There is an openssl build error if the prebuilt FIPS object module is built on target with a CPU which supports AVX/AVX2 instruction set. Add section "Known Issues" to describe this issue.
Signed-off-by: Yi Zhao <[email protected]> --- README.build | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/README.build b/README.build index 102c850..36e3875 100644 --- a/README.build +++ b/README.build @@ -254,3 +254,31 @@ Note this sample command is functionally equivalent to: $ env OPENSSL_FIPS=1 openssl sha1 -hmac etaonrishdlcupfm fips_hmac.c HMAC-SHA1(fips_hmac.c)= ae25ad68d9a8cc04075100563a437fa37829afcc +======================= +Known Issues +======================= +If the CPU on target machine which building FIPS object module is newer than +Nehalem (e.g. Sandy Brigde) or is an Intel Atom processor. Then you may +encounter an error when building openssl with the FIPS object module: +qemu: uncaught target signal 4 (Illegal instruction). + +The current processor emulated in qemu is set to Nehalem. But the GCC will use +-march=native to enable all instruction subsets supported by the target machine +when building FIPS object module. The illegal instruction error will occur if +some instruction subsets (e.g AVX/AVX2) are not supported by Nehalem. + +To check if the CPU is Intel Atom: +$ cat /proc/cpuinfo | grep "Atom" + +To check if the CPU supports AVX/AVX2: +$ cat /proc/cpuinfo | grep "avx" +Or: +$ gcc -dM -E - < /dev/null | grep "AVX" + +As a workaround, we can specify -march=nehalem in GCC before build the FIPS +object module: +$ export CC="gcc -march=nehalem" +$ ./config [no-asm] +$ make +$ make install + -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#53213): https://lists.yoctoproject.org/g/yocto/message/53213 Mute This Topic: https://lists.yoctoproject.org/mt/82280210/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
