burton@arm.com> wrote:
>
> On 7 May 2025, at 19:29, Trevor Woerner via lists.openembedded.org <twoerner=gmail.com@lists.openembedded.org> wrote:
> >
> > I stumbled across this build issue via a completely different route than most
> > others, it seems, and certainly different than what you have described. I'm
> > not using meta-security and I'm not using tpm2. Therefore your patch will do
> > little to solve my build, and others will likely stumble across this issue by
> > other routes as well.
>
> For what it’s worth, we’re seeing this without meta-security too. This needs to be worked around in core (personally, I’d remove —fatal-warnings from systemd until openssl includes the GCS hints).
>
thats a bigger hammer, I would suggest to apply
LDFLAGS:append:aarch64 = " -Wl,-z,gcs-report-dynamic=none"
in systemd recipe in core
> Ross
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 18:38 ` Khem Raj
@ 2025-05-07 19:04 ` Trevor Woerner
2025-05-07 19:10 ` Trevor Woerner
0 siblings, 1 reply; 29+ messages in thread
From: Trevor Woerner @ 2025-05-07 19:04 UTC (permalink / raw)
To: Khem Raj
Cc: Ross Burton, Mikko Rapeli, Sathishkumar Duraisamy,
openembedded-core@lists.openembedded.org
On Wed 2025-05-07 @ 11:38:12 AM, Khem Raj wrote:
> On Wed, May 7, 2025 at 11:34 AM Ross Burton <Ross.Burton@arm.com> wrote:
> >
> > On 7 May 2025, at 19:29, Trevor Woerner via lists.openembedded.org <twoerner=gmail.com@lists.openembedded.org> wrote:
> > >
> > > I stumbled across this build issue via a completely different route than most
> > > others, it seems, and certainly different than what you have described. I'm
> > > not using meta-security and I'm not using tpm2. Therefore your patch will do
> > > little to solve my build, and others will likely stumble across this issue by
> > > other routes as well.
> >
> > For what it’s worth, we’re seeing this without meta-security too. This needs to be worked around in core (personally, I’d remove —fatal-warnings from systemd until openssl includes the GCS hints).
> >
>
> thats a bigger hammer, I would suggest to apply
> LDFLAGS:append:aarch64 = " -Wl,-z,gcs-report-dynamic=none"
> in systemd recipe in core
If we want to make the hammer smaller, it's only triggered when:
PACKAGECONFIG:append:pn-systemd = " openssl"
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 19:04 ` Trevor Woerner
@ 2025-05-07 19:10 ` Trevor Woerner
2025-05-07 19:51 ` Khem Raj
2025-05-08 6:22 ` Mikko Rapeli
0 siblings, 2 replies; 29+ messages in thread
From: Trevor Woerner @ 2025-05-07 19:10 UTC (permalink / raw)
To: Khem Raj
Cc: Ross Burton, Mikko Rapeli, Sathishkumar Duraisamy,
openembedded-core@lists.openembedded.org
On Wed 2025-05-07 @ 03:04:49 PM, Trevor Woerner wrote:
> On Wed 2025-05-07 @ 11:38:12 AM, Khem Raj wrote:
> > On Wed, May 7, 2025 at 11:34 AM Ross Burton <Ross.Burton@arm.com> wrote:
> > >
> > > On 7 May 2025, at 19:29, Trevor Woerner via lists.openembedded.org <twoerner=gmail.com@lists.openembedded.org> wrote:
> > > >
> > > > I stumbled across this build issue via a completely different route than most
> > > > others, it seems, and certainly different than what you have described. I'm
> > > > not using meta-security and I'm not using tpm2. Therefore your patch will do
> > > > little to solve my build, and others will likely stumble across this issue by
> > > > other routes as well.
> > >
> > > For what it’s worth, we’re seeing this without meta-security too. This needs to be worked around in core (personally, I’d remove —fatal-warnings from systemd until openssl includes the GCS hints).
> > >
> >
> > thats a bigger hammer, I would suggest to apply
> > LDFLAGS:append:aarch64 = " -Wl,-z,gcs-report-dynamic=none"
> > in systemd recipe in core
>
> If we want to make the hammer smaller, it's only triggered when:
>
> PACKAGECONFIG:append:pn-systemd = " openssl"
>
diff --git a/meta/recipes-core/systemd/systemd_257.5.bb b/meta/recipes-core/systemd/systemd_257.5.bb
index acf97517a94a..995b55580e4a 100644
--- a/meta/recipes-core/systemd/systemd_257.5.bb
+++ b/meta/recipes-core/systemd/systemd_257.5.bb
@@ -240,6 +240,7 @@ RESOLV_CONF ??= ""
# bpf-framework: pass the recipe-sysroot to the compiler used to build
# the eBPFs, so that it can find needed system includes in there.
CFLAGS:append = " --sysroot=${STAGING_DIR_TARGET}"
+LDFLAGS:append:aarch64 = " ${@bb.utils.contains('PACKAGECONFIG', 'openssl', '-Wl,-z,gcs-report-dynamic=none', '', d)}"
EXTRA_OEMESON += "-Dnobody-user=nobody \
-Dnobody-group=nogroup \
^ permalink raw reply related [flat|nested] 29+ messages in thread* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 19:10 ` Trevor Woerner
@ 2025-05-07 19:51 ` Khem Raj
2025-05-08 6:22 ` Mikko Rapeli
1 sibling, 0 replies; 29+ messages in thread
From: Khem Raj @ 2025-05-07 19:51 UTC (permalink / raw)
To: Trevor Woerner
Cc: Ross Burton, Mikko Rapeli, Sathishkumar Duraisamy,
openembedded-core@lists.openembedded.org
On Wed, May 7, 2025 at 12:10 PM Trevor Woerner <twoerner@gmail.com> wrote:
>
> On Wed 2025-05-07 @ 03:04:49 PM, Trevor Woerner wrote:
> > On Wed 2025-05-07 @ 11:38:12 AM, Khem Raj wrote:
> > > On Wed, May 7, 2025 at 11:34 AM Ross Burton <Ross.Burton@arm.com> wrote:
> > > >
> > > > On 7 May 2025, at 19:29, Trevor Woerner via lists.openembedded.org <twoerner=gmail.com@lists.openembedded.org> wrote:
> > > > >
> > > > > I stumbled across this build issue via a completely different route than most
> > > > > others, it seems, and certainly different than what you have described. I'm
> > > > > not using meta-security and I'm not using tpm2. Therefore your patch will do
> > > > > little to solve my build, and others will likely stumble across this issue by
> > > > > other routes as well.
> > > >
> > > > For what it’s worth, we’re seeing this without meta-security too. This needs to be worked around in core (personally, I’d remove —fatal-warnings from systemd until openssl includes the GCS hints).
> > > >
> > >
> > > thats a bigger hammer, I would suggest to apply
> > > LDFLAGS:append:aarch64 = " -Wl,-z,gcs-report-dynamic=none"
> > > in systemd recipe in core
> >
> > If we want to make the hammer smaller, it's only triggered when:
> >
> > PACKAGECONFIG:append:pn-systemd = " openssl"
> >
>
> diff --git a/meta/recipes-core/systemd/systemd_257.5.bb b/meta/recipes-core/systemd/systemd_257.5.bb
> index acf97517a94a..995b55580e4a 100644
> --- a/meta/recipes-core/systemd/systemd_257.5.bb
> +++ b/meta/recipes-core/systemd/systemd_257.5.bb
> @@ -240,6 +240,7 @@ RESOLV_CONF ??= ""
> # bpf-framework: pass the recipe-sysroot to the compiler used to build
> # the eBPFs, so that it can find needed system includes in there.
> CFLAGS:append = " --sysroot=${STAGING_DIR_TARGET}"
> +LDFLAGS:append:aarch64 = " ${@bb.utils.contains('PACKAGECONFIG', 'openssl', '-Wl,-z,gcs-report-dynamic=none', '', d)}"
>
LGTM
> EXTRA_OEMESON += "-Dnobody-user=nobody \
> -Dnobody-group=nogroup \
>
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-07 19:10 ` Trevor Woerner
2025-05-07 19:51 ` Khem Raj
@ 2025-05-08 6:22 ` Mikko Rapeli
2025-05-08 7:00 ` Khem Raj
1 sibling, 1 reply; 29+ messages in thread
From: Mikko Rapeli @ 2025-05-08 6:22 UTC (permalink / raw)
To: Trevor Woerner
Cc: Khem Raj, Ross Burton, Sathishkumar Duraisamy,
openembedded-core@lists.openembedded.org
Hi,
On Wed, May 07, 2025 at 03:10:29PM -0400, Trevor Woerner wrote:
> On Wed 2025-05-07 @ 03:04:49 PM, Trevor Woerner wrote:
> > On Wed 2025-05-07 @ 11:38:12 AM, Khem Raj wrote:
> > > On Wed, May 7, 2025 at 11:34 AM Ross Burton <Ross.Burton@arm.com> wrote:
> > > >
> > > > On 7 May 2025, at 19:29, Trevor Woerner via lists.openembedded.org <twoerner=gmail.com@lists.openembedded.org> wrote:
> > > > >
> > > > > I stumbled across this build issue via a completely different route than most
> > > > > others, it seems, and certainly different than what you have described. I'm
> > > > > not using meta-security and I'm not using tpm2. Therefore your patch will do
> > > > > little to solve my build, and others will likely stumble across this issue by
> > > > > other routes as well.
> > > >
> > > > For what it’s worth, we’re seeing this without meta-security too. This needs to be worked around in core (personally, I’d remove —fatal-warnings from systemd until openssl includes the GCS hints).
> > > >
> > >
> > > thats a bigger hammer, I would suggest to apply
> > > LDFLAGS:append:aarch64 = " -Wl,-z,gcs-report-dynamic=none"
> > > in systemd recipe in core
> >
> > If we want to make the hammer smaller, it's only triggered when:
> >
> > PACKAGECONFIG:append:pn-systemd = " openssl"
> >
>
> diff --git a/meta/recipes-core/systemd/systemd_257.5.bb b/meta/recipes-core/systemd/systemd_257.5.bb
> index acf97517a94a..995b55580e4a 100644
> --- a/meta/recipes-core/systemd/systemd_257.5.bb
> +++ b/meta/recipes-core/systemd/systemd_257.5.bb
> @@ -240,6 +240,7 @@ RESOLV_CONF ??= ""
> # bpf-framework: pass the recipe-sysroot to the compiler used to build
> # the eBPFs, so that it can find needed system includes in there.
> CFLAGS:append = " --sysroot=${STAGING_DIR_TARGET}"
> +LDFLAGS:append:aarch64 = " ${@bb.utils.contains('PACKAGECONFIG', 'openssl', '-Wl,-z,gcs-report-dynamic=none', '', d)}"
>
> EXTRA_OEMESON += "-Dnobody-user=nobody \
> -Dnobody-group=nogroup \
I would prefer this but in the past I had trouble getting non-default
config fixes to oe-core and thus I proposed the patch to meta-security/meta-tpm
only. I do understand that "openssl" in systemd PACKAGECONFIG can be enabled
in a number of builds and setups, but it's not the default. Maybe
it should be the default, together with "repart"? Another thread, hopefully
shorter than "efi".
There are a lot of corner cases and non-default configs which need fixes
to oe-core. I would like to understand what the policy for fixes is.
I think it would make sense to enable more features by default, but allow them
to be disabled. TPM support being one of them.
Cheers,
-Mikko
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [OE-core] systemd build failure with gcc 15 / tpm2 / aarch64: gcs required
2025-05-08 6:22 ` Mikko Rapeli
@ 2025-05-08 7:00 ` Khem Raj
0 siblings, 0 replies; 29+ messages in thread
From: Khem Raj @ 2025-05-08 7:00 UTC (permalink / raw)
To: Mikko Rapeli
Cc: Trevor Woerner, Ross Burton, Sathishkumar Duraisamy,
openembedded-core@lists.openembedded.org
On Wed, May 7, 2025 at 11:22 PM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
>
> Hi,
>
> On Wed, May 07, 2025 at 03:10:29PM -0400, Trevor Woerner wrote:
> > On Wed 2025-05-07 @ 03:04:49 PM, Trevor Woerner wrote:
> > > On Wed 2025-05-07 @ 11:38:12 AM, Khem Raj wrote:
> > > > On Wed, May 7, 2025 at 11:34 AM Ross Burton <Ross.Burton@arm.com> wrote:
> > > > >
> > > > > On 7 May 2025, at 19:29, Trevor Woerner via lists.openembedded.org <twoerner=gmail.com@lists.openembedded.org> wrote:
> > > > > >
> > > > > > I stumbled across this build issue via a completely different route than most
> > > > > > others, it seems, and certainly different than what you have described. I'm
> > > > > > not using meta-security and I'm not using tpm2. Therefore your patch will do
> > > > > > little to solve my build, and others will likely stumble across this issue by
> > > > > > other routes as well.
> > > > >
> > > > > For what it’s worth, we’re seeing this without meta-security too. This needs to be worked around in core (personally, I’d remove —fatal-warnings from systemd until openssl includes the GCS hints).
> > > > >
> > > >
> > > > thats a bigger hammer, I would suggest to apply
> > > > LDFLAGS:append:aarch64 = " -Wl,-z,gcs-report-dynamic=none"
> > > > in systemd recipe in core
> > >
> > > If we want to make the hammer smaller, it's only triggered when:
> > >
> > > PACKAGECONFIG:append:pn-systemd = " openssl"
> > >
> >
> > diff --git a/meta/recipes-core/systemd/systemd_257.5.bb b/meta/recipes-core/systemd/systemd_257.5.bb
> > index acf97517a94a..995b55580e4a 100644
> > --- a/meta/recipes-core/systemd/systemd_257.5.bb
> > +++ b/meta/recipes-core/systemd/systemd_257.5.bb
> > @@ -240,6 +240,7 @@ RESOLV_CONF ??= ""
> > # bpf-framework: pass the recipe-sysroot to the compiler used to build
> > # the eBPFs, so that it can find needed system includes in there.
> > CFLAGS:append = " --sysroot=${STAGING_DIR_TARGET}"
> > +LDFLAGS:append:aarch64 = " ${@bb.utils.contains('PACKAGECONFIG', 'openssl', '-Wl,-z,gcs-report-dynamic=none', '', d)}"
> >
> > EXTRA_OEMESON += "-Dnobody-user=nobody \
> > -Dnobody-group=nogroup \
>
> I would prefer this but in the past I had trouble getting non-default
> config fixes to oe-core and thus I proposed the patch to meta-security/meta-tpm
> only. I do understand that "openssl" in systemd PACKAGECONFIG can be enabled
> in a number of builds and setups, but it's not the default. Maybe
> it should be the default, together with "repart"? Another thread, hopefully
> shorter than "efi".
>
if there are more than one usecases that makes a stronger case to
apply it in recipe proper.
we also allowed inert code in core e.g. disabled package configs
checks in tasks to tweak something
if changes are made for a particular case that inserts itself in main
flow, it needs tests and those changes are
also have better changes to be accepted.
> There are a lot of corner cases and non-default configs which need fixes
> to oe-core. I would like to understand what the policy for fixes is.
>
> I think it would make sense to enable more features by default, but allow them
> to be disabled. TPM support being one of them.
Enabling more can change behavior, so using a sane default is all we
strive for. there are
many combinations and we can not test all of them, so we have to stick
to a known set and above thoughts go into
deciding that.
>
> Cheers,
>
> -Mikko
^ permalink raw reply [flat|nested] 29+ messages in thread
end of thread, other threads:[~2025-05-08 7:01 UTC | newest]
Thread overview: 29+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-05 11:46 systemd build failure with gcc 15 / tpm2 / aarch64: gcs required Max Krummenacher
2025-05-05 12:33 ` [OE-core] " Vyacheslav Yurkov
2025-05-05 12:56 ` Max Krummenacher
2025-05-05 14:45 ` Khem Raj
2025-05-05 19:09 ` [OE-core] " Randy MacLeod
2025-05-06 11:38 ` Sathishkumar D
2025-05-06 12:24 ` [OE-core] " Mikko Rapeli
2025-05-06 13:13 ` Khem Raj
2025-05-06 13:28 ` Sathishkumar Duraisamy
2025-05-06 13:32 ` Khem Raj
2025-05-06 13:45 ` Mikko Rapeli
2025-05-06 14:21 ` Max Krummenacher
2025-05-06 22:59 ` Khem Raj
2025-05-07 6:04 ` Sathishkumar Duraisamy
2025-05-07 6:14 ` Khem Raj
2025-05-07 8:22 ` Mikko Rapeli
[not found] ` <183D310FC8853D5E.1749@lists.openembedded.org>
2025-05-07 8:31 ` Mikko Rapeli
2025-05-07 8:55 ` Sathishkumar Duraisamy
2025-05-07 14:22 ` Mikko Rapeli
2025-05-07 14:35 ` Khem Raj
2025-05-07 16:05 ` Sathishkumar Duraisamy
2025-05-07 18:29 ` Trevor Woerner
2025-05-07 18:33 ` Ross Burton
2025-05-07 18:38 ` Khem Raj
2025-05-07 19:04 ` Trevor Woerner
2025-05-07 19:10 ` Trevor Woerner
2025-05-07 19:51 ` Khem Raj
2025-05-08 6:22 ` Mikko Rapeli
2025-05-08 7:00 ` Khem Raj
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox