Thanks you for this answer. As you mentioned, the problem is relative to GCC. I already tried the last version of cryptopp which resulted in the same problem and did not find any point about this in cryptopp documentation.
As you mentioned, my concern is about the same level of security in 22.04 as I had in 18.04. As I am not familiar with these options I was hoping someone in the community (or in cryptopp team) had already been confronted to this issue and could help to find the best solution... Le jeudi 28 septembre 2023 à 11:56:50 UTC+2, One Sini a écrit : > The error you encountered, "error: '-mindirect-branch' and > 'fcf-protection' are not compatible," is related to compiler options that > affect control flow integrity and branch protection. This error typically > arises when certain compiler flags are incompatible with each other. > > In your original build with Crypto++ 8.2.0 on Ubuntu 18.04, you were using > the following flags: > > bashCopy code > > CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk -mindirect-branch=thunk" make > static > > However, on Ubuntu 22.04 with GCC 11.4.0, these flags seem to conflict > with each other, leading to the error you mentioned. > > You mentioned two alternative sets of flags that succeeded in the build: > > 1. > > Using -fcf-protection=none to disable Control-Flow Integrity (CFI) > protection: > > bashCopy code > > > > 1. > > CXXFLAGS="-DNDEBUG -O3 -fcf-protection=none -mfunction-return=thunk > -mindirect-branch=thunk" make static > > > > 1. > > 2. > > Using -mfunction-return=thunk-extern instead of -mfunction-return=thunk > : > > bashCopy code > > > > 1. > > CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk-extern > -mindirect-branch=thunk-extern" make static > > > > 1. > > > Here are some recommendations: > > 1. > > *Understand the Impact:* It's important to understand the impact of > changing these compiler flags. Control-Flow Integrity (CFI) and branch > protection are security features that help protect against certain types > of > exploits. Disabling them (-fcf-protection=none) or changing their > behavior (-mfunction-return=thunk-extern) can potentially reduce > security. > 2. > > *Check Crypto++ Compatibility:* Check the Crypto++ documentation and > release notes to see if there are any specific recommendations or updates > for compiling on newer versions of GCC or Ubuntu. There might be changes > or > adjustments required in the build process or flags for newer compiler > versions. > 3. > > *Consider Security Implications:* If you are building a > security-critical application, disabling or changing security-related > flags > should be done cautiously. Evaluate the security implications of your > chosen compiler flags and make sure they align with your project's > security > requirements. > 4. > > *Test Thoroughly:* After making changes to compiler flags, thoroughly > test your application to ensure it functions correctly and securely. Pay > close attention to any potential security vulnerabilities that might be > introduced by the changes. > 5. > > *Keep Software Updated:* If possible, consider updating Crypto++ to a > newer version that might have better compatibility with your target > compiler and platform. Newer versions of libraries often include bug fixes > and improvements for the latest compiler versions. > > In summary, the flags you used to build Crypto++ on Ubuntu 22.04 with GCC > 11.4.0 may have been necessary to resolve the compatibility issue, but they > may have security implications. It's important to carefully consider these > implications and potentially explore updates or alternatives to maintain > both security and compatibility. > > The error you encountered, "error: '-mindirect-branch' and > 'fcf-protection' are not compatible," is related to compiler options that > affect control flow integrity and branch protection. This error typically > arises when certain compiler flags are incompatible with each other. > > In your original build with Crypto++ 8.2.0 on Ubuntu 18.04, you were using > the following flags: > > bashCopy code > > CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk -mindirect-branch=thunk" make > static > > However, on Ubuntu 22.04 with GCC 11.4.0, these flags seem to conflict > with each other, leading to the error you mentioned. > > You mentioned two alternative sets of flags that succeeded in the build: > > 1. > > Using -fcf-protection=none to disable Control-Flow Integrity (CFI) > protection: > > bashCopy code > > > > 1. > > CXXFLAGS="-DNDEBUG -O3 -fcf-protection=none -mfunction-return=thunk > -mindirect-branch=thunk" make static > > > > 1. > > 2. > > Using -mfunction-return=thunk-extern instead of -mfunction-return=thunk > : > > bashCopy code > > > > 1. > > CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk-extern > -mindirect-branch=thunk-extern" make static > > > > 1. > > > Here are some recommendations: > > 1. > > *Understand the Impact:* It's important to understand the impact of > changing these compiler flags. Control-Flow Integrity (CFI) and branch > protection are security features that help protect against certain types > of > exploits. Disabling them (-fcf-protection=none) or changing their > behavior (-mfunction-return=thunk-extern) can potentially reduce > security. > 2. > > *Check Crypto++ Compatibility:* Check the Crypto++ documentation and > release notes to see if there are any specific recommendations or updates > for compiling on newer versions of GCC or Ubuntu. There might be changes > or > adjustments required in the build process or flags for newer compiler > versions. > 3. > > *Consider Security Implications:* If you are building a > security-critical application, disabling or changing security-related > flags > should be done cautiously. Evaluate the security implications of your > chosen compiler flags and make sure they align with your project's > security > requirements. > 4. > > *Test Thoroughly:* After making changes to compiler flags, thoroughly > test your application to ensure it functions correctly and securely. Pay > close attention to any potential security vulnerabilities that might be > introduced by the changes. > 5. > > *Keep Software Updated:* If possible, consider updating Crypto++ to a > newer version that might have better compatibility with your target > compiler and platform. Newer versions of libraries often include bug fixes > and improvements for the latest compiler versions. > > In summary, the flags you used to build Crypto++ on Ubuntu 22.04 with GCC > 11.4.0 may have been necessary to resolve the compatibility issue, but they > may have security implications. It's important to carefully consider these > implications and potentially explore updates or alternatives to maintain > both security and compatibility. > > > Jeffrey Walton <nolo...@gmail.com> schrieb am Mo. 25. Sept. 2023 um 17:08: > >> >> >> On Monday, September 25, 2023 at 10:13:03 AM UTC-4 Krissscool72 wrote: >> >> until now I was using cryptopp 8.2.0 on Ubuntu 18.04 and builting it with >> CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk -mindirect-branch=thunk" >> make static >> >> I tried to build it on Ubuntu 22.04: >> - Linux version 5.15.0-82-generic >> - gcc 11.4.0 >> >> and encountered the followinf error: >> /usr/include/c++/11/cstddef:126:48: error: '-mindirect-branch' and >> 'fcf-protection' are not compatible >> >> *Do you have any idea where it comes from ?* >> >> I tried to compile with the following options instead: >> CXXFLAGS="-DNDEBUG -O3 -fcf-protection=none -mfunction-return=thunk >> -mindirect-branch=thunk" make static >> OR >> CXXFLAGS="-DNDEBUG -O3 -mfunction-return=thunk-extern >> -mindirect-branch=thunk-extern" make static >> which succeedeed. >> >> *Do you have any recommandation on the best thing to do ?* >> >> >> And I think these are the GCC bugs: >> >> * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87412 >> * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93654 >> >> Jeff >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Crypto++ Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to cryptopp-user...@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/cryptopp-users/fef2d7f1-3347-4cda-a521-6b4b8b95d832n%40googlegroups.com >> >> <https://groups.google.com/d/msgid/cryptopp-users/fef2d7f1-3347-4cda-a521-6b4b8b95d832n%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "Crypto++ Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to cryptopp-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/cryptopp-users/caa69af8-f146-4371-9648-b8afebd2f092n%40googlegroups.com.
