Build on Ubuntu 22.04

187 views
Skip to first unread message

Krissscool72

unread,
Sep 25, 2023, 10:13:03 AM9/25/23
to Crypto++ Users
Hi,
until now I was using cryptopp 8.2.0 on Ubuntu 18.04 and builting it with 
CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk -mindirect-branch=thunk" 
make static

I tried to build it on Ubuntu 22.04:
- Linux version 5.15.0-82-generic
- gcc 11.4.0

and encountered the followinf error:
/usr/include/c++/11/cstddef:126:48: error: '-mindirect-branch' and 
'fcf-protection' are not compatible

*Do you have any idea where it comes from ?*

I tried to compile with the following options instead:
CXXFLAGS="-DNDEBUG -O3 -fcf-protection=none -mfunction-return=thunk 
-mindirect-branch=thunk" make static 
OR
CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk-extern 
-mindirect-branch=thunk-extern" make static 
which succeedeed.

*Do you have any recommandation on the best thing to do ?*

Thanks in advance!

Jeffrey Walton

unread,
Sep 25, 2023, 11:03:42 AM9/25/23
to Crypto++ Users

Jeffrey Walton

unread,
Sep 25, 2023, 11:08:16 AM9/25/23
to Crypto++ Users
On Monday, September 25, 2023 at 10:13:03 AM UTC-4 Krissscool72 wrote:

Krissscool72

unread,
Sep 25, 2023, 6:36:18 PM9/25/23
to Crypto++ Users
Thanks for the answer. This explains where it comes from. 
Regarding my second question: Do you have any recommandation on the best thing to do ? What is the solution to build cryptopp as before ?

Thanks in advance.

One Sini

unread,
Sep 28, 2023, 5:56:50 AM9/28/23
to cryptop...@googlegroups.com

The error you encountered, "error: '-mindirect-branch' and 'fcf-protection' are not compatible," is related to compiler options that affect control flow integrity and branch protection. This error typically arises when certain compiler flags are incompatible with each other.

In your original build with Crypto++ 8.2.0 on Ubuntu 18.04, you were using the following flags:

bash
CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk -mindirect-branch=thunk" make static

However, on Ubuntu 22.04 with GCC 11.4.0, these flags seem to conflict with each other, leading to the error you mentioned.

You mentioned two alternative sets of flags that succeeded in the build:

  1. Using -fcf-protection=none to disable Control-Flow Integrity (CFI) protection:

    bash
  1. CXXFLAGS="-DNDEBUG -O3 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk" make static
  1. Using -mfunction-return=thunk-extern instead of -mfunction-return=thunk:

    bash
  1. CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk-extern -mindirect-branch=thunk-extern" make static

Here are some recommendations:

  1. Understand the Impact: It's important to understand the impact of changing these compiler flags. Control-Flow Integrity (CFI) and branch protection are security features that help protect against certain types of exploits. Disabling them (-fcf-protection=none) or changing their behavior (-mfunction-return=thunk-extern) can potentially reduce security.

  2. Check Crypto++ Compatibility: Check the Crypto++ documentation and release notes to see if there are any specific recommendations or updates for compiling on newer versions of GCC or Ubuntu. There might be changes or adjustments required in the build process or flags for newer compiler versions.

  3. Consider Security Implications: If you are building a security-critical application, disabling or changing security-related flags should be done cautiously. Evaluate the security implications of your chosen compiler flags and make sure they align with your project's security requirements.

  4. Test Thoroughly: After making changes to compiler flags, thoroughly test your application to ensure it functions correctly and securely. Pay close attention to any potential security vulnerabilities that might be introduced by the changes.

  5. Keep Software Updated: If possible, consider updating Crypto++ to a newer version that might have better compatibility with your target compiler and platform. Newer versions of libraries often include bug fixes and improvements for the latest compiler versions.

In summary, the flags you used to build Crypto++ on Ubuntu 22.04 with GCC 11.4.0 may have been necessary to resolve the compatibility issue, but they may have security implications. It's important to carefully consider these implications and potentially explore updates or alternatives to maintain both security and compatibility.

The error you encountered, "error: '-mindirect-branch' and 'fcf-protection' are not compatible," is related to compiler options that affect control flow integrity and branch protection. This error typically arises when certain compiler flags are incompatible with each other.

In your original build with Crypto++ 8.2.0 on Ubuntu 18.04, you were using the following flags:

bash
CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk -mindirect-branch=thunk" make static

However, on Ubuntu 22.04 with GCC 11.4.0, these flags seem to conflict with each other, leading to the error you mentioned.

You mentioned two alternative sets of flags that succeeded in the build:

  1. Using -fcf-protection=none to disable Control-Flow Integrity (CFI) protection:

    bash
  1. CXXFLAGS="-DNDEBUG -O3 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk" make static
  1. Using -mfunction-return=thunk-extern instead of -mfunction-return=thunk:

    bash
  1. CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk-extern -mindirect-branch=thunk-extern" make static

Here are some recommendations:

  1. Understand the Impact: It's important to understand the impact of changing these compiler flags. Control-Flow Integrity (CFI) and branch protection are security features that help protect against certain types of exploits. Disabling them (-fcf-protection=none) or changing their behavior (-mfunction-return=thunk-extern) can potentially reduce security.

  2. Check Crypto++ Compatibility: Check the Crypto++ documentation and release notes to see if there are any specific recommendations or updates for compiling on newer versions of GCC or Ubuntu. There might be changes or adjustments required in the build process or flags for newer compiler versions.

  3. Consider Security Implications: If you are building a security-critical application, disabling or changing security-related flags should be done cautiously. Evaluate the security implications of your chosen compiler flags and make sure they align with your project's security requirements.

  4. Test Thoroughly: After making changes to compiler flags, thoroughly test your application to ensure it functions correctly and securely. Pay close attention to any potential security vulnerabilities that might be introduced by the changes.

  5. Keep Software Updated: If possible, consider updating Crypto++ to a newer version that might have better compatibility with your target compiler and platform. Newer versions of libraries often include bug fixes and improvements for the latest compiler versions.

In summary, the flags you used to build Crypto++ on Ubuntu 22.04 with GCC 11.4.0 may have been necessary to resolve the compatibility issue, but they may have security implications. It's important to carefully consider these implications and potentially explore updates or alternatives to maintain both security and compatibility.



--
You received this message because you are subscribed to the Google Groups "Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cryptopp-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cryptopp-users/fef2d7f1-3347-4cda-a521-6b4b8b95d832n%40googlegroups.com.

Krissscool72

unread,
Sep 28, 2023, 8:25:49 AM9/28/23
to Crypto++ Users
Thanks you for this answer.

As you mentioned, the problem is relative to GCC. I already tried the last version of cryptopp which resulted in the same problem and did not find any point about this in cryptopp documentation.

As you mentioned, my concern is about the same level of security in 22.04 as I had in 18.04. As I am not familiar with these options I was hoping someone in the community (or in cryptopp team) had already been confronted to this issue and could help to find the best solution...

Reply all
Reply to author
Forward
Message has been deleted
Message has been deleted
0 new messages