Known problem: the NOOPT builds fail due to PEI becoming too big.

What is the reason for doing these NOOPT builds?  I'm not sure what
value they provide.  But the lack of LTO bloats the binaries with dead
code, which is a constant source of trouble ...

v2 changes:
 - turn on crypto driver support by default.
 - left the config option in for now as fallback option.
   When all goes as planned remove it one or two releases
   later.
 - fix various build problems.

Gerd Hoffmann (10):
  CryptoPkg: move Driver PCD configs to include files
  CryptoPkg: add CryptoServicePcd.hash_only.dsc.inc
  CryptoPkg: add TPM hashes to CryptoServicePcd.min_dxe_smm.dsc.inc
  OvmfPkg: add OvmfCrypto*.inc
  OvmfPkg: OvmfPkgX64: use crypto includes
  OvmfPkg: OvmfPkgIa32X64: use crypto includes
  OvmfPkg: OvmfPkgIa32: use crypto includes
  OvmfPkg: Microvm: use crypto includes
  OvmfPkg: IntelTdx: use crypto includes
  OvmfPkg: AmdSev: use crypto includes

 .../Include/Dsc/CryptoServicePcd.all.dsc.inc  | 29 +++++++
 .../Dsc/CryptoServicePcd.hash_only.dsc.inc    |  8 ++
 .../Dsc/CryptoServicePcd.min_dxe_smm.dsc.inc  | 37 +++++++++
 .../Dsc/CryptoServicePcd.min_pei.dsc.inc      | 20 +++++
 .../Dsc/OvmfCryptoComponentsDxe.dsc.inc       | 23 ++++++
 .../Dsc/OvmfCryptoComponentsPei.dsc.inc       | 19 +++++
 .../Dsc/OvmfCryptoComponentsSmm.dsc.inc       | 18 +++++
 OvmfPkg/Include/Dsc/OvmfCryptoDefines.dsc.inc |  5 ++
 OvmfPkg/Include/Dsc/OvmfCryptoLibs.dsc.inc    | 57 ++++++++++++++
 CryptoPkg/CryptoPkg.dsc                       | 78 +------------------
 OvmfPkg/AmdSev/AmdSevX64.dsc                  | 12 ++-
 OvmfPkg/IntelTdx/IntelTdxX64.dsc              | 15 ++--
 OvmfPkg/Microvm/MicrovmX64.dsc                | 24 +++---
 OvmfPkg/OvmfPkgIa32.dsc                       | 22 +++---
 OvmfPkg/OvmfPkgIa32X64.dsc                    | 22 +++---
 OvmfPkg/OvmfPkgX64.dsc                        | 22 +++---
 OvmfPkg/AmdSev/AmdSevX64.fdf                  |  6 ++
 OvmfPkg/IntelTdx/IntelTdxX64.fdf              |  5 ++
 OvmfPkg/Microvm/MicrovmX64.fdf                |  7 ++
 OvmfPkg/OvmfPkgIa32.fdf                       |  6 ++
 OvmfPkg/OvmfPkgIa32X64.fdf                    |  6 ++
 OvmfPkg/OvmfPkgX64.fdf                        |  6 ++
 OvmfPkg/Include/Fdf/OvmfCryptoDxeSmm.fdf.inc  | 12 +++
 OvmfPkg/Include/Fdf/OvmfCryptoPei.fdf.inc     |  9 +++
 24 files changed, 331 insertions(+), 137 deletions(-)
 create mode 100644 CryptoPkg/Include/Dsc/CryptoServicePcd.all.dsc.inc
 create mode 100644 CryptoPkg/Include/Dsc/CryptoServicePcd.hash_only.dsc.inc
 create mode 100644 CryptoPkg/Include/Dsc/CryptoServicePcd.min_dxe_smm.dsc.inc
 create mode 100644 CryptoPkg/Include/Dsc/CryptoServicePcd.min_pei.dsc.inc
 create mode 100644 OvmfPkg/Include/Dsc/OvmfCryptoComponentsDxe.dsc.inc
 create mode 100644 OvmfPkg/Include/Dsc/OvmfCryptoComponentsPei.dsc.inc
 create mode 100644 OvmfPkg/Include/Dsc/OvmfCryptoComponentsSmm.dsc.inc
 create mode 100644 OvmfPkg/Include/Dsc/OvmfCryptoDefines.dsc.inc
 create mode 100644 OvmfPkg/Include/Dsc/OvmfCryptoLibs.dsc.inc
 create mode 100644 OvmfPkg/Include/Fdf/OvmfCryptoDxeSmm.fdf.inc
 create mode 100644 OvmfPkg/Include/Fdf/OvmfCryptoPei.fdf.inc

-- 
2.39.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99870): https://edk2.groups.io/g/devel/message/99870
Mute This Topic: https://groups.io/mt/96850388/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

On Thu, 9 Feb 2023 at 11:27, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> Known problem: the NOOPT builds fail due to PEI becoming too big.
>
> What is the reason for doing these NOOPT builds?

They are very useful for doing single step debugging with GDB. On ARM,
I use the NOOPT builds fairly regularly.

>  I'm not sure what
> value they provide.  But the lack of LTO bloats the binaries with dead
> code, which is a constant source of trouble ...
>

> v2 changes:
>  - turn on crypto driver support by default.
>  - left the config option in for now as fallback option.
>    When all goes as planned remove it one or two releases
>    later.
>  - fix various build problems.
>
> Gerd Hoffmann (10):
>   CryptoPkg: move Driver PCD configs to include files
>   CryptoPkg: add CryptoServicePcd.hash_only.dsc.inc
>   CryptoPkg: add TPM hashes to CryptoServicePcd.min_dxe_smm.dsc.inc
>   OvmfPkg: add OvmfCrypto*.inc
>   OvmfPkg: OvmfPkgX64: use crypto includes
>   OvmfPkg: OvmfPkgIa32X64: use crypto includes
>   OvmfPkg: OvmfPkgIa32: use crypto includes
>   OvmfPkg: Microvm: use crypto includes
>   OvmfPkg: IntelTdx: use crypto includes
>   OvmfPkg: AmdSev: use crypto includes
>

This looks fine to me but I'll give other folks some time to chime in.

Thanks,

>  .../Include/Dsc/CryptoServicePcd.all.dsc.inc  | 29 +++++++
>  .../Dsc/CryptoServicePcd.hash_only.dsc.inc    |  8 ++
>  .../Dsc/CryptoServicePcd.min_dxe_smm.dsc.inc  | 37 +++++++++
>  .../Dsc/CryptoServicePcd.min_pei.dsc.inc      | 20 +++++
>  .../Dsc/OvmfCryptoComponentsDxe.dsc.inc       | 23 ++++++
>  .../Dsc/OvmfCryptoComponentsPei.dsc.inc       | 19 +++++
>  .../Dsc/OvmfCryptoComponentsSmm.dsc.inc       | 18 +++++
>  OvmfPkg/Include/Dsc/OvmfCryptoDefines.dsc.inc |  5 ++
>  OvmfPkg/Include/Dsc/OvmfCryptoLibs.dsc.inc    | 57 ++++++++++++++
>  CryptoPkg/CryptoPkg.dsc                       | 78 +------------------
>  OvmfPkg/AmdSev/AmdSevX64.dsc                  | 12 ++-
>  OvmfPkg/IntelTdx/IntelTdxX64.dsc              | 15 ++--
>  OvmfPkg/Microvm/MicrovmX64.dsc                | 24 +++---
>  OvmfPkg/OvmfPkgIa32.dsc                       | 22 +++---
>  OvmfPkg/OvmfPkgIa32X64.dsc                    | 22 +++---
>  OvmfPkg/OvmfPkgX64.dsc                        | 22 +++---
>  OvmfPkg/AmdSev/AmdSevX64.fdf                  |  6 ++
>  OvmfPkg/IntelTdx/IntelTdxX64.fdf              |  5 ++
>  OvmfPkg/Microvm/MicrovmX64.fdf                |  7 ++
>  OvmfPkg/OvmfPkgIa32.fdf                       |  6 ++
>  OvmfPkg/OvmfPkgIa32X64.fdf                    |  6 ++
>  OvmfPkg/OvmfPkgX64.fdf                        |  6 ++
>  OvmfPkg/Include/Fdf/OvmfCryptoDxeSmm.fdf.inc  | 12 +++
>  OvmfPkg/Include/Fdf/OvmfCryptoPei.fdf.inc     |  9 +++
>  24 files changed, 331 insertions(+), 137 deletions(-)
>  create mode 100644 CryptoPkg/Include/Dsc/CryptoServicePcd.all.dsc.inc
>  create mode 100644 CryptoPkg/Include/Dsc/CryptoServicePcd.hash_only.dsc.inc
>  create mode 100644 CryptoPkg/Include/Dsc/CryptoServicePcd.min_dxe_smm.dsc.inc
>  create mode 100644 CryptoPkg/Include/Dsc/CryptoServicePcd.min_pei.dsc.inc
>  create mode 100644 OvmfPkg/Include/Dsc/OvmfCryptoComponentsDxe.dsc.inc
>  create mode 100644 OvmfPkg/Include/Dsc/OvmfCryptoComponentsPei.dsc.inc
>  create mode 100644 OvmfPkg/Include/Dsc/OvmfCryptoComponentsSmm.dsc.inc
>  create mode 100644 OvmfPkg/Include/Dsc/OvmfCryptoDefines.dsc.inc
>  create mode 100644 OvmfPkg/Include/Dsc/OvmfCryptoLibs.dsc.inc
>  create mode 100644 OvmfPkg/Include/Fdf/OvmfCryptoDxeSmm.fdf.inc
>  create mode 100644 OvmfPkg/Include/Fdf/OvmfCryptoPei.fdf.inc
>
> --
> 2.39.1
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99909): https://edk2.groups.io/g/devel/message/99909
Mute This Topic: https://groups.io/mt/96850388/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

On Thu, Feb 09, 2023 at 05:46:15PM +0100, Ard Biesheuvel wrote:
> On Thu, 9 Feb 2023 at 11:27, Gerd Hoffmann <kraxel@redhat.com> wrote:
> >
> > Known problem: the NOOPT builds fail due to PEI becoming too big.
> >
> > What is the reason for doing these NOOPT builds?
> 
> They are very useful for doing single step debugging with GDB. On ARM,
> I use the NOOPT builds fairly regularly.

Can LTO be enabled for the NOOPT build?  Or depends that on
optimizations being turned on?

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99967): https://edk2.groups.io/g/devel/message/99967
Mute This Topic: https://groups.io/mt/96850388/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

On Fri, 10 Feb 2023 at 09:42, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> On Thu, Feb 09, 2023 at 05:46:15PM +0100, Ard Biesheuvel wrote:
> > On Thu, 9 Feb 2023 at 11:27, Gerd Hoffmann <kraxel@redhat.com> wrote:
> > >
> > > Known problem: the NOOPT builds fail due to PEI becoming too big.
> > >
> > > What is the reason for doing these NOOPT builds?
> >
> > They are very useful for doing single step debugging with GDB. On ARM,
> > I use the NOOPT builds fairly regularly.
>
> Can LTO be enabled for the NOOPT build?  Or depends that on
> optimizations being turned on?
>

With the hunk below applied:


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#100016): https://edk2.groups.io/g/devel/message/100016
Mute This Topic: https://groups.io/mt/96850388/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

On Fri, 10 Feb 2023 at 14:42, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> On Fri, 10 Feb 2023 at 09:42, Gerd Hoffmann <kraxel@redhat.com> wrote:
> >
> > On Thu, Feb 09, 2023 at 05:46:15PM +0100, Ard Biesheuvel wrote:
> > > On Thu, 9 Feb 2023 at 11:27, Gerd Hoffmann <kraxel@redhat.com> wrote:
> > > >
> > > > Known problem: the NOOPT builds fail due to PEI becoming too big.
> > > >
> > > > What is the reason for doing these NOOPT builds?
> > >
> > > They are very useful for doing single step debugging with GDB. On ARM,
> > > I use the NOOPT builds fairly regularly.
> >
> > Can LTO be enabled for the NOOPT build?  Or depends that on
> > optimizations being turned on?
> >
>

With the hunk below applied:

FV Space Information
SECFV [63%Full] 212992 (0x34000) total, 135824 (0x21290) used, 77168
(0x12d70) free
PEIFV [59%Full] 917504 (0xe0000) total, 544744 (0x84fe8) used, 372760
(0x5b018) free
DXEFV [53%Full] 13631488 (0xd00000) total, 7300712 (0x6f6668) used,
6330776 (0x609998) free
FVMAIN_COMPACT [40%Full] 3440640 (0x348000) total, 1383832 (0x151d98)
used, 2056808 (0x1f6268) free


Without:

FV Space Information
SECFV [49%Full] 212992 (0x34000) total, 105936 (0x19dd0) used, 107056
(0x1a230) free
PEIFV [62%Full] 917504 (0xe0000) total, 575656 (0x8c8a8) used, 341848
(0x53758) free
DXEFV [56%Full] 13631488 (0xd00000) total, 7652840 (0x74c5e8) used,
5978648 (0x5b3a18) free
FVMAIN_COMPACT [40%Full] 3440640 (0x348000) total, 1376272 (0x150010)
used, 2064368 (0x1f7ff0) free


(without any -D options turned on)


diff --git a/BaseTools/Conf/tools_def.template
b/BaseTools/Conf/tools_def.template
index f77e936c0453..48319fc2e9b4 100755
--- a/BaseTools/Conf/tools_def.template
+++ b/BaseTools/Conf/tools_def.template
@@ -2342,8 +2342,8 @@ RELEASE_GCC5_IA32_DLINK_FLAGS    =
DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto -Os -Wl,
 RELEASE_GCC5_X64_CC_FLAGS        = DEF(GCC5_X64_CC_FLAGS) -flto
-DUSING_LTO -Wno-unused-but-set-variable -Wno-unused-const-variable
 RELEASE_GCC5_X64_DLINK_FLAGS     = DEF(GCC5_X64_DLINK_FLAGS) -flto -Os

-  NOOPT_GCC5_X64_CC_FLAGS        = DEF(GCC5_X64_CC_FLAGS) -O0
-  NOOPT_GCC5_X64_DLINK_FLAGS     = DEF(GCC5_X64_DLINK_FLAGS) -O0
+  NOOPT_GCC5_X64_CC_FLAGS        = DEF(GCC5_X64_CC_FLAGS) -O0 -flto -DUSING_LTO
+  NOOPT_GCC5_X64_DLINK_FLAGS     = DEF(GCC5_X64_DLINK_FLAGS) -O0 -flto

 ##################
 # GCC5 ARM definitions


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#100017): https://edk2.groups.io/g/devel/message/100017
Mute This Topic: https://groups.io/mt/96850388/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

On Fri, Feb 10, 2023 at 02:46:34PM +0100, Ard Biesheuvel wrote:
> On Fri, 10 Feb 2023 at 14:42, Ard Biesheuvel <ardb@kernel.org> wrote:
> >
> > > Can LTO be enabled for the NOOPT build?  Or depends that on
> > > optimizations being turned on?

Turns out: kind of.  The crypto driver effectively does

	if (fixed.pcd.bit)
		call libcrypt / libopenssl
	else
		throw error

With optimizations turned off altogether gcc will not notice it can
evaluate the PCD config bits at compile time, which in turn leads to
everything being compiled in no matter whenever the features are
enabled or not ...

take care,
  Gerd

From e0a080ead544813445f731eef137747ff805a5cd Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 13 Feb 2023 10:21:50 +0100
Subject: [PATCH 1/1] CryptoPkg/Driver: enable moderate optimizations for NOOPT
 builds

With optimizations turned off altogether gcc will not evaluate the
(constant) configuration PCDs at compile time (see CALL_BASECRYPTLIB
macro).  Which renders LTO ineffective and leads to huge amounts of
dead code being included in the crypto driver builds.

Turn on optimizations for GCC, lowest level (-O1), to fix this.

FIXME: visual studio needs that too.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 CryptoPkg/Driver/CryptoDxe.inf | 3 +++
 CryptoPkg/Driver/CryptoPei.inf | 3 +++
 CryptoPkg/Driver/CryptoSmm.inf | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/CryptoPkg/Driver/CryptoDxe.inf b/CryptoPkg/Driver/CryptoDxe.inf
index 0d08f3a190c8..44921c1fdaa8 100644
--- a/CryptoPkg/Driver/CryptoDxe.inf
+++ b/CryptoPkg/Driver/CryptoDxe.inf
@@ -47,3 +47,6 @@ [Pcd]
 
 [Depex]
   TRUE
+
+[BuildOptions]
+  GCC:NOOPT_*_*_CC_FLAGS = -O1
diff --git a/CryptoPkg/Driver/CryptoPei.inf b/CryptoPkg/Driver/CryptoPei.inf
index dfa1ab58b16f..45704f5f9e42 100644
--- a/CryptoPkg/Driver/CryptoPei.inf
+++ b/CryptoPkg/Driver/CryptoPei.inf
@@ -49,3 +49,6 @@ [Pcd]
 
 [Depex]
   TRUE
+
+[BuildOptions]
+  GCC:NOOPT_*_*_CC_FLAGS = -O1
diff --git a/CryptoPkg/Driver/CryptoSmm.inf b/CryptoPkg/Driver/CryptoSmm.inf
index 9fe8718823d2..906cf06006f4 100644
--- a/CryptoPkg/Driver/CryptoSmm.inf
+++ b/CryptoPkg/Driver/CryptoSmm.inf
@@ -47,3 +47,6 @@ [Pcd]
 
 [Depex]
   TRUE
+
+[BuildOptions]
+  GCC:NOOPT_*_*_CC_FLAGS = -O1
-- 
2.39.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#100079): https://edk2.groups.io/g/devel/message/100079
Mute This Topic: https://groups.io/mt/96850388/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

On Mon, 13 Feb 2023 at 12:39, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> On Fri, Feb 10, 2023 at 02:46:34PM +0100, Ard Biesheuvel wrote:
> > On Fri, 10 Feb 2023 at 14:42, Ard Biesheuvel <ardb@kernel.org> wrote:
> > >
> > > > Can LTO be enabled for the NOOPT build?  Or depends that on
> > > > optimizations being turned on?
>
> Turns out: kind of.  The crypto driver effectively does
>
>         if (fixed.pcd.bit)
>                 call libcrypt / libopenssl
>         else
>                 throw error
>
> With optimizations turned off altogether gcc will not notice it can
> evaluate the PCD config bits at compile time, which in turn leads to
> everything being compiled in no matter whenever the features are
> enabled or not ...
>
> take care,
>   Gerd
>
> From e0a080ead544813445f731eef137747ff805a5cd Mon Sep 17 00:00:00 2001
> From: Gerd Hoffmann <kraxel@redhat.com>
> Date: Mon, 13 Feb 2023 10:21:50 +0100
> Subject: [PATCH 1/1] CryptoPkg/Driver: enable moderate optimizations for NOOPT
>  builds
>
> With optimizations turned off altogether gcc will not evaluate the
> (constant) configuration PCDs at compile time (see CALL_BASECRYPTLIB
> macro).  Which renders LTO ineffective and leads to huge amounts of
> dead code being included in the crypto driver builds.
>
> Turn on optimizations for GCC, lowest level (-O1), to fix this.
>
> FIXME: visual studio needs that too.
>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  CryptoPkg/Driver/CryptoDxe.inf | 3 +++
>  CryptoPkg/Driver/CryptoPei.inf | 3 +++
>  CryptoPkg/Driver/CryptoSmm.inf | 3 +++
>  3 files changed, 9 insertions(+)
>
> diff --git a/CryptoPkg/Driver/CryptoDxe.inf b/CryptoPkg/Driver/CryptoDxe.inf
> index 0d08f3a190c8..44921c1fdaa8 100644
> --- a/CryptoPkg/Driver/CryptoDxe.inf
> +++ b/CryptoPkg/Driver/CryptoDxe.inf
> @@ -47,3 +47,6 @@ [Pcd]
>
>  [Depex]
>    TRUE
> +
> +[BuildOptions]
> +  GCC:NOOPT_*_*_CC_FLAGS = -O1

Could we use -Og instead?

> diff --git a/CryptoPkg/Driver/CryptoPei.inf b/CryptoPkg/Driver/CryptoPei.inf
> index dfa1ab58b16f..45704f5f9e42 100644
> --- a/CryptoPkg/Driver/CryptoPei.inf
> +++ b/CryptoPkg/Driver/CryptoPei.inf
> @@ -49,3 +49,6 @@ [Pcd]
>
>  [Depex]
>    TRUE
> +
> +[BuildOptions]
> +  GCC:NOOPT_*_*_CC_FLAGS = -O1
> diff --git a/CryptoPkg/Driver/CryptoSmm.inf b/CryptoPkg/Driver/CryptoSmm.inf
> index 9fe8718823d2..906cf06006f4 100644
> --- a/CryptoPkg/Driver/CryptoSmm.inf
> +++ b/CryptoPkg/Driver/CryptoSmm.inf
> @@ -47,3 +47,6 @@ [Pcd]
>
>  [Depex]
>    TRUE
> +
> +[BuildOptions]
> +  GCC:NOOPT_*_*_CC_FLAGS = -O1
> --
> 2.39.1
>
>
>
> 
>
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#100080): https://edk2.groups.io/g/devel/message/100080
Mute This Topic: https://groups.io/mt/96850388/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-