Further optimization for space (-Os -> -Oz): musl-cross-make-> bump to gcc 15.1.0 & related changes #1991

tlaurion · 2025-07-30T17:24:38Z

MERGE Add CBFS/IFD validation + CBFS free space for coreboot builds #2041 first!
test oem factory reset + tpm duk + kexec on nv4x_adl
build is reproducible

bumps musl-cross-make to latest commit, bump gcc 9.4.0 -> 15.1.0; rename/bump kexec-tools to latest version (2.0.32) + gcc 15.1.0, switch/patch modules to switch from -Os to -Oz

Stats diff since #2041 got merged for x220-hotp-maximized

Master

As can be seen on CircleCI x220-hotp-maximized build :

Jan 06 22:44:08 "/root/heads/build/x86/coreboot-25.09/EOL_t420-hotp-maximized/cbfstool" "/root/heads/build/x86/coreboot-25.09/EOL_t420-hotp-maximized/coreboot.rom" print
Jan 06 22:44:08 FMAP REGION: COREBOOT
Jan 06 22:44:08 Name                           Offset     Type           Size   Comp
Jan 06 22:44:08 cbfs_master_header             0x0        cbfs header        32 none
Jan 06 22:44:08 cpu_microcode_blob.bin         0x80       microcode       26624 none
Jan 06 22:44:08 fallback/romstage              0x68c0     stage          101016 none
Jan 06 22:44:08 fallback/ramstage              0x1f3c0    stage          151125 LZMA (323316 decompressed)
Jan 06 22:44:08 config                         0x44280    raw              3526 LZMA (11252 decompressed)
Jan 06 22:44:08 revision                       0x45080    raw               766 none
Jan 06 22:44:08 build_info                     0x453c0    raw               101 none
Jan 06 22:44:08 bootsplash.jpg                 0x45480    bootsplash      43282 none
Jan 06 22:44:08 fallback/dsdt.aml              0x4fdc0    raw             14520 none
Jan 06 22:44:08 vbt.bin                        0x536c0    raw              1368 LZMA (3985 decompressed)
Jan 06 22:44:08 cmos.default                   0x53c80    cmos_default      256 none
Jan 06 22:44:08 cmos_layout.bin                0x53dc0    cmos_layout      2120 none
Jan 06 22:44:08 fallback/postcar               0x54640    stage           31180 none
Jan 06 22:44:08 fallback/payload               0x5c080    simple elf    7714640 none
Jan 06 22:44:08 (empty)                        0x7b7800   null            71076 none
Jan 06 22:44:08 bootblock                      0x7c8dc0   bootblock       28672 none
Jan 06 22:44:08 
Jan 06 22:44:08 Validating final CBFS/IFD configuration...
Jan 06 22:44:08 ===================================================================
Jan 06 22:44:08 IFD vs CBFS Size Validation
Jan 06 22:44:08 ===================================================================
Jan 06 22:44:08 IFD BIOS Region: 0x00018000 - 0x007fffff
Jan 06 22:44:08 IFD BIOS Size:   0x7E8000 (8096 KiB)
Jan 06 22:44:08 CONFIG_CBFS_SIZE: 0x7E7FFF (8095 KiB)
Jan 06 22:44:08 
Jan 06 22:44:08 ✓ CONFIG_CBFS_SIZE fits within IFD BIOS region
Jan 06 22:44:08    Unused IFD capacity: 1 bytes (< 1 KiB)
Jan 06 22:44:08 
Jan 06 22:44:08 CBFS Free Space: 71076 bytes (69 KiB)
Jan 06 22:44:08 
Jan 06 22:44:08 ===================================================================
Jan 06 22:44:08 ✓ Validation complete
Jan 06 22:44:08 ===================================================================

This PR

"/home/user/heads/build/x86/coreboot-25.09/EOL_x220-hotp-maximized/cbfstool" "/home/user/heads/build/x86/coreboot-25.09/EOL_x220-hotp-maximized/coreboot.rom" print
FMAP REGION: COREBOOT
Name                           Offset     Type           Size   Comp
cbfs_master_header             0x0        cbfs header        32 none
cpu_microcode_blob.bin         0x80       microcode       26624 none
fallback/romstage              0x68c0     stage           99128 none
fallback/ramstage              0x1ec80    stage          148459 LZMA (316668 decompressed)
config                         0x430c0    raw              3558 LZMA (11286 decompressed)
revision                       0x43f00    raw               772 none
build_info                     0x44240    raw               101 none
bootsplash.jpg                 0x44300    bootsplash      43282 none
fallback/dsdt.aml              0x4ec40    raw             14520 none
vbt.bin                        0x52540    raw              1400 LZMA (3985 decompressed)
cmos_layout.bin                0x52b00    cmos_layout      1976 none
fallback/postcar               0x53300    stage           30564 none
fallback/payload               0x5aac0    simple elf    7573984 none
(empty)                        0x793d00   null           217252 none
bootblock                      0x7c8dc0   bootblock       28672 none

Validating final CBFS/IFD configuration...
===================================================================
IFD vs CBFS Size Validation
===================================================================
IFD BIOS Region: 0x00018000 - 0x007fffff
IFD BIOS Size:   0x7E8000 (8096 KiB)
CONFIG_CBFS_SIZE: 0x7E7FFF (8095 KiB)

✓ CONFIG_CBFS_SIZE fits within IFD BIOS region
   Unused IFD capacity: 1 bytes (< 1 KiB)

CBFS Free Space: 217252 bytes (212 KiB)

===================================================================
✓ Validation complete
===================================================================

Gain of 212 - 69 = 143 KiB free for most constrained board

Continues #590

tlaurion · 2026-01-05T02:05:00Z

This PR will be needed soon, since xx20 (t420/x220) are near space exhaustion (less than 100kb free left) as can be seen at #2041 (comment) : the t420-hotp-maximized rom has 67kb free left in CBFS region.

tlaurion · 2026-01-05T16:46:16Z

https://app.circleci.com/pipelines/github/tlaurion/heads/3449/workflows/6b0bd1cc-8d3f-43f4-b176-1c4f6435a36b/jobs/76833/parallel-runs/0/steps/0-102?invite=true#step-102-2244532_182

2d073289ba2bb5ba6be6650c055928faf8020931f61eeb35c1b3bfe3625f55b8 /root/heads/build/x86/EOL_x220-hotp-maximized/heads-EOL_x220-hotp-maximized-v0.2.0-2902-g6b403e0.rom

Local build:

2d073289ba2bb5ba6be6650c055928faf8020931f61eeb35c1b3bfe3625f55b8 /home/user/heads/build/x86/EOL_x220-hotp-maximized/heads-EOL_x220-hotp-maximized-v0.2.0-2902-g6b403e0.rom

Builds are reproducible if built clean (./docker_repro.sh make BOARD=xyz real.clean && make BOARD=xyz )

Copilot

Pull request overview

This PR upgrades the Heads build toolchain from GCC 9.4.0 to GCC 15.1.0 and systematically switches compiler optimization flags from -Os (optimize for size) to -Oz (optimize aggressively for size) across 30+ modules. The changes deliver a 1.44% space reduction (115 KB) in the final firmware payload through improved compiler optimization and enhanced binary stripping.

Key changes include:

GCC toolchain upgrade via musl-cross-make bump to latest commit with GCC 15.1.0
C23 compatibility patches for multiple modules (tpmtotp, powerpc-utils, bash, e2fsprogs, gpg2, cairo, linux kernel)
Systematic -Os to -Oz optimization flag conversion across all modules
New CBFS/IFD validation script with automatic size fixing capability
Module version bumps: kexec-tools (2.0.26→2.0.31), dropbear (2016.74→2025.88)
Enhanced Makefile with GPG injection caching and improved stripping flags
Disabled features in OpenSSL and LVM2 for additional space savings

Reviewed changes

Copilot reviewed 59 out of 60 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
modules/musl-cross-make	Bumps commit hash and GCC version from 9.4.0 to 15.1.0 with upgrade notes
patches/musl-cross-make-3635262e4524c991552789af6f36211a335a77b3/0001-use-gcc-15_1_0.patch	Updates musl-cross-make Makefile to use GCC 15.1.0
patches/tpmtotp-4d63d21c8b7db2e92ddb393057f168aead147f47/*.patch	Three patches fixing GCC 15.1.0 compatibility issues (function signatures, printf formats, AES macro)
patches/powerpc-utils-1.3.5/0001-fix-rtas-function-pointer-signatures-gcc15.patch	Fixes function pointer declarations for C23 compatibility
patches/kexec-tools-2.0.31/*.patch	Six patches for kexec-tools 2.0.31: disables unused modules, improves framebuffer support, adds EBDA workaround, fixes purgatory build, uses build compiler for utils, adds x86-64 baseline flags
patches/lvm2-2.03.23.patch	Adds libgen.h include for basename() function required by GCC 15.1.0
patches/linux-6.6.16-openpower/0008-powerpc-boot-Fix-C23-bool-compatibility-for-GCC-15.patch	Adds -std=gnu11 to PowerPC boot Makefile for C23 bool keyword conflicts
patches/dropbear-2025.88/0001-disable-fatal-user-group-change-errors-for-heads-environment.patch	Updates patch paths for dropbear 2025.88 source tree restructuring
patches/coreboot-talos_2/0003-ugly_skiboot-patch_fix_for_newer_gcc_from_musl_125.patch	Adds additional GCC 15.1.0 warning suppressions for skiboot (-Wno-error=unterminated-string-initialization, -Wno-error=misleading-indentation)
patches/bash-5.1.16.patch	Adds unistd.h include to lib/termcap/tparam.c for write() declaration
modules/kexec	Deleted - replaced by modules/kexec-tools
modules/kexec-tools	New module file for kexec-tools 2.0.31 with -Oz optimization
modules/dropbear	Updates to version 2025.88 with additional configure options for space savings
modules/openssl	Switches to -Oz and disables additional protocols/algorithms (dtls, ec2m, engine, gost, md2, srp, ssl3, tls1, tls1_1)
modules/lvm2	Switches to -Oz and disables advanced features (thin, cache, VDO, writecache, integrity, snapshots, mirrors)
modules/linux	Adds -std=gnu11 flag and PowerPC-specific GCC 15.1.0 compatibility flags
modules/bash	Changes to -Oz with -std=gnu11 for C23 compatibility
modules/cairo	Changes to -Oz with -std=gnu11, -Wno-inline, -Wno-incompatible-pointer-types
modules/coreboot	Adds validation script calls and extensive GCC 15.1.0 compatibility documentation
modules/e2fsprogs	Changes to -Oz with -std=gnu11 for C23 bool keyword conflicts
modules/gpg2	Changes to -Oz with -std=gnu11 and adds -DDISABLE_PHOTO_VIEWER
modules/libgcrypt	Changes to -Oz and disables jent-support
modules/zstd, modules/util-linux, modules/tpmtotp, modules/qrencode, modules/powerpc-utils, modules/pixman, modules/pinentry, modules/newt, modules/ncurses, modules/mbedtls, modules/libusb-compat, modules/libusb, modules/libpng, modules/libnitrokey, modules/libksba, modules/libhidapi-libusb, modules/libgpg-error, modules/libassuan, modules/kbd, modules/ioport, modules/io386, modules/gpg, modules/flashtools, modules/flashrom, modules/flashprog, modules/fbwhiptail, modules/exfatprogs, modules/cryptsetup2, modules/cryptsetup	All changed from -Os to -Oz optimization
bin/validate_cbfs_ifd_fit.sh	New validation script that checks CONFIG_CBFS_SIZE against IFD BIOS region with auto-fix capability
Makefile	Adds validation targets, enhances strip flags (--strip-all), implements GPG injection caching, adds verbose build hints, fixes kexec module reference, adds coreboot cbmem GCC 15.1.0 compatibility flag

Comments suppressed due to low confidence (2)

patches/dropbear-2025.88/0001-disable-fatal-user-group-change-errors-for-heads-environment.patch:1

The patch header line references the old path "dropbear-2016.74" but this module is being updated to "dropbear-2025.88". The patch should use paths that match the new version to avoid confusion during patch application.
patches/dropbear-2025.88/0001-disable-fatal-user-group-change-errors-for-heads-environment.patch:12
Commenting out the dropbear_exit calls when setgid/initgroups or setuid fail means the server will continue executing the user session even if it could not drop privileges to ses.authstate.pw_uid/pw_gid, so a user who authenticated as an unprivileged account could end up with a shell running under the original (likely root) UID/GID. This silently bypasses the operating system’s privilege separation mechanisms and can turn any failure in the privilege-dropping path (for example due to security policy or environment issues) into a remote privilege escalation to the Dropbear daemon’s UID. The fix is to keep these failures fatal (e.g., by retaining dropbear_exit or otherwise aborting the session) so that no user commands are executed when user/group changes fail.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

modules/musl-cross-make

modules/coreboot

patches/kexec-tools-2.0.31/0006-use-x86-64-baseline-level-for-purgatory.patch

modules/powerpc-utils

modules/kexec-tools

modules/dropbear

modules/powerpc-utils

modules/e2fsprogs

modules/linux

Makefile

Upgrade from 5.1.16 (Jan 2022) to 5.3 (Jul 2025). The newer version doesn't require patches - it already includes proper C header handling and the -std=gnu11 workaround is no longer needed thanks to upstream fixes. Ref: GCC 15.1.0 upgrade (PR linuxboot#1991)

…for 6.1.8 only Remove duplication of EXTRA_FLAGS definition across kernel versions. Define base flags once (-fdebug-prefix-map, -gno-record-gcc-switches), then conditionally add -std=gnu11 only for kernel 6.1.8 which requires GCC 15.1 C23 compatibility workaround. Other kernel versions (4.14.62, 4.19.139, 5.4.69, 5.10.214, 6.6.16-openpower) compile without workaround flags. Ref: GCC 15.1.0 upgrade (PR linuxboot#1991) Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Upgrade from 2.03.23 (Nov 2023) to 2.03.25 (Jul 2024). The newer version removes the libgen.h issue that required a GCC 15.1.0 workaround patch. However, GCC 15.1.0's C23 mode enforces const qualifiers on stdin/stdout/stderr, which breaks lvm2's reopen_standard_stream() calls. Port the working patch from lvm2-2.03.23 in osresearch/heads master branch (commit 63290d6) to 2.03.25. The patch wraps problematic memory allocation and log10() calls in #if 0 blocks to disable them at compile-time, maintaining compatibility with musl-libc and C23 standard enforcement. Changes: - Bump lvm2 from 2.03.23 to 2.03.25 - Update hash to 4bea6fd2e5af9cdb3e27b48b4efa8d89210d9bfa13df900e092e404720a59b1d - Replace -Os with -Oz for space optimization - Port lvm2-2.03.23.patch to lvm2-2.03.25.patch for C23 compatibility - Remove obsolete lvm2-gcc-15.1-libgen.patch Tested: EOL_x220-hotp-maximized board builds successfully with 182 KiB free CBFS Ref: GCC 15.1.0 upgrade (PR linuxboot#1991) Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Upgrade from 5.1.16 (Jan 2022) to 5.3 (Jul 2025). The newer version doesn't require patches - it already includes proper C header handling and the -std=gnu11 workaround is no longer needed thanks to upstream fixes. Ref: GCC 15.1.0 upgrade (PR linuxboot#1991) Signed-off-by: Thierry Laurion <insurgo@riseup.net>