Xen project Mailing List

[PATCH] xen/build: Fix build failure from LDFLAGS mismatch

To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Tue, 26 Apr 2022 00:06:56 +0100

Authentication-results: esa1.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "Stefano Stabellini" <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Mon, 25 Apr 2022 23:07:49 +0000

Ironport-data: A9a23:Hm4m164Q52iyieOs0OxA3gxRtNXHchMFZxGqfqrLsTDasY5as4F+v jBLUWyPMvfeYmTzedtzPdvn/U4PucOAmIU1TVE5/ixnHi5G8cbLO4+Ufxz6V8+wwmwvb67FA +E2MISowBUcFyeEzvuVGuG96yE6j8lkf5KkYAL+EnkZqTRMFWFw0XqPp8Zj2tQy2YTjXlvX0 T/Pi5a31GGNimYc3l08s8pvmDs31BglkGpF1rCWTakjUG72zxH5PrpGTU2CByKQrr1vNvy7X 47+IISRpQs1yfuP5uSNyd4XemVSKlLb0JPnZnB+A8BOiTAazsA+PzpS2FPxpi67hh3Q9+2dx umhurS0FgILZojhpd9EQkB/PwcgF4oF5ZPudC3XXcy7lyUqclPpyvRqSko3IZcZ6qB8BmQmG f4wcW5XKErZ3qTvnez9GrIEascLdaEHOKs2vH16wC6fJvEhWZ3ZGI3B5MNC3Sd2jcdLdRrbT 5VBMmIxN0maC/FJEkkWT5MewuiJvFa8IjtamAKtt7g8/HeGmWSd15CyaYGIK7RmX/59oEGco W7X+nXjNTsTPtef1Dmt/2qlg6nEmiaTcJkJCLSy+/pugVuS7m8eEhsbUR28u/bRolG6c8JSL QoT4CVGhaov8E2mSPHtUhv+p2SL1jYWVsBMCeQ85EeIw7DN/geCLmEeS3hKb9lOnN87Q3km2 0GEm/vtBCdzq/uFRHSF7LCWoDiufy8PIgcqZyAeShAey8L+u4x1hRXKJv5BOqOoitz+GRnr3 iuH6iM5gt0uYdUjjvvhuwqd2nT1+8aPHlVdChjrsnyN6lx8RtaASrGTsEmCytpmcqy+DUStl S1R8ySB19wmAZaInS2LZewCGrC1+vqIWAHhbU5T84oJrGr0pSP6FWxEyHQnfRoybJ5YEdP8S BWL0T698qO/K5dDgUVfR4uqQ/onwqH7fTgOfqCFN4EeCnSdmeLuwc2PWaJy9z23+KTPuftmU Xt+TSpLJSxHYZmLNBLsG48gPUYDn0jSP1/7S5Hh1AiA2rGDfnOTQrptGALQM7hmsfrc+lSIq Yg32y62J/N3CrSWjs7/q9B7ELz3BSJjWcCeRzJ/K4Zv3TaK6El+UqSMkNvNiqRunrhPl/egw 51OchQw9bYLvlWecV/iQik6MNvHBM8vxVpmbX1EFQv5gBALPNfwhJrzgrNqJNHLAsQ4lqUqJ xTEEu3daslypsPvpmpNMMGh/NAzHPlp7CrXVxeYjPEEV8YIb2T0FhXMJ2MDKAFm4vKLiPYD

Ironport-hdrordr: A9a23:9EpvrK7h17oH/7aZvAPXwMTXdLJyesId70hD6qhwISY6TiX+rb HIoB17726RtN9/YhEdcLy7VJVoIkmskKKdg7NhXotKNTOO0ADDQb2KhbGSpQEIcBeeygcy78 hdmtBFeb/NMWQ=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

In a GNU compatbile makefile, $(LDFLAGS) are passed to $(CC), not $(LD). In a default CentOS 7 build environment, $(LDFLAGS) is set to -Wl,-z,relro, which causes the Xen build to explode with: ld: unrecognized option '-Wl,-z,relro' ld: use the --help option for usage information It turns out that many downstreams identify this as a breakage in Xen's build system and bodge around it in various ways, mostly by unsetting all of $(CFLAGS), $(AFLAGS) and $(LDFLAGS). However, that is a security issue because it means that tools/ is not built with the distro-wide hardening flags that are otherwise expected of packages (relro, _FORTIFY_SOURCE, stack-protector, etc). tools/ specifically should honour the packaging environment's choice of flags, while xen/ must not pass $(LDFLAGS) to $(LD), and should not be influenced by the others either. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- CC: Anthony PERARD <anthony.perard@xxxxxxxxxx> CC: Bertrand Marquis <bertrand.marquis@xxxxxxx> CC: George Dunlap <George.Dunlap@xxxxxxxxxxxxx> CC: Jan Beulich <JBeulich@xxxxxxxx> CC: Juergen Gross <jgross@xxxxxxxx> CC: Julien Grall <julien@xxxxxxx> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx> CC: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx> CC: Wei Liu <wl@xxxxxxx> RFC, because CFLAGS/AFLAGS need nuking too, and they're rather more entangled. I expect this to cause some disgreement, but Xen is behaving in a very nonstandard way even among embedded projects and all downstreams are suffering security problems as a consequence. --- xen/Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/Makefile b/xen/Makefile index ec34524ed21d..a8e1de54823b 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -254,6 +254,8 @@ export KBUILD_DEFCONFIG := $(ARCH)_defconfig # reparsing Config.mk by e.g. arch/x86/boot/. export XEN_TREEWIDE_CFLAGS := $(CFLAGS) +LDFLAGS := + # CLANG_FLAGS needs to be calculated before calling Kconfig ifneq ($(shell $(CC) --version 2>&1 | head -n 1 | grep clang),) CLANG_FLAGS := -- 2.11.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.