Re: security/nss targeting armv7 tries to compile armv8-a source code: nss/lib/freebl/aes-armv8.c

From: Michal Meloun <meloun.michal_at_gmail.com>
Date: Thu, 29 Aug 2024 09:04:08 UTC

On 29. 8. 2024 9:48, Mark Millard wrote:
> nss/lib/freebl/Makefile has:
> 
> ifeq ($(CPU_ARCH),arm)
> $(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8
> $(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon
> endif
> 
> but targeting -mcpu=cortex-a7 (an armv7) results in the likes of:
> 
> cc -o FreeBSD15.0_OPT.OBJ/FreeBSD_SINGLE_SHLIB/aes-armv8.o -c -std=c99 -O2 -gline-tables-only -pipe -mcpu=cortex-a7  . . . .  -march=armv8-a -mfpu=crypto-neon-fp-armv8 aes-armv8.c
> cc: warning: ignoring extension 'sha2' because the 'armv7-a' architecture does not support it [-Winvalid-command-line-argument]
> cc: warning: ignoring extension 'aes' because the 'armv7-a' architecture does not support it [-Winvalid-command-line-argument]
> aes-armv8.c:14:2: error: "Compiler option is invalid"
>     14 | #error "Compiler option is invalid"
>        |  ^
> 
> from nss/lib/freebl/aes-armv8.c:
> 
> . . .
> #include "secerr.h"
> #include "rijndael.h"
> 
> #if ((defined(__clang__) ||                                         \
>        (defined(__GNUC__) && defined(__GNUC_MINOR__) &&              \
>         (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8)))) && \
>       defined(IS_LITTLE_ENDIAN))
> 
> #ifndef __ARM_FEATURE_CRYPTO
> #error "Compiler option is invalid"
> #endif
> 
> #include <arm_neon.h>
> . . .
> 
> (The example happens to be for 3.103 .)
> 
> Seems odd to me to have armv7 targeting have any dependency on
> armv8 encoded instructions that from well after armv7 was
> defined. (Even if the goal is to have the processor reject the
> instructions.)
> 

The short answer is that nss works fine (compiled with default options).

The longer story is that nss dynamically determines the optimal/fastest 
implementation of various cryptographic routines. Because of this, you 
need to compile all versions - basic, using neon, or using 32-bit armv8 
encryption instructions (sha2, aes)... Passing -mcpu or -march will 
break everything.
This is probably a small problem with nss make (and there is a question 
what the expected behavior is), but the actual impact of this bug for 
freebsd users is imho close to zero..
Michal Meloun

> 
> Note: I ran into this trying to see if I could build www/firefox
> in a armv7 jail on a aarch64 that supports armv7 code. BE_WASM
> for llvm*'s may be a waste of resources if armv7 based builds
> are just not going to work. (I do not normally build firefox.)
> 
> ===
> Mark Millard
> marklmi at yahoo.com
> 
>