Further optimization for space (-Os -> -Oz): musl-cross-make-> bump to gcc 15.1.0 & related changes #1991
69ab1d1 to c19ab15
This PR will be needed soon, since xx20 (t420/x220) are near space exhaustion (less than 100kb free left) as can be seen at #2041 (comment): the t420-hotp-maximized rom has 67kb free left in CBFS region.
Local build:
Builds are reproducible if built clean (
Pull request overview
This PR upgrades the Heads build toolchain from GCC 9.4.0 to GCC 15.1.0 and systematically switches compiler optimization flags from -Os (optimize for size) to -Oz (optimize aggressively for size) across 30+ modules. The changes deliver a 1.44% space reduction (115 KB) in the final firmware payload through improved compiler optimization and enhanced binary stripping.
Key changes include:
- GCC toolchain upgrade via musl-cross-make bump to latest commit with GCC 15.1.0
- C23 compatibility patches for multiple modules (tpmtotp, powerpc-utils, bash, e2fsprogs, gpg2, cairo, linux kernel)
- Systematic -Os to -Oz optimization flag conversion across all modules
- New CBFS/IFD validation script with automatic size fixing capability
- Module version bumps: kexec-tools (2.0.26→2.0.31), dropbear (2016.74→2025.88)
- Enhanced Makefile with GPG injection caching and improved stripping flags
- Disabled features in OpenSSL and LVM2 for additional space savings
Reviewed changes
Copilot reviewed 59 out of 60 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| modules/musl-cross-make | Bumps commit hash and GCC version from 9.4.0 to 15.1.0 with upgrade notes |
| patches/musl-cross-make-3635262e4524c991552789af6f36211a335a77b3/0001-use-gcc-15_1_0.patch | Updates musl-cross-make Makefile to use GCC 15.1.0 |
| patches/tpmtotp-4d63d21c8b7db2e92ddb393057f168aead147f47/*.patch | Three patches fixing GCC 15.1.0 compatibility issues (function signatures, printf formats, AES macro) |
| patches/powerpc-utils-1.3.5/0001-fix-rtas-function-pointer-signatures-gcc15.patch | Fixes function pointer declarations for C23 compatibility |
| patches/kexec-tools-2.0.31/*.patch | Six patches for kexec-tools 2.0.31: disables unused modules, improves framebuffer support, adds EBDA workaround, fixes purgatory build, uses build compiler for utils, adds x86-64 baseline flags |
| patches/lvm2-2.03.23.patch | Adds libgen.h include for basename() function required by GCC 15.1.0 |
| patches/linux-6.6.16-openpower/0008-powerpc-boot-Fix-C23-bool-compatibility-for-GCC-15.patch | Adds -std=gnu11 to PowerPC boot Makefile for C23 bool keyword conflicts |
| patches/dropbear-2025.88/0001-disable-fatal-user-group-change-errors-for-heads-environment.patch | Updates patch paths for dropbear 2025.88 source tree restructuring |
| patches/coreboot-talos_2/0003-ugly_skiboot-patch_fix_for_newer_gcc_from_musl_125.patch | Adds additional GCC 15.1.0 warning suppressions for skiboot (-Wno-error=unterminated-string-initialization, -Wno-error=misleading-indentation) |
| patches/bash-5.1.16.patch | Adds unistd.h include to lib/termcap/tparam.c for write() declaration |
| modules/kexec | Deleted - replaced by modules/kexec-tools |
| modules/kexec-tools | New module file for kexec-tools 2.0.31 with -Oz optimization |
| modules/dropbear | Updates to version 2025.88 with additional configure options for space savings |
| modules/openssl | Switches to -Oz and disables additional protocols/algorithms (dtls, ec2m, engine, gost, md2, srp, ssl3, tls1, tls1_1) |
| modules/lvm2 | Switches to -Oz and disables advanced features (thin, cache, VDO, writecache, integrity, snapshots, mirrors) |
| modules/linux | Adds -std=gnu11 flag and PowerPC-specific GCC 15.1.0 compatibility flags |
| modules/bash | Changes to -Oz with -std=gnu11 for C23 compatibility |
| modules/cairo | Changes to -Oz with -std=gnu11, -Wno-inline, -Wno-incompatible-pointer-types |
| modules/coreboot | Adds validation script calls and extensive GCC 15.1.0 compatibility documentation |
| modules/e2fsprogs | Changes to -Oz with -std=gnu11 for C23 bool keyword conflicts |
| modules/gpg2 | Changes to -Oz with -std=gnu11 and adds -DDISABLE_PHOTO_VIEWER |
| modules/libgcrypt | Changes to -Oz and disables jent-support |
| modules/zstd, modules/util-linux, modules/tpmtotp, modules/qrencode, modules/powerpc-utils, modules/pixman, modules/pinentry, modules/newt, modules/ncurses, modules/mbedtls, modules/libusb-compat, modules/libusb, modules/libpng, modules/libnitrokey, modules/libksba, modules/libhidapi-libusb, modules/libgpg-error, modules/libassuan, modules/kbd, modules/ioport, modules/io386, modules/gpg, modules/flashtools, modules/flashrom, modules/flashprog, modules/fbwhiptail, modules/exfatprogs, modules/cryptsetup2, modules/cryptsetup | All changed from -Os to -Oz optimization |
| bin/validate_cbfs_ifd_fit.sh | New validation script that checks CONFIG_CBFS_SIZE against IFD BIOS region with auto-fix capability |
| Makefile | Adds validation targets, enhances strip flags (--strip-all), implements GPG injection caching, adds verbose build hints, fixes kexec module reference, adds coreboot cbmem GCC 15.1.0 compatibility flag |
Comments suppressed due to low confidence (2)
patches/dropbear-2025.88/0001-disable-fatal-user-group-change-errors-for-heads-environment.patch:1
- The patch header line references the old path "dropbear-2016.74" but this module is being updated to "dropbear-2025.88". The patch should use paths that match the new version to avoid confusion during patch application.
patches/dropbear-2025.88/0001-disable-fatal-user-group-change-errors-for-heads-environment.patch:12
- Commenting out the dropbear_exit calls when setgid/initgroups or setuid fail means the server will continue executing the user session even if it could not drop privileges to ses.authstate.pw_uid/pw_gid, so a user who authenticated as an unprivileged account could end up with a shell running under the original (likely root) UID/GID. This silently bypasses the operating system’s privilege separation mechanisms and can turn any failure in the privilege-dropping path (for example due to security policy or environment issues) into a remote privilege escalation to the Dropbear daemon’s UID. The fix is to keep these failures fatal (e.g., by retaining dropbear_exit or otherwise aborting the session) so that no user commands are executed when user/group changes fail.
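The fail-closed behaviour the comment above asks for, next to the fail-open behaviour it warns about, as an added example that is not Dropbear's or Heads' code. The priv_ops struct, the stub functions, the simulated sim_uid/sim_gid and the "alice" account with uid/gid 1000 are hypothetical stand-ins for setgid/initgroups/setuid so the failure path can run without root.

```c
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical seam (not Dropbear's API) so the failure path runs without
 * root; in a daemon these map to setgid(2), initgroups(3), setuid(2). */
struct priv_ops {
    int (*set_gid)(gid_t);
    int (*init_groups)(const char *, gid_t);
    int (*set_uid)(uid_t);
};

#define REFUSED (-1L)
static uid_t sim_uid;   /* simulated process identity, constructed for the demo */
static gid_t sim_gid;
static int ok_setgid(gid_t g) { sim_gid = g; return 0; }
static int ok_initgroups(const char *u, gid_t g) { (void)u; (void)g; return 0; }
static int ok_setuid(uid_t u) { sim_uid = u; return 0; }
static int fail_setgid(gid_t g) { (void)g; return -1; }
static int fail_setuid(uid_t u) { (void)u; return -1; }

/* Fail-open: every return value is ignored, so the session starts under
 * whatever identity is left. Returns the UID the command would run as. */
static long session_fail_open(const struct priv_ops *ops, const char *user,
                              uid_t uid, gid_t gid)
{
    sim_uid = 0; sim_gid = 0;              /* daemon starts as root */
    (void)ops->set_gid(gid);
    (void)ops->init_groups(user, gid);
    (void)ops->set_uid(uid);
    return (long)sim_uid;
}

/* Fail-closed: groups first, UID last (after setuid the process can no
 * longer change its groups); any failure refuses the session. */
static long session_fail_closed(const struct priv_ops *ops, const char *user,
                                uid_t uid, gid_t gid)
{
    sim_uid = 0; sim_gid = 0;              /* daemon starts as root */
    if (ops->set_gid(gid) != 0) return REFUSED;
    if (ops->init_groups(user, gid) != 0) return REFUSED;
    if (ops->set_uid(uid) != 0) return REFUSED;
    if (sim_uid != uid || sim_gid != gid) return REFUSED;  /* verify the change */
    return (long)sim_uid;
}

static const struct priv_ops OPS_OK = { ok_setgid, ok_initgroups, ok_setuid };
static const struct priv_ops OPS_UID_FAILS = { ok_setgid, ok_initgroups, fail_setuid };
static const struct priv_ops OPS_GID_FAILS = { fail_setgid, ok_initgroups, ok_setuid };

int main(void)
{
    const char *u = "alice";               /* constructed account, uid/gid 1000 */
    printf("fail-open,   setuid fails: uid %ld\n", session_fail_open(&OPS_UID_FAILS, u, 1000, 1000));
    printf("fail-closed, setuid fails: %ld\n", session_fail_closed(&OPS_UID_FAILS, u, 1000, 1000));
    printf("fail-open,   setgid fails: uid %ld", session_fail_open(&OPS_GID_FAILS, u, 1000, 1000));
    printf(", gid %ld\n", (long)sim_gid);
    printf("fail-closed, all succeed:  uid %ld\n", session_fail_closed(&OPS_OK, u, 1000, 1000));
    return 0;
}
```
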
Upgrade from 5.1.16 (Jan 2022) to 5.3 (Jul 2025). The newer version doesn't require patches - it already includes proper C header handling and the -std=gnu11 workaround is no longer needed thanks to upstream fixes. Ref: GCC 15.1.0 upgrade (PR linuxboot#1991)
…for 6.1.8 only Remove duplication of EXTRA_FLAGS definition across kernel versions. Define base flags once (-fdebug-prefix-map, -gno-record-gcc-switches), then conditionally add -std=gnu11 only for kernel 6.1.8 which requires GCC 15.1 C23 compatibility workaround. Other kernel versions (4.14.62, 4.19.139, 5.4.69, 5.10.214, 6.6.16-openpower) compile without workaround flags. Ref: GCC 15.1.0 upgrade (PR linuxboot#1991) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Upgrade from 2.03.23 (Nov 2023) to 2.03.25 (Jul 2024). The newer version removes the libgen.h issue that required a GCC 15.1.0 workaround patch.
However, GCC 15.1.0's C23 mode enforces const qualifiers on stdin/stdout/stderr, which breaks lvm2's reopen_standard_stream() calls. Port the working patch from lvm2-2.03.23 in osresearch/heads master branch (commit 63290d6) to 2.03.25. The patch wraps problematic memory allocation and log10() calls in #if 0 blocks to disable them at compile-time, maintaining compatibility with musl-libc and C23 standard enforcement.
Changes:
- Bump lvm2 from 2.03.23 to 2.03.25
- Update hash to 4bea6fd2e5af9cdb3e27b48b4efa8d89210d9bfa13df900e092e404720a59b1d
- Replace -Os with -Oz for space optimization
- Port lvm2-2.03.23.patch to lvm2-2.03.25.patch for C23 compatibility
- Remove obsolete lvm2-gcc-15.1-libgen.patch
Tested: EOL_x220-hotp-maximized board builds successfully with 182 KiB free CBFS
Ref: GCC 15.1.0 upgrade (PR linuxboot#1991)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
a6f1917 to f547ef2
f547ef2 to 90edf07
90edf07 to f6a4e38
… validated V=1 on x86 & ppc64 Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…om Argon2 and normalize libtool hardcode flags; validated V=1 on x86 Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…ed V=1 (x86) Validated: build/x86/log/npth.log shows -Oz and no -O2. Updated build_OFLAG_inventory.csv. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…on vs older CircleCI artifact - normalize -O/ -Os -> -Oz only at packaging time - observed size regression (dropbear +56 KiB, ssh +56 KiB); note local GCC 15.1.0 vs remote GCC 9.4.0 also dropped old unused patch TODO: further optimizations? - -ffunction-sections -fdata-sections + --gc-sections .... Signed-off-by: Thierry Laurion <insurgo@riseup.net>
move single patch into patch dir Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…ith proper naming patches/tpm2-tss-3.2.2: move patch into versioned patchdir as 0001-remove-useradd-groupadd-check.patch modules/tpm2-tss: enforce -Oz for GCC 15.1 packaging tests and fix Make parse error from stray comment continuations Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…ude musl-cross-make 8865 O2; various module count updates) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…by default and kvm
- Centralize Docker logic in docker/common.sh with build_docker_opts() and run_docker() to remove duplication across wrappers.
- Implement programmatic Xauthority (via xauth) and avoid automatic xhost changes; provide concise guidance when Xauthority isn't present.
- Enable host USB passthrough by default when /dev/bus/usb exists; opt-out via HEADS_DISABLE_USB=1
- Auto-add /dev/kvm when present; mount host repo at /root/heads and set HOME=/root.
- Make run_docker print concise feature summary and full docker command for developer visibility; add usage docs for minimal env vars.
- Add safety checks, set -euo pipefail, and trap SIGINT; validate via bash
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…86 & ppc64; update inventory and docs Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…nner; update inventory and build_oflags_summary Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…mary Signed-off-by: Thierry Laurion <insurgo@riseup.net>
… non-candidates Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…update inventory Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…inventory (validated x86 & ppc64) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…up UNUSED and note restoration; doc: record change Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…nventory (validated x86) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…FIG_MEMFD_CREATE in linux configs Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Saved the updated kernel configs in olddefconfig format in place by running the following command inside the reproducible Docker environment: ./docker_repro.sh bash -lc 'for b in EOL_z220-cmt-maximized UNMAINTAINED_kgpe-d16_server librem_11 novacustom-v540tu qemu-coreboot-fbwhiptail-tpm2-hotp EOL_t440p-hotp-maximized EOL_t480-maximized UNTESTED_talos-2 EOL_w541-maximized EOL_x230-hotp-maximized EOL_x230-maximized; do echo "=== $b ==="; make BOARD="$b" linux.save_in_olddefconfig_format_in_place || echo "FAIL: $b"; done' Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…le configure logs; regenerate built-only CSVs
Details:
- Ignore text after '|' (pipelines) and skip sed substitution contexts for generic '-O' counting to reduce false positives.
- Skip '*.configure.log' and 'configure.*' so only built module logs are scanned.
- Regenerated built-only CSVs: build_oflags_summary_built_only*.csv and updated combined CSVs.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- Standardize per-module '# OFLAG:' comments to reflect packaging-time '-Oz' enforcement, pre-configure sed normalization, or 'Untested' status.
- Mark modules that had no build logs in the retest as 'Untested in prior retest'.
- Update documentation and remove generated audit CSVs.
- Delete leftovers oflags tracking files
- Delete forgotten files in past testing
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
920b725 to 13642fa
Pull request overview
Copilot reviewed 111 out of 114 changed files in this pull request and generated 4 comments.
| 'Os': re.compile(rb'(?<![A-Za-z0-9_-])\-Os(?![A-Za-z0-9_-])'), | ||
| 'Oz': re.compile(rb'(?<![A-Za-z0-9_-])\-Oz(?![A-Za-z0-9_-])'), | ||
| # Generic -O that is not -O2/-O3/-Os/-Oz | ||
| 'O': re.compile(rb'(?<![A-Za-z0-9_-])\-O(?![0-9sSzZA-Za-z0-9_-])'), |
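Review bot: In the generic 'O' pattern, the lookahead class [0-9sSzZA-Za-z0-9_-] lists 0-9, s, S, z and Z that A-Za-z0-9 already covers, so it is equivalent to the [A-Za-z0-9_-] class used by the 'Os' and 'Oz' patterns; use that class for consistency. The comment above it says "not -O2/-O3/-Os/-Oz", but as written the pattern matches -O only when no letter, digit, underscore or hyphen follows, so -O0, -O1, -Og and -Ofast are also excluded and, among the three patterns visible here, counted by none; the comment should say that, or a separate pattern should capture those levels. The backslash in \-O is unnecessary outside a character class and can be dropped in all three patterns.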
This regular expression includes duplicate character '0' in a set of characters.
This regular expression includes duplicate character 'z' in a set of characters.
This regular expression includes duplicate character 'Z' in a set of characters.
This regular expression includes duplicate character '9' in a set of characters.
| import argparse | ||
| import os | ||
| import re | ||
| import glob |
Import of 'glob' is not used.
Stats diff since #2041 got merged for x220-hotp-maximized
Master
This PR
Gain of 212 - 69 = 143 KiB free for most constrained board
Continues #590