
Re: [PATCH 1/2] tools/firmware: fix setting of fcf-protection=none


  • To: Anthony Perard <anthony.perard@xxxxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Fri, 1 Apr 2022 15:04:44 +0000
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 01/04/2022 15:50, Anthony PERARD wrote:
> On Fri, Apr 01, 2022 at 04:37:18PM +0200, Roger Pau Monne wrote:
>> Setting the fcf-protection=none option in EMBEDDED_EXTRA_CFLAGS in the
>> Makefile doesn't get it propagated to the subdirectories, so instead
>> set the flag in firmware/Rules.mk, like it's done for other compiler
>> flags.
>>
>> Fixes: 3667f7f8f7 ('x86: Introduce support for CET-IBT')
>> Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
>> ---
>>  tools/firmware/Makefile | 2 --
>>  tools/firmware/Rules.mk | 2 ++
>>  2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/tools/firmware/Makefile b/tools/firmware/Makefile
>> index 53ed4f161e..345037b93b 100644
>> --- a/tools/firmware/Makefile
>> +++ b/tools/firmware/Makefile
>> @@ -6,8 +6,6 @@ TARGET      := hvmloader/hvmloader
>>  INST_DIR := $(DESTDIR)$(XENFIRMWAREDIR)
>>  DEBG_DIR := $(DESTDIR)$(DEBUG_DIR)$(XENFIRMWAREDIR)
>>  
>> -EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
>> -
>>  SUBDIRS-y :=
>>  SUBDIRS-$(CONFIG_OVMF) += ovmf-dir
>>  SUBDIRS-$(CONFIG_SEABIOS) += seabios-dir
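Review bot: The removal of `EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none` near the top of tools/firmware/Makefile is justified in the commit message only by "doesn't get it propagated to the subdirectories", without saying why. Please state the mechanism (for example whether the variable is not exported to the sub-makes, or is reset when they include their own rules) so a reader can verify that nothing built directly from this Makefile still relied on the assignment.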
>> diff --git a/tools/firmware/Rules.mk b/tools/firmware/Rules.mk
>> index 9f78a7dec9..efbbc73a45 100644
>> --- a/tools/firmware/Rules.mk
>> +++ b/tools/firmware/Rules.mk
>> @@ -13,6 +13,8 @@ endif
>>  
>>  CFLAGS += -Werror
>>  
>> +EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
>> +
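Review bot: The added `EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none` in tools/firmware/Rules.mk sits after `CFLAGS += -Werror` with no comment, and the visible context does not show where EMBEDDED_EXTRA_CFLAGS is consumed. If Rules.mk, or anything it includes above this point, has already expanded the variable into CFLAGS, the append has no effect, so please confirm the ordering. A one-line comment saying why control-flow protection instrumentation is disabled for the firmware objects would also help, since the Fixes: tag points at the CET-IBT commit.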
> I think making modifications to $(EMBEDDED_EXTRA_CFLAGS) outside of
> "Config.mk" is confusing and would be better avoided.

EMBEDDED_EXTRA_CFLAGS in the root Config.mk is conceptually broken and
needs deleting.

Yes, xen/ and tools/firmware/ are freestanding from C's point of view,
and embedded from many people's points of view, but this doesn't mean
they have shared build requirements.

-nopie isn't even a CFLAG.  It's spelt -no-pie and is an LDFLAG.  This
bug is hidden by everything being cc-option'd behind the scenes.

Stack protector we'd absolutely have in Xen if it weren't for a quirk of
supporting PV guests.

-fno-exceptions is C++ only so not relevant for anything in xen.git.

~Andrew
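The point above about a misspelt flag being hidden by cc-option style probing can be checked with a small audit. This is an added example, not part of the thread and not Xen's build code: `stub_cc`, `real_cc`, `CC_PROBE` and the function names are assumptions, and the stub compiler's accepted-flag list is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: list the flags a cc-option style probe silently drops.
# CC_PROBE (assumption) names a command that exits 0 when a flag is accepted.

# Constructed stub compiler: accepts only the flags listed here.
stub_cc() {
    case "$1" in
        -fcf-protection=none|-fno-stack-protector|-no-pie|-Werror) return 0 ;;
        *) return 1 ;;
    esac
}

# Probe against a real GCC/Clang-compatible driver (not used by default).
# -Werror makes options the driver only warns about count as rejected.
real_cc() {
    echo 'int x;' | "${CC:-cc}" -Werror "$1" -x c -c - -o /dev/null 2>/dev/null
}

# cc-option style: echo the flag if the probe accepts it, else echo nothing.
cc_option() {
    if "${CC_PROBE:-stub_cc}" "$1"; then printf '%s' "$1"; fi
}

# The flag list a probing build system would actually pass to the compiler.
effective_flags() {
    out=
    for f in "$@"; do
        kept=$(cc_option "$f")
        if [ -n "$kept" ]; then out="${out:+$out }$kept"; fi
    done
    printf '%s\n' "$out"
}

# Flags that were requested but never reached the compiler.
dropped_flags() {
    out=
    for f in "$@"; do
        if [ -z "$(cc_option "$f")" ]; then out="${out:+$out }$f"; fi
    done
    printf '%s\n' "$out"
}

# Constructed request: one misspelt flag among accepted ones.
REQUESTED="-fcf-protection=none -nopie -fno-stack-protector"
echo "effective: $(effective_flags $REQUESTED)"
echo "dropped:   $(dropped_flags $REQUESTED)"
```

Setting `CC_PROBE=real_cc` runs the same audit against the installed compiler; a non-empty "dropped" line in CI is the signal that a hardening or codegen flag never took effect.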

 

