[openssl-users] Build OpenSSL on SUSE Linux Enterprise Server for z Systems

Sat May 13 01:13:12 UTC 2017

On May 12, 2017, at 5:00 PM, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:

>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
>> Of Thomas Francis, Jr.
>> Sent: Friday, May 12, 2017 15:55
>> 
>>> On 5/10/17 3:55 AM, 共通基盤ＳＳＬ［業務ＩＤ］ / COMMONSSL，GYOUMU wrote:
>>> 
>>> I will build OpenSSL on SUSE Linux Enterprise Server for z Systems.
> 
> What version of OpenSSL?
> 
>>> But, there is not yet the machine for build, so I cannot do actual
>>> machine verification.
>>> 
>>> The CPU is not Intel architecture, is probably z/Architecture.
> 
> Yes, Linux for System z runs on z-architecture CPUs.
> 
>>> I want to know beforehand the appropriate command-line parameters for
>>> executing "Configure".
>>> 
>>> Is it right to specify "linux64-s390x" as follows?
>>> 
>>> (1)cd /<source_root>/openssl-1.0.2k
>>> 
>>> (2)./Configure linux64-s390x
>> 
>> I'd suggest just running "./config".  That will pick the appropriate
>> 64-bit target.  Only use Configure if you want to do something
>> non-standard. :)
> 
> That's certainly the place to start. Whether it will work is another question.
> 
> When we build OpenSSL for z Linux (RHEL and SLES), we use a modified Configure that:
> 
> * Adds -fPIC and -mbackchain. This is because we compile OpenSSL into an archive library that is then linked into a shared object, so we have to force on the shared-object flags in Configure.
> 
> * Replaces -O3 with -O1, preferring robustness (or, if you prefer, toleration for sloppiness and error) and ease of problem determination over performance.
> 
> * Replaces the asm setting[1] with ${no_asm}, for the same reason.
> 
> * For 32-bit, removes /highgprs. According to my notes, highgprs does not work correctly with some glibc versions on zLinux.
> 
> The OP probably doesn't need the first three and may well not need the last. Depending on how clever one gets with building and using OpenSSL, though, config+Configure aren't always sufficient as supplied. That's not a criticism - trying to accommodate every use case is not a good use of the OpenSSL development team's time.
> 
> But unless you're happy with the default build parameters and comfortable with your platform, be prepared to learn how the OpenSSL build works.

I think in general, the same caveat applies for any system. The default build settings might not be what you want. But in most cases (including Linux for z), they will get you libraries that'll work with the system compiler toolchain if you pass only the minimum flags to specify where the headers and libraries can be found.

I figure if you need something else you probably already know that, and can pass the appropriate flags in CFLAGS, CPPFLAGS, or LDFLAGS. :) Or create a custom target. 

TOM

PS Regarding highgprs; I suspect that's actually a problem of mixing 32-bit s390x binaries with s390 binaries. There is a difference.  But old bugs and miscommunication means that sometimes the s390 system will think it can load an s390x binary (and sometimes think it succeeded). :)

> [1] There are two zLinux targets in the 1.0.2 Configure, for 64- and 32-bit. The linux64-s390x target uses ${s390x_asm} for its asm section, but the linux32-s90x uses an eval expression that edits $s390x_asm. We disable asm for both.
> 
> 
> Michael Wojcik 
> Distinguished Engineer, Micro Focus 