From mboxrd@z Thu Jan  1 00:00:00 1970
Delivery-date: Fri, 19 Sep 2025 07:38:28 +0200
Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104])
	by lore.white.stw.pengutronix.de with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <ptxdist-bounces+lore=lore.pengutronix.de@pengutronix.de>)
	id 1uzTpE-004k2M-16
	for lore@lore.pengutronix.de;
	Fri, 19 Sep 2025 07:38:28 +0200
Received: from localhost ([127.0.0.1] helo=metis.whiteo.stw.pengutronix.de)
	by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92)
	(envelope-from <ptxdist-bounces@pengutronix.de>)
	id 1uzTpE-0003lp-5G; Fri, 19 Sep 2025 07:38:28 +0200
Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2])
 by metis.whiteo.stw.pengutronix.de with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mol@pengutronix.de>)
 id 1uzTp8-0003le-O9; Fri, 19 Sep 2025 07:38:22 +0200
Received: from pty.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::c5])
 by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96)
 (envelope-from <mol@pengutronix.de>) id 1uzTp8-0023XN-1o;
 Fri, 19 Sep 2025 07:38:22 +0200
Received: from mol by pty.whiteo.stw.pengutronix.de with local (Exim 4.96)
 (envelope-from <mol@pengutronix.de>) id 1uzTp8-000KFN-1U;
 Fri, 19 Sep 2025 07:38:22 +0200
Date: Fri, 19 Sep 2025 07:38:22 +0200
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Message-ID: <aMzsTlOa90pGbr4I@pengutronix.de>
Mail-Followup-To: ptxdist@pengutronix.de,
 ruggero rossi <rugrossi@googlemail.com>
References: <20250917083239.145112e9@RR-Laptop>
 <de26260c-079d-41c1-8a13-15deb79e53a7@t2data.com>
 <20250917110003.6587c431@RR-Laptop>
 <ea633f3d-68a4-42f0-ab3c-12a035edf6e6@t2data.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ea633f3d-68a4-42f0-ab3c-12a035edf6e6@t2data.com>
X-Sent-From: Pengutronix Hildesheim
X-URL: http://www.pengutronix.de/
X-Accept-Language: de,en
X-Accept-Content-Type: text/plain
X-IRC: #ptxdist @freenode
Subject: Re: [ptxdist] PTXDIST 2025.09.0: build failure of openssl-3.5.2
 when gcc option -fzero-call-used-regs is not supported
X-BeenThere: ptxdist@pengutronix.de
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <https://metis.pengutronix.de/mailman/options/ptxdist>,
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <https://metis.pengutronix.de/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <https://metis.pengutronix.de/mailman/listinfo/ptxdist>,
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Cc: ruggero rossi <rugrossi@googlemail.com>
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de
X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false

On Wed, Sep 17, 2025 at 11:18:31AM +0200, Christian Melki wrote:
> On 9/17/25 11:00 AM, ruggero rossi wrote:
> > On Wed, 17 Sep 2025 10:30:04 +0200
> > Christian Melki <christian.melki@t2data.com> wrote:
> > > Which version of gcc are we talking about?
> > It is quite old, but I'm bound to it because some software does not
> > compile with newer versions. It looks like that the -fzero-call-used-regs
> > is supported from GCC 11 (released April 2021).
> > 
> > > GCC 11 should support this, but I don't know over which archs.
> > > It is there as a security enhancement. I would say something like less
> > > gadgets for ROP style attacks? And while it does slow down execution,
> > > for something like OpenSSL, it usually is worth it imho.
> > I agree.... The option is a must, when it is supported.
> > 
> > Moreover, I found a comment in some openssh (not openssl) tracking,
> > saying that to detect whether a version of gcc supports the option or not
> > may be not trivial.

Note, that there used to be a patch that removed the flag. I looked into
this and decided it was time to remove it. I wanted the extra security.
If you absolutely need to use an old compiler, then you can find the patch
in older ptxdist versions and apply it locally.

Michael

> > > I don't see a suitable toolchain option or hardening flag in ptxdist
> > > that currently fits this cleanly.  Not sure if something like this fits
> > > for a its own global pass either. Maybe someone else has another opinion.
> > > 
> > > So my immediate suggestion would be to keep this local at your end for
> > > now.
> > 
> > OK - and these messages remain as a help if anyone else has the same
> > problem.
> 
> Indeed. Appreciate the time taken to report it.



-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |