Re: security/nss targeting armv7 tries to compile armv8-a source code: nss/lib/freebl/aes-armv8.c
Date: Thu, 29 Aug 2024 09:04:08 UTC
On 29. 8. 2024 9:48, Mark Millard wrote: > nss/lib/freebl/Makefile has: > > ifeq ($(CPU_ARCH),arm) > $(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8 > $(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon > endif > > but targeting -mcpu=cortex-a7 (an armv7) results in the likes of: > > cc -o FreeBSD15.0_OPT.OBJ/FreeBSD_SINGLE_SHLIB/aes-armv8.o -c -std=c99 -O2 -gline-tables-only -pipe -mcpu=cortex-a7 . . . . -march=armv8-a -mfpu=crypto-neon-fp-armv8 aes-armv8.c > cc: warning: ignoring extension 'sha2' because the 'armv7-a' architecture does not support it [-Winvalid-command-line-argument] > cc: warning: ignoring extension 'aes' because the 'armv7-a' architecture does not support it [-Winvalid-command-line-argument] > aes-armv8.c:14:2: error: "Compiler option is invalid" > 14 | #error "Compiler option is invalid" > | ^ > > from nss/lib/freebl/aes-armv8.c: > > . . . > #include "secerr.h" > #include "rijndael.h" > > #if ((defined(__clang__) || \ > (defined(__GNUC__) && defined(__GNUC_MINOR__) && \ > (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8)))) && \ > defined(IS_LITTLE_ENDIAN)) > > #ifndef __ARM_FEATURE_CRYPTO > #error "Compiler option is invalid" > #endif > > #include <arm_neon.h> > . . . > > (The example happens to be for 3.103 .) > > Seems odd to me to have armv7 targeting have any dependency on > armv8 encoded instructions that from well after armv7 was > defined. (Even if the goal is to have the processor reject the > instructions.) > The short answer is that nss works fine (compiled with default options). The longer story is that nss dynamically determines the optimal/fastest implementation of various cryptographic routines. Because of this, you need to compile all versions - basic, using neon, or using 32-bit armv8 encryption instructions (sha2, aes)... Passing -mcpu or -march will break everything. This is probably a small problem with nss make (and there is a question what the expected behavior is), but the actual impact of this bug for freebsd users is imho close to zero.. Michal Meloun > > Note: I ran into this trying to see if I could build www/firefox > in a armv7 jail on a aarch64 that supports armv7 code. BE_WASM > for llvm*'s may be a waste of resources if armv7 based builds > are just not going to work. (I do not normally build firefox.) > > === > Mark Millard > marklmi at yahoo.com > >