Xen project Mailing List

[PATCH] x86/build: Unilaterally disable -fcf-protection

To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Tue, 12 May 2020 20:11:16 +0100

Authentication-results: esa1.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@xxxxxxxxxx; spf=Pass smtp.mailfrom=Andrew.Cooper3@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx; dmarc=pass (p=none dis=none) d=citrix.com

Cc: Wei Liu <wl@xxxxxxx>, Jason Andryuk <jandryuk@xxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Stefan Bader <stefan.bader@xxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Tue, 12 May 2020 19:11:50 +0000

Ironport-sdr: PBwiuavzafFtcce7TY/uOXgN1tTXnJ+s1m+WMDEnJTkyadmsH7TPFfUwRDQDuQmV67huSJee6e /G4x1e/Igmwppwy/Nt1vKUIE90uZP+K59wXFR32m/yrPVyrKP3RcfuTLgRATacAcWvRqJdWmdC f447dNQL5Gw2m32E1Tq3re8yrcrqM6pG4w32pbHR+UbRRuMLz2ZzJBCk6h7AFtp55pN1ONzEU6 VK/Q/586PvfBzNP+bDcTCI7QwoujHHGXhH3DKEviXZPl7hM0doEuxxqciXYC1xike67kCeT0UD zNM=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

See comment for details. Works around a GCC-9 bug which breaks the build on Ubuntu. Reported-by: Jason Andryuk <jandryuk@xxxxxxxxx> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- CC: Jan Beulich <JBeulich@xxxxxxxx> CC: Wei Liu <wl@xxxxxxx> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> CC: Jason Andryuk <jandryuk@xxxxxxxxx> CC: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> Sorry for messing you around with how to fix this. I'd neglected to consider the CONFIG_LIVEPATCH interaction. With that extra observation, there is no point having the extra complexity given that the result with CET-IBT and Retpoline still isn't usable. --- xen/arch/x86/arch.mk | 9 +++++++++ xen/arch/x86/boot/build32.mk | 1 + 2 files changed, 10 insertions(+) diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk index 2a51553edb..93e30e4bea 100644 --- a/xen/arch/x86/arch.mk +++ b/xen/arch/x86/arch.mk @@ -67,6 +67,15 @@ CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch=thunk-extern CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables +# Xen doesn't support CET-IBT yet. At a minimum, logic is required to +# enable it for supervisor use, but the Livepatch functionality needs +# to learn not to overwrite ENDBR64 instructions. +# +# Furthermore, Ubuntu enables -fcf-protection by default, along with a +# buggy version of GCC-9 which objects to it in combination with +# -mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4). +$(call cc-option-add,CFLAGS,CC,-fcf-protection=none) + # If supported by the compiler, reduce stack alignment to 8 bytes. But allow # this to be overridden elsewhere. $(call cc-option-add,CFLAGS-stack-boundary,CC,-mpreferred-stack-boundary=3) diff --git a/xen/arch/x86/boot/build32.mk b/xen/arch/x86/boot/build32.mk index 48c7407c00..5a00755512 100644 --- a/xen/arch/x86/boot/build32.mk +++ b/xen/arch/x86/boot/build32.mk @@ -3,6 +3,7 @@ CFLAGS = include $(XEN_ROOT)/Config.mk $(call cc-options-add,CFLAGS,CC,$(EMBEDDED_EXTRA_CFLAGS)) +$(call cc-option-add,CFLAGS,CC,-fcf-protection=none) CFLAGS += -Werror -fno-asynchronous-unwind-tables -fno-builtin -g0 -msoft-float CFLAGS += -I$(XEN_ROOT)/xen/include -- 2.11.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.